2/5/2014
12:34 PM
Dark Reading

Keeping Corrupted Tech Out Of The Global Supply Chain

Open Group launches Open Trusted Technology Provider Standard (O-TTPS) Accreditation Program

SAN FRANCISCO--(BUSINESS WIRE)--The Open Group today announces the launch of the Open Trusted Technology Provider™ Standard (O-TTPS) Accreditation Program, one of the first accreditation programs aimed at assuring the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products worldwide and safeguarding the global supply chain against the increasing sophistication of Cybersecurity attacks.

Intended to assure integrity in technology development and to prevent maliciously tainted and counterfeit products from entering the supply chain, the accreditation program will ensure applicants conform to the O-TTPS standard.

Companies seeking O-TTPS Accreditation - which could be component suppliers, technology providers or integrators - can choose to be accredited for conforming to the O-TTPS standard and adhering to the best practice requirements across the entire enterprise, within a specific product line or business unit or within one or more individual products.

Organizations applying to become O-TTPS accredited are then required to provide evidence of conformance to each of the O-TTPS requirements, demonstrating they have the processes in place to secure their in-house development and their supply chains across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases.

O-TTPS accredited organizations will then be able to identify themselves as Open Trusted Technology Providers™ and will become part of a public registry of trusted providers who help ensure they "Build with Integrity" so their customers can "Buy with Confidence".

The Open Group is also announcing the O-TTPS Recognized Assessor Program, which assures that Recognized Assessors (companies) meet certain criteria as a third-party assessor organization and that their assessors (individuals) meet an additional set of criteria and have passed the O-TTPS Assessor exam before they can be assigned to an O-TTPS Assessment. The Open Group will operate this program, grant O-TTPS Recognized Assessor certificates and list those qualifying organizations on a public registry.

Organizations can download the O-TTPS v1.0 and the O-TTPS Accreditation Policy from the Trusted Technology Section in The Open Group Bookstore.

To learn more about becoming an accredited Open Trusted Technology Provider™ or an O-TTPS Recognized third-party assessor, visit: http://www.opengroup.org/accreditation/o-ttps.

Quotes

Edna Conway, Chief Security Officer, Global Supply Chain, Cisco Systems and Vice-Chair of The Open Group Trusted Technology Forum, said: "The robust and cross-industry method through which the O-TTPS Accreditation Policy was developed has delivered a transparent, credible process with integrity."

Andras Szakal, Vice President, Chief Technology Officer, IBM U.S. Federal IMT, said: "Secure by Design is a key tenet of the IBM secure engineering process. The Open Trusted Technology Provider™ Standard and Accreditation Program will help guide and recognize trusted technology vendors like IBM that value Secure by Design best practices. IBM is a proud founding member of the OTTF and has successfully piloted the accreditation program. In January 2014, IBM obtained O-TTPS accreditation for the Application Infrastructure and Middleware (AIM) Software Business Division, which includes the flagship WebSphere product line."

Sally Long, Director, The Open Group Trusted Technology Forum, said: "Being able to identify accredited organizations not only benefits commercial customers and governments, it also benefits COTS ICT providers, who can identify and choose to work with accredited component suppliers – thus enabling a holistic approach that is essential to raising the bar for all constituents in the supply chain."

Notes to editors

Tainted and counterfeit products pose significant risk to organizations because altered or non-genuine products introduce the possibility of untracked malicious behavior or poor performance. Both product risks can damage customers and suppliers resulting in failed or inferior products, revenue and brand equity loss, disclosure of intellectual property, and damage to critical infrastructure. The increase in sophistication of cyber-attacks has forced technology suppliers and governments to take a more comprehensive approach to risk management as it applies to product integrity and supply chain security. Customers are now seeking assurances that their providers are following standards to mitigate the risks of tainted and counterfeit components, while providers of COTS ICT are focusing on protecting the integrity of their products and services as they move through the global supply chain.

Resources

· For more information on The Open Group Trusted Technology Forum click here.

· To view a video featuring OTTF Vice-Chair and Cisco's Chief Security Officer, Global Supply Chain, Edna Conway discussing the work of the OTTF, please click here.

About The Open Group Trusted Technology Forum (OTTF)

The Open Group Trusted Technology Forum (OTTF) leads the development of a global supply chain security program in order to provide buyers of IT products with a choice of accredited technology partners (component suppliers, providers and integrators). The Open Trusted Technology Provider™ Standard (O-TTPS) identifies best practices for technology integrity and supply chain security. The O-TTPS Accreditation Program assures conformance to the standard, distinguishing Open Trusted Technology Providers™, and fostering a secure and sustainable global supply chain.

The OTTF provides a vendor-neutral environment where security, supply chain, and acquisition professionals can lead the development of industry best practices and accreditation programs, utilize The Open Group's broad reach to build global recognition for them, and network with a world-class community of experts and peers to grow professionally. We welcome the participation of all who want to influence the direction of the OTTF.

About The Open Group

The Open Group is an international vendor- and technology-neutral consortium upon which organizations rely to lead the development of IT standards and certifications, and to provide them with access to key industry peers, suppliers and best practices. The Open Group provides guidance and an open environment in order to ensure interoperability and vendor neutrality. Further information on The Open Group can be found at http://opengroup.org.
