Product Cybersecurity Posture Assessment Framework
Questions marked with a * are required.
Please select your Industry Vertical: Transportation, Industrial Products, Hitech & Telecommunication, FMCG / Chemicals, Healthcare, Oil & Gas, Other
Capability for Handling Security Breaches (rate each item from 1 = Very Poor to 5 = Very Good)
How would you rate the organization's processes and structures for vulnerability remediation in the product's post-release phase?
How would you rate the remote software update capability for the organization's products?
Data Privacy and Security (rate each item from 1 = Very Poor to 5 = Very Good)
How well does the organization's product identify the personal information it handles about users, and how well is that information secured in transit and at rest?
Development Process (Policies, Standards, Procedures) (rate each item from 1 = Very Poor to 5 = Very Good)
Are all functionalities that are used only for development securely disabled or removed from the production software images?
Where cryptographic suites are used (such as in TLS), are all cipher suites listed and validated against current security recommendations (such as NIST SP 800-131A or OWASP)? For instance, using ephemeral key exchange and authenticated-encryption ciphers such as AES-GCM. This also includes removing from the product any cipher suites identified as insecure.
Does the product's software source code follow the basic good practice of a language-subset coding standard (e.g., MISRA C)?
Is all OS command-line access to the most privileged accounts removed from the operating system?
Firmware Security (rate each item from 1 = Very Poor to 5 = Very Good)
Does the product have protection features against reverting the software to an earlier and potentially less secure version?
Is the product supported by a public key infrastructure in the back-end that provides signed firmware for flashing and updates, and issues or validates device identity?
Are sensitive software components, such as cryptographic processes, isolated from, or running at a higher privilege than, other software components?
Does the product have a secure boot process?
Hardware Security (rate each item from 1 = Very Poor to 5 = Very Good)
Are all communication ports (such as USB, RS232, etc.) that are not used as part of the product's normal operation physically inaccessible, or otherwise secured, on production devices?
Does the product support access control measures on the root account to restrict access to sensitive information or system processes?
Identity, Access Management, and Authentication (rate each item from 1 = Very Poor to 5 = Very Good)
Does the product have a secure onboarding process, such as out-of-band pairing?
Can the product defend against brute-force attempts by restricting the maximum number of attempts and increasing the delay after each failed attempt?
Are TCP-based protocols (e.g., MQTT) and UDP-based protocols (e.g., CoAP) running over TLS and DTLS respectively?
Secure Communication (rate each item from 1 = Very Poor to 5 = Very Good)
Does the product have an intrusion prevention or detection process in place for monitoring, analyzing and validating traffic to the device?
Are TCP-based protocols (e.g., MQTT) and UDP-based protocols (e.g., CoAP) running over TLS and DTLS respectively?
Does the product prevent unauthorized connections to itself or to other devices it is connected to, at all layers of the relevant protocols?