Actions described in security standards (like ISO 27002, PCI-DSS, HIPAA, Common Criteria) greatly vary according to the domain data that they store, process, transmit and report.

We have a product which collects metrics from network/wifi-enabled luminaries (lighting devices) and produces analytics data for trend analysis or energy efficiency calculations. What is the minimal security standard that the product needs to meet? It has a device discovery module, data aggregation and a reporting web app hosted in the cloud, and the data moves from the enterprise to the cloud platform.

I am thinking of at least the OWASP Top 10, but that is not a standard, rather a set of guidelines on security controls for web applications.

Rory Alsop
user134083
  • What do you mean with "needs to meet"? That you are legally required to follow? That you should follow to be "good" (whatever that means)? – Anders Dec 21 '16 at 14:24
  • The standards you mention are mainly controls; they dictate a set of standards that must be put around data in order to protect it. What technology are you using? I.e. what language is it written in, what protocols does it use, etc. Find them out and then look at the best practices on how to implement them for your particular use case – TheJulyPlot Dec 21 '16 at 14:28

1 Answer

What is the minimal security standard that the product needs to meet?

This largely depends on the procurement requirements you are trying to meet. For the US federal government, the bare minimum to get on the list is FIPS 140-2 certification of your cryptographic module. For DoD there is JITC certification. For NSA and such you have NIAP and Common Criteria. However, I don't think you are trying to do any of this.

Instead, I think you are trying to establish a benchmark for a bare-minimum effort to secure your product. To do this, I suggest you regularly patch every third-party library you use (e.g. OpenSSL), then run a vulnerability scanner, like Nessus, and follow up with a static code analysis tool, like Coverity, applicable to your language. This approach will get you to 'minimal security' if you integrate it into your QA process.

Kirill Sinitski