topic Re: Equipment reviews for security worthiness in Tech Talk

Equipment reviews for security worthiness

ericgeater — Wed, 24 Apr 2024 15:51:39 GMT

What resources do you use to research device trustworthiness / reputation?

I'm trying to research a network switch vendor, whose equipment is well-appreciated by tech enthusiasts. But I don't want to bring something on-network that we don't explicitly trust.

In brief, the manufacturer does not have a profile with CISecurity or Common Criteria. If you have other resources for reviewing the security worthiness of such vendors, I'd love to hear them!

If you have a hardware vendor list that's nothing but devices with terrible reputations, that would be cool, too! Government restricted or prohibited would be nice, because I know they're wary of many tech providers.

The goal is to determine the vendor's country of origin (both design AND manufacture), the vendor's history of fixing bugs, likelihood of the device "phoning home" after install, etc.

Thanks, everyone!

Re: Equipment reviews for security worthiness

Caute_cautim — Thu, 25 Apr 2024 06:19:59 GMT

@ericgeater Is it open source? If, so check Open Source distribution lists.

You can also check out evaluation web sites such as gartner etc?

Good old Google searches normally turn up something about a vendor or software supplier good or bad including evaluations.

But if you are connected to an international organisation or government department - make sure you go seek advice from the Procurement Unit, and let them do the research for you, plus ensure you have registered your interest, and ensures you don't have a procurement bypass against your name too.

Regards

Caute_Cautim

Re: Equipment reviews for security worthiness

JoePete — Thu, 25 Apr 2024 12:35:42 GMT

@ericgeater wrote:
What resources do you use to research device trustworthiness / reputation?

Really good question. I've used Common Criteria, which was a great sounding idea, but had/has certain logistical hurdles. The other place I always look is the CVE.

Consistent firmware updates I take as a good sign. When I worked in higher ed, we always did an accessibility check (i.e., Section 508 compliance) on any interface. Part of this was to anticipate potential end-user issues, but one thing I have found is that manufacturers who pay attention to things like accessibility, valid HTML, etc., tend to pay attention in more critical but less visible areas too.

This is a good question, but the bigger challenge I always saw wasn't in developing the criteria for an evaluation. It was making sure such an evaluation was part of the purchasing process.

Re: Equipment reviews for security worthiness

ericgeater — Thu, 25 Apr 2024 15:22:20 GMT

Good responses. @Caute_cautim, I can't say whether the underlying tech in the device has open source components (it took me a moment to remember that pfSense does, as an example!), but that's a very good reminder. And most of my googling yesterday was for evaluations, because the vendor in question does not seem to have a profile at the eval sites I'm most familiar with. That's why this thread is here, actually!

Also, when you say "Procurement Unit", is this an entity? Or are you talking about any org's own internal procurement and test facility? If it's the latter, my next thread will be, "What are your some of your preferred testing tools?" 😁😁😁

@JoePete, now I know what Section 508 is! And yes, hardware in constant states of improvement (both for features and fixes) are definitely a net positive. The vendor in question seems to fix everything which was reported, at least.

I've now created a Gartner Peer Insights profile (and unsubscribed from their spam list already). Also, I stumbled across the National Information Assurance Partnership website, which looks similar to the Common Criteria website in its layout. I'll be curious to hear what y'all think about it.

Re: Equipment reviews for security worthiness

Caute_cautim — Fri, 26 Apr 2024 04:53:02 GMT

@ericgeater Procurement unit, what I mean is a dedicated department within your organisation responsible for purchasing hardware, software and services. If you have such a unit within your organisation, as my own organisation does, we have to go through a risk management process, identifying why, what, when, where and how questions - stating what the software is for example. They then do due diligence on the request and hunt vendors, distributors etc. If the item is new, they will ask further questions, and and examine the need and urgency for the request. They go through licensing, including any Open Source licensing requests, plus formal security testing and vulnerability testing for the software etc.

We have a security and privacy by design principle in place, which forces rigor and examination before any Open Source software can be used - a lot of emphasis on licensing types etc

Regards

Caute_Cautim