SlideShare a Scribd company logo

Product Pre Release Security Validation Checklist v1.0

Mike Horton
Mike Horton

The document is a license from the IoT Security Initiative that allows others to share, adapt, and build upon the work as long as they provide attribution, do not use it for commercial purposes, and share adaptations under the same license terms. It specifies the license terms are provided under no warranty and refer to the full license terms on the Creative Commons website.

Technology
1 of 3
Download to read offline
v 1.0 Product Pre-Release Security Validation Checklist
CC BY-NC-SA 4.0, 2018 – IoT Security Initiative – www.iotsi.org This license lets others remix, tweak, and build upon this work non-commercially, as long as they credit the IoT Security Initiative and this work and license their new creations under identical terms. YOU ARE FREE TO Share: Copy and redistribute the material in any medium or format. Adapt: Remix, transform, and build upon the material. The licensor cannot revoke these freedoms as long as you follow the license terms. UNDER THE FOLLOWING TERMS Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial: You may not use the material for commercial purposes. ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. NO WARRANTY This material is furnished on an "as-is" basis. No warranties of any kind are made, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. No warranties of any kind are made with respect to freedom from patent, trademark, or copyright infringement. COMPLETE LICENSE TERMS & CONDITIONS CAN BE FOUND AT https://creativecommons.org/licenses/by-nc-sa/4.0/ 1www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative
Vendor security testing and delivery requirements specified in contracts Vendor secure product development program attestation End-to-end data security reviewed and validated End-to-end data privacy reviewed and validated Software design and architecture security reviewed and validated Network design and architecture security reviewed and validated Product/service security requirements reviewed and/or provided All solution custom code tested for vulnerabilities with static code analysis Solution authentication and session design and technology reviewed and validated Functional user security configuration settings design reviewed and validated Solution password creation, storage, and reset design reviewed and validated API security reviewed and validated Device provisioning design and architecture reviewed and validated User provisioning design and architecture reviewed and validated Software/firmware-update model design and architecture reviewed and validated Device embedded system security controls reviewed and validated Device vulnerability assessment conducted Security patch levels of all third party and open source production software current Product/service security features/functions testing conducted Device final-firmware package scanned for vulnerabilities Back-end network, systems, and operations security controls reviewed and validated Back-end network and system services vulnerability assessment Web services dynamic vulnerability assessment Penetration testing of end-to-end solution Solution cryptographic key stored and managed securely Source code repository security and access management in place All security findings sufficiently remediated and managed Given an end-to-end solution, ensure the following are accounted for prior to Production release or Go-Live. Require below list items based on risk and testing process. Use ongoing for subsequent releases and as changes warrant. COMPLETION STATUSSECURITY ACTIVITY 1 NA Pending Complete 2 NA Pending Complete 3 NA Pending Complete 4 NA Pending Complete 5 NA Pending Complete 6 NA Pending Complete 7 NA Pending Complete 8 NA Pending Complete 9 NA Pending Complete 10 NA Pending Complete 11 NA Pending Complete 12 NA Pending Complete 13 NA Pending Complete 14 NA Pending Complete 15 NA Pending Complete 16 NA Pending Complete 17 NA Pending Complete 18 NA Pending Complete 19 NA Pending Complete 20 NA Pending Complete 21 NA Pending Complete 22 NA Pending Complete 23 NA Pending Complete 24 NA Pending Complete 25 NA Pending Complete 26 NA Pending Complete 27 NA Pending Complete 2www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative

Recommended

ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
ControlCase
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
PECB
 
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist QuestionsISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
himalya sharma
 
Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
Oliver Pfaff
 
ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition Arragements
ISONIKELtd
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to know
PECB
 

Recommended

ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
ControlCase
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
PECB
 
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist QuestionsISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
himalya sharma
 
Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
Oliver Pfaff
 
ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition Arragements
ISONIKELtd
 
ISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to knowISO/IEC 27701 vs GDPR: What you need to know
ISO/IEC 27701 vs GDPR: What you need to know
PECB
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NA Putra
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
PECB
 
A first look at Open Liberty
A first look at Open LibertyA first look at Open Liberty
A first look at Open Liberty
Graham Charters
 
Sox compliance
Sox complianceSox compliance
Sox compliance
G Madhusudhan
 
Identity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaSIdentity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaS
Marc Rousselet
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!
PECB
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureUppala Anand
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
Jason Ross
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
Ivan Piskunov
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
Marius FAILLOT DEVARRE
 
ISO 27002-2022.pdf
ISO 27002-2022.pdfISO 27002-2022.pdf
ISO 27002-2022.pdf
ChristianAquino52
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
Shauna_Cox
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
PECB
 
Optimizing Data for EPM
Optimizing Data for EPMOptimizing Data for EPM
Optimizing Data for EPM
Ravi Tirumalai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 

More Related Content

What's hot

How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NA Putra
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
PECB
 
A first look at Open Liberty
A first look at Open LibertyA first look at Open Liberty
A first look at Open Liberty
Graham Charters
 
Sox compliance
Sox complianceSox compliance
Sox compliance
G Madhusudhan
 
Identity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaSIdentity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaS
Marc Rousselet
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!
PECB
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureUppala Anand
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
Jason Ross
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
Ivan Piskunov
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
Marius FAILLOT DEVARRE
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
Shauna_Cox
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
PECB
 
Optimizing Data for EPM
Optimizing Data for EPMOptimizing Data for EPM
Optimizing Data for EPM
Ravi Tirumalai
 

What's hot (20)

How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
GDPR vs US Regulations: Their differences and Commonalities with ISO/IEC 27701
 
A first look at Open Liberty
A first look at Open LibertyA first look at Open Liberty
A first look at Open Liberty
 
Sox compliance
Sox complianceSox compliance
Sox compliance
 
Identity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaSIdentity as a Service - Etude IDaaS
Identity as a Service - Etude IDaaS
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!ISO/IEC 27034 Application Security – How to trust, without paying too much!
ISO/IEC 27034 Application Security – How to trust, without paying too much!
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
ISO 27002-2022.pdf
ISO 27002-2022.pdfISO 27002-2022.pdf
ISO 27002-2022.pdf
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to KnowISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
 
Optimizing Data for EPM
Optimizing Data for EPMOptimizing Data for EPM
Optimizing Data for EPM
 

Similar to Product Pre Release Security Validation Checklist v1.0

Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
SmartBear
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars
 
How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?
SecPod
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTDeliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Perfecto by Perforce
 
The quality assurance checklist for progressive testing
The quality assurance checklist for progressive testingThe quality assurance checklist for progressive testing
The quality assurance checklist for progressive testing
Maitrikpaida
 
The Quality Assurance Checklist for Progressive Testing
The Quality Assurance Checklist for Progressive TestingThe Quality Assurance Checklist for Progressive Testing
The Quality Assurance Checklist for Progressive Testing
Cygnet Infotech
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer appsCA API Management
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
Salesforce Partners
 
ApExchange Security Review and Compliance
ApExchange Security Review and ComplianceApExchange Security Review and Compliance
ApExchange Security Review and Compliance
CEPTES Software Inc
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
TechWell
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Emerasoft, solutions to collaborate
 

Similar to Product Pre Release Security Validation Checklist v1.0 (20)

Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
 
How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?How to Achieve NIST Compliance using SanerNow?
How to Achieve NIST Compliance using SanerNow?
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CTDeliver Flawless Mobile Apps Faster with CI/CD & CT
Deliver Flawless Mobile Apps Faster with CI/CD & CT
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
The quality assurance checklist for progressive testing
The quality assurance checklist for progressive testingThe quality assurance checklist for progressive testing
The quality assurance checklist for progressive testing
 
The Quality Assurance Checklist for Progressive Testing
The Quality Assurance Checklist for Progressive TestingThe Quality Assurance Checklist for Progressive Testing
The Quality Assurance Checklist for Progressive Testing
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
5 steps end to end security consumer apps
5 steps end to end security consumer apps5 steps end to end security consumer apps
5 steps end to end security consumer apps
 
An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)An Insider's Guide to Security Review (October 13, 2014)
An Insider's Guide to Security Review (October 13, 2014)
 
ApExchange Security Review and Compliance
ApExchange Security Review and ComplianceApExchange Security Review and Compliance
ApExchange Security Review and Compliance
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 

Product Pre Release Security Validation Checklist v1.0

  • 1. v 1.0 Product Pre-Release Security Validation Checklist
  • 2. CC BY-NC-SA 4.0, 2018 – IoT Security Initiative – www.iotsi.org This license lets others remix, tweak, and build upon this work non-commercially, as long as they credit the IoT Security Initiative and this work and license their new creations under identical terms. YOU ARE FREE TO Share: Copy and redistribute the material in any medium or format. Adapt: Remix, transform, and build upon the material. The licensor cannot revoke these freedoms as long as you follow the license terms. UNDER THE FOLLOWING TERMS Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial: You may not use the material for commercial purposes. ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. NO WARRANTY This material is furnished on an "as-is" basis. No warranties of any kind are made, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. No warranties of any kind are made with respect to freedom from patent, trademark, or copyright infringement. COMPLETE LICENSE TERMS & CONDITIONS CAN BE FOUND AT https://creativecommons.org/licenses/by-nc-sa/4.0/ 1www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative
  • 3. Vendor security testing and delivery requirements specified in contracts Vendor secure product development program attestation End-to-end data security reviewed and validated End-to-end data privacy reviewed and validated Software design and architecture security reviewed and validated Network design and architecture security reviewed and validated Product/service security requirements reviewed and/or provided All solution custom code tested for vulnerabilities with static code analysis Solution authentication and session design and technology reviewed and validated Functional user security configuration settings design reviewed and validated Solution password creation, storage, and reset design reviewed and validated API security reviewed and validated Device provisioning design and architecture reviewed and validated User provisioning design and architecture reviewed and validated Software/firmware-update model design and architecture reviewed and validated Device embedded system security controls reviewed and validated Device vulnerability assessment conducted Security patch levels of all third party and open source production software current Product/service security features/functions testing conducted Device final-firmware package scanned for vulnerabilities Back-end network, systems, and operations security controls reviewed and validated Back-end network and system services vulnerability assessment Web services dynamic vulnerability assessment Penetration testing of end-to-end solution Solution cryptographic key stored and managed securely Source code repository security and access management in place All security findings sufficiently remediated and managed Given an end-to-end solution, ensure the following are accounted for prior to Production release or Go-Live. Require below list items based on risk and testing process. Use ongoing for subsequent releases and as changes warrant. COMPLETION STATUSSECURITY ACTIVITY 1 NA Pending Complete 2 NA Pending Complete 3 NA Pending Complete 4 NA Pending Complete 5 NA Pending Complete 6 NA Pending Complete 7 NA Pending Complete 8 NA Pending Complete 9 NA Pending Complete 10 NA Pending Complete 11 NA Pending Complete 12 NA Pending Complete 13 NA Pending Complete 14 NA Pending Complete 15 NA Pending Complete 16 NA Pending Complete 17 NA Pending Complete 18 NA Pending Complete 19 NA Pending Complete 20 NA Pending Complete 21 NA Pending Complete 22 NA Pending Complete 23 NA Pending Complete 24 NA Pending Complete 25 NA Pending Complete 26 NA Pending Complete 27 NA Pending Complete 2www.iotsi.orgCC BY-NC-SA 4.0, 2018 - IoT Security Initiative