Codenomicon, the Finland-based security firm that claimed discovery (along with Google’s Neel Mehta) and branded the Heartbleed bug, has launched a new verification program designed to help critical systems manufacturers test the security and robustness of their products.
Dubbed CodeVerify by the company, the program provides security and robustness testing metrics for critical systems, including medical devices, industrial control systems (ICS), networking equipment, software applications, and even for the automotive industry. The program aims to help organizations improve product security as a part of their development process, Codenomicon said.
"These are industries that are rapidly embracing connectivity after a long history of isolation, amplifying the need to a heightened standard of security," commented Mike Ahmadi, Global Director of Critical Systems Security at Codenomicon. "In an answer to this shift, we have noticed a keen interest for our testing, intelligence and security products across these critical industries that power the connected world. The CodeVerify program is designed to make this transition far more smooth and secure."
The verification process has four phases, three of which involve internal work using automated testing tools that allow manufacturers to improve the development process without straining their resources. In the first phase, the product is scanned for third-party and open source components that could pose a security risk. Then, interfaces that are exposed to attacks are identified through a network scan.
In the third phase, protocol implementations are tested using Codenomicon's Defensics security testing platform which, according to the company, is already successfully leveraged by organizations such as Verizon and the United States Food and Drug Administration (FDA). These verifications are repeated until no weaknesses are found, Codenomicon said.
In the final phase of the verification process, the test results are sent to Codenomicon, whose experts conduct an external review of the product. Once testing is complete, solutions that pass the test are given the CodeVerified status.
"As the Internet of Things continues to progress, a higher level of visibility is required to ensure true safety and security. While our customers have found our tools to be invaluable in helping them build more secure and robust devices, they are looking for a best-of-breed standard to set as a baseline goal for security," explained Codenomicon CEO David Chartier.
"CodeVerify caters to the demands of these leading companies who have been asking for a benchmarking standard so that as they continue with their testing and analysis, they can easily compare their products against the most mature, secure and robust standards. Using Codenomicon tools allows them to test and gain visibility at the highest levels. CodeVerified confirms this status to the industry at large."