You know it's a good thing when you see UL on a wall wart, but does it matter on your next firewall? Here's what we know about UL's new Cybersecurity Assurance Program.
Underwriters Laboratories, known for its UL logo that appears on consumer electronics, is expanding its IT services to include security certifying for networking and telecommunication gear.
The idea didn't come from thin air. For the past decade, UL quietly offered security evaluation services to industries such as banking, with about 500 employees who provide everything from risk analysis to penetration testing, explained Ken Modeste, leader for cybersecurity technical services.
"What we're doing now is expanding that presence to several other verticals," such as healthcare and industrial controls, Modeste said.
Modeste explained how the certification process will work. Security vendors that seek certification will have to send their products to UL testers, which costs anywhere from $50,000-$150,000. If a certification is granted, then it is valid for 12 months. However, the process doesn't end there.
"Penetrating testing is a big part of it," Modeste said. "The vendor has to have a process to patch their product... we actually have a requirement that in the event of finding a vulnerability they have to contact us immediately," he said. If flaws are patched expeditiously, then UL will revoke the certification, he added.
Sean Martin, a consultant with IT security expertise, said he's skeptical that enterprise purchasers will be interested in whether a product has UL certification.
"Generally, I don't think people care, the same way they don't go buy a light at Home Depot and check to make sure the label on there says UL listed," he said, in Los Angeles. Government standards such as the Evaluation Assurance Level are already established and widely respected, he added.
Modeste acknowledged that it could be challenging for IT vendors to explain the certification's value to their own customers. "It's a tough thing to start off. We also expect that our adoption will take some time," he noted.
UL is planning to talk more about the new service, which it's calling Cybersecurity Assurance Program, on April 26, 2016 in an online presentation.
- Don't let a penetration test land you in legal hot water (TechRepublic)
- Determining whether penetration testing is effective (TechRepublic)
- The five phases of a successful network penetration (TechRepublic)
- IT security spending: It's time to rethink our priorities (TechRepublic)
- Security and privacy: New challenges (ZDNet/TechRepublic special feature)