Product Pre Release Security Validation Checklist v1.0

v 1.0
Product Pre-Release
Security Validation
Checklist

CC BY-NC-SA 4.0, 2018 – IoT Security Initiative – www.iotsi.org
This license lets others remix, tweak, and build upon this work non-commercially, as long as they credit the IoT Security Initiative and
this work and license their new creations under identical terms.
YOU ARE FREE TO
Share: Copy and redistribute the material in any medium or format.
Adapt: Remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
UNDER THE FOLLOWING TERMS
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any
reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial: You may not use the material for commercial purposes.
ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the
license permits.
NO WARRANTY
This material is furnished on an "as-is" basis. No warranties of any kind are made, either expressed or implied, as to any matter including,
but not limited to, warranty of ﬁtness for purpose or merchantability, exclusivity, or results obtained from use of the material. No
warranties of any kind are made with respect to freedom from patent, trademark, or copyright infringement.
COMPLETE LICENSE TERMS & CONDITIONS CAN BE FOUND AT
https://creativecommons.org/licenses/by-nc-sa/4.0/
1www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative

Vendor security testing and delivery requirements specified in contracts
Vendor secure product development program attestation
End-to-end data security reviewed and validated
End-to-end data privacy reviewed and validated
Software design and architecture security reviewed and validated
Network design and architecture security reviewed and validated
Product/service security requirements reviewed and/or provided
All solution custom code tested for vulnerabilities with static code analysis
Solution authentication and session design and technology reviewed and validated
Functional user security configuration settings design reviewed and validated
Solution password creation, storage, and reset design reviewed and validated
API security reviewed and validated
Device provisioning design and architecture reviewed and validated
User provisioning design and architecture reviewed and validated
Software/firmware-update model design and architecture reviewed and validated
Device embedded system security controls reviewed and validated
Device vulnerability assessment conducted
Security patch levels of all third party and open source production software current
Product/service security features/functions testing conducted
Device final-firmware package scanned for vulnerabilities
Back-end network, systems, and operations security controls reviewed and validated
Back-end network and system services vulnerability assessment
Web services dynamic vulnerability assessment
Penetration testing of end-to-end solution
Solution cryptographic key stored and managed securely
Source code repository security and access management in place
All security findings sufficiently remediated and managed
Given an end-to-end solution, ensure the following are accounted for prior to Production release or Go-Live. Require
below list items based on risk and testing process. Use ongoing for subsequent releases and as changes warrant.
COMPLETION STATUSSECURITY ACTIVITY
1 NA Pending Complete
2www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative

Product Pre Release Security Validation Checklist v1.0

More Related Content

What's hot

Similar to Product Pre Release Security Validation Checklist v1.0

Recently uploaded

Product Pre Release Security Validation Checklist v1.0