2/5/2014
12:34 PM
Dark Reading
Products and Releases

Keeping Corrupted Tech Out Of The Global Supply Chain

Open Group launches Open Trusted Technology Provider Standard (O-TTPS) Accreditation Program

SAN FRANCISCO--(BUSINESS WIRE)--The Open Group today announces the launch of the Open Trusted Technology Provider™ Standard (O-TTPS) Accreditation Program, one of the first accreditation programs aimed at assuring the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products worldwide and safeguarding the global supply chain against the increasing sophistication of cybersecurity attacks.

Intended to assure integrity in technology development and to prevent maliciously tainted and counterfeit products from entering the supply chain, the accreditation program will ensure applicants conform to the O-TTPS standard.

Companies seeking O-TTPS Accreditation - which could be component suppliers, technology providers or integrators - can choose to be accredited for conforming to the O-TTPS standard and adhering to the best practice requirements across the entire enterprise, within a specific product line or business unit or within one or more individual products.

Organizations applying to become O-TTPS accredited are then required to provide evidence of conformance to each of the O-TTPS requirements, demonstrating they have the processes in place to secure their in-house development and their supply chains across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases.

O-TTPS accredited organizations will then be able to identify themselves as Open Trusted Technology Providers™ and will become part of a public registry of trusted providers who help ensure they "Build with Integrity" so their customers can "Buy with Confidence".

The Open Group is also announcing the O-TTPS Recognized Assessor Program, which assures that Recognized Assessors (companies) meet certain criteria as third-party assessor organizations and that their assessors (individuals) meet an additional set of criteria and have passed the O-TTPS Assessor exam before they can be assigned to an O-TTPS Assessment. The Open Group will operate this program, grant O-TTPS Recognized Assessor certificates and list those qualifying organizations on a public registry.

Organizations can download the O-TTPS v1.0 and the O-TTPS Accreditation Policy from the Trusted Technology Section in The Open Group Bookstore.

To learn more about becoming an accredited Open Trusted Technology Provider™ or an O-TTPS Recognized third-party assessor, visit: http://www.opengroup.org/accreditation/o-ttps.

Quotes

Edna Conway, Chief Security Officer, Global Supply Chain, Cisco Systems and Vice-Chair of The Open Group Trusted Technology Forum, said: "The robust and cross-industry method through which the O-TTPS Accreditation Policy was developed has delivered a transparent, credible process with integrity."

Andras Szakal, Vice President, Chief Technology Officer, IBM U.S. Federal IMT, said: "Secure by Design is a key tenant of the IBM secure engineering process. The Open Trusted Technology Provider™ Standard and Accreditation Program will help guide and recognize trusted technology vendors like IBM that value Secure by Design best practices. IBM is a proud founding member of the OTTF and has successfully piloted the accreditation program. In January 2014, IBM obtained O-TTPS accreditation for the Application Infrastructure and Middleware (AIM) Software Business Division, which includes the flagship WebSphere product line."

Sally Long, Director, The Open Group Trusted Technology Forum, said: "Being able to identify accredited organizations not only benefits commercial customers and governments, it also benefits COTS ICT providers, who can identify and choose to work with accredited component suppliers – thus enabling a holistic approach that is essential to raising the bar for all constituents in the supply chain."

Notes to editors

Tainted and counterfeit products pose significant risk to organizations because altered or non-genuine products introduce the possibility of untracked malicious behavior or poor performance. Both product risks can damage customers and suppliers resulting in failed or inferior products, revenue and brand equity loss, disclosure of intellectual property, and damage to critical infrastructure. The increase in sophistication of cyber-attacks has forced technology suppliers and governments to take a more comprehensive approach to risk management as it applies to product integrity and supply chain security. Customers are now seeking assurances that their providers are following standards to mitigate the risks of tainted and counterfeit components, while providers of COTS ICT are focusing on protecting the integrity of their products and services as they move through the global supply chain.

Resources

· For more information on The Open Group Trusted Technology Forum click here.

· To view a video featuring OTTF Vice-Chair and Cisco's Chief Security Officer, Global Supply Chain, Edna Conway discussing the work of the OTTF, please click here.

About The Open Group Trusted Technology Forum (OTTF)

The Open Group Trusted Technology Forum (OTTF) leads the development of a global supply chain security program in order to provide buyers of IT products with a choice of accredited technology partners (component suppliers, providers and integrators). The Open Trusted Technology Provider™ Standard (O-TTPS) identifies best practices for technology integrity and supply chain security. The O-TTPS Accreditation Program assures conformance to the standard, distinguishing Open Trusted Technology Providers™, and fostering a secure and sustainable global supply chain.

The OTTF provides a vendor-neutral environment where security, supply chain, and acquisition professionals can lead the development of industry best practices and accreditation programs, utilize The Open Group's broad reach to build global recognition for them, and network with a world-class community of experts and peers to grow professionally. We welcome the participation of all who want to influence the direction of the OTTF.

About The Open Group

The Open Group is an international vendor- and technology-neutral consortium upon which organizations rely to lead the development of IT standards and certifications, and to provide them with access to key industry peers, suppliers and best practices. The Open Group provides guidance and an open environment in order to ensure interoperability and vendor neutrality. Further information on The Open Group can be found at http://opengroup.org.
