What is a secure development lifecycle (SDL)?
A secure development lifecycle is a process by which security best practices are standardized for devices. This is achieved by capturing industry-standard security activities and packaging them so that they can be securely implemented. As product development must follow a secure development lifecycle, development teams have the option of building their own standardized processes or following pre-defined examples from companies such as Cisco and Microsoft.
Security evaluation comes from an expert assessment of the product, its lifecycle and/or secure development process. This process must be carried out by a security laboratory and is based on industry standards and evaluation methodologies. The involvement of external parties during evaluation often adds significant knowledge and value to the process as internal teams often only have experience with a limited set of products.
To attain certification and provide assurance that a device or application meets industry-defined security benchmarks, a solution must be evaluated by an accredited laboratory against a set of formalized requirements and standards. For example, EMVCo certifies and evaluates products and services in line with the needs of the payments ecosystem and GlobalPlatform provides certification for secure platforms upon which solutions can be manufactured, like secure elements (SEs) and trusted execution environments (TEEs).
The certification body then provides written confirmation that a solution has passed all testing which can then be used by companies in the launch and marketing of their products. For some markets, like payments, certification is a requirement for market access.
Do I need to certify my device and applications?
Failed product launches are one thing, but data breaches are even more damaging to both brand equity and finances. Devices from in-car electronics to wearables now store more sensitive and personal data than ever, emphasizing the need for standardized security throughout device and application ecosystems.
Why are secure development lifecycles important to my business?
Ensuring that devices and applications are developed in line with a secure development lifecycle ensures that best practices are standardized. Without an SDL, products are more prone to being shipped with vulnerabilities, security mistakes can be repeated and identified too late and end-users have no active assurances that their device, and the data stored on it, is safe.
Certifications open doors to both geographical and vertical markets. For example, FIPS is a requirement for the U.S. marketplace and EMVCo is essential for payments.
|✔||Security liability / risk management
In vertical markets, like payments and content protection, certain parties are responsible for risk management and are liable in the event of an attack or a breach.
Security is often a differentiator for manufacturers and developers when selling products. Even where there are no defined specifications, tailored evaluation can be a way to prove worth to potential customers.
A successful cyber-attack can cause major damage to your business. It can affect your revenues, as well as your business’ standing and consumer trust.
|✔||Build additional services
Service providers can use certified and trusted platforms as a foundation on which to build new value-added services because of higher trust.
Eliminating risk and vulnerabilities: Certification ensures best-practice security and tangible operational benefits
Secure solutions are not designed and developed by accident. Trust is the result of careful planning and expertise. It is important to approach this not as a technical challenge, but as a process that is fundamental to the quality of your technology and the management of risk for both you and your end-users. All too often though, people forget that the right security can also be an enabler of both innovation and commercial value.
This is where certified trusted execution environment (TEE) technology is coming to the fore to support OEMs in securing devices and developers in bringing trust to their applications. Over the last five years, TEEs have become the de-facto hardware-backed security technology for smartphones, tablets, wearables and in-vehicle systems; protecting biometric authentication, user interfaces, premium content, cryptographic keys and related operations. The security platform has achieved this success because it can offer a hardware root-of-trust or security anchor within a device, while at the same time being more efficient than dedicated secure elements (SE’s) due to the extensive resource sharing with the device systems.
This makes it a perfect technology to protect use cases including mobile payments, banking & acceptance, digital car key apps, in-vehicle infotainment (IVI) systems and mobile device protection for telcos.
As the world becomes more mobile-first, the spotlight will only brighten on security features. Being able to demonstrate a secure development lifecycle through certification is both a requirement and a strategic advantage for developers and manufacturers.
In collaboration with global security lab Riscure, Trustonic has published the first in a series of papers on the role and value of security testing, evaluation and certification in the design, development and launch of secure products and services.
For information on Trustonic’s hardware-backed device protection solutions visit our device security page. For advanced in-app protection, visit our application protection page and for information on our cybersecurity standards and certifications click here. Or email us at [email protected].
For information about Riscure’s testing, evaluation and certifications services, email [email protected].