Matrix
Cloud
21 requirements
Account Management
11 requirements
In production, all credentials need to be unique and nominative
DVID-CLO-2
A password policy needs to be implemented according to security score
DVID-CLO-3
The default password needs to be unique and created during the manufacturing process
DVID-CLO-4
The account creation process needs to be based on recovery password functionality
DVID-CLO-5
All credentials need to be stored encrypted using at least the BCRYPT algorithm
DVID-CLO-6
All application data needs to be stored encrypted using vault functionality
DVID-CLO-7
When created, a user needs to have the lowest privileges
DVID-CLO-8
A privilege matrix needs to be implemented
DVID-CLO-9
The authentication process needs to block brute-force attacks
DVID-CLO-10
Two factor authentication is implemented on the device.
DVID-CLO-11
Two-factor authentication accepts a qualified solution
DVID-CLO-12
Denial of Service
1 requirement
All exposed services must be protected against denial of service attacks
DVID-CLO-15
Documentation
1 requirement
All components (type / version / manufacturer) need to be stored in a CMDB
DVID-CLO-18
Encryption
2 requirements
Exchange encryption needs to prevent eavesdropping and tampering
DVID-CLO-13
Weak encryption algorithms need to be deactivated
DVID-CLO-14
Management
1 requirement
Keys used for signing components need to be stored in a safe area
DVID-CLO-19
Reducing attack surface
2 requirements
Third party code needs to be security evaluated before integration
DVID-CLO-20
A hardening guide needs to be documented
DVID-CLO-21
Resilience
2 requirements
When network connection is done, reconnection needs to implement prevention against massive-scale reconnection to cloud servers
DVID-CLO-16
All data input needs to be sanitized
DVID-CLO-17
Username Enumeration
1 requirement
The authentication mechanism must not leak the existence of valid or invalid accounts
DVID-CLO-1
Device
59 requirements
Account Management
16 requirements
In production, all credentials need to be unique and nominative
DVID-DEV-2
In production, the debug interface needs to be deactivated or restricted.
DVID-DEV-3
In production, the administrative interface needs to be protected from opportunistic access
DVID-DEV-4
A password policy needs to be implemented regarding the security level of the device.
DVID-DEV-5
All credentials need to be enforced by the current password policy
DVID-DEV-6
The default password needs to be unique and created during the manufacturing process
DVID-DEV-7
The default password needs to be changed during the installation process
DVID-DEV-8
Password reset functionality needs to be restricted to the factory reset process only
DVID-DEV-9
All credential information needs to be stored securely
DVID-DEV-10
A trust module needs to be used by default to store credentials
DVID-DEV-11
The authentication process needs to block brute-force attacks
DVID-DEV-14
Blocking attacks must not cause a denial-of-service situation.
DVID-DEV-15
Two factor authentication is implemented on the device.
DVID-DEV-16
Two-factor authentication accepts a qualified solution
DVID-DEV-17
Authentication needs to be implemented between the device and its gateway
DVID-DEV-18
Authentication needs to be implemented between the device and the cloud
DVID-DEV-19
Console access
1 requirement
In production, serial interfaces such as UART need to be deactivated
DVID-DEV-41
Denial of Service
1 requirement
A solution needs to catch denial-of-service situations.
DVID-DEV-29
Documentation
3 requirements
All hardcoded information needs to be documented
DVID-DEV-12
Hardcoded credentials need to be removed in development, preproduction and production environments
DVID-DEV-13
All components (type / version / manufacturer) need to be stored in a CMDB
DVID-DEV-58
Encryption
9 requirements
All network exchanges need to implement encryption
DVID-DEV-20
Exchange encryption needs to prevent eavesdropping and tampering
DVID-DEV-21
Exchange encryption needs to validate the authenticity of each party before data is sent.
DVID-DEV-22
Weak encryption algorithms need to be deactivated
DVID-DEV-23
The device needs to implement a secure element on the PCB
DVID-DEV-24
The secure element needs to be used to store the encryption key
DVID-DEV-25
Confidential and sensitive information needs to be stored encrypted in non-volatile memory
DVID-DEV-26
Confidential and sensitive information needs to be stored encrypted in volatile memory
DVID-DEV-27
Encryption keys are never shared between devices
DVID-DEV-28
Execution Flow
3 requirements
In production, the execution flow needs to be protected against debugging
DVID-DEV-38
JTAG access needs to be deactivated in production
DVID-DEV-39
All core chips need to be protected against side-channel attacks
DVID-DEV-40
Firmware and storage extraction
1 requirement
The storage media needs to be protected against physical removal
DVID-DEV-37
Reducing attack surface
6 requirements
All unused ports need to be deactivated
DVID-DEV-42
In a production release of software, only necessary software is implemented
DVID-DEV-43
In production, a code cleaning process needs to be run before releasing the binary
DVID-DEV-44
The code needs to be run with as few privileges as possible
DVID-DEV-45
Third party code needs to be security evaluated before integration
DVID-DEV-59
A hardening guide needs to be documented
DVID-DEV-60
Resilience
4 requirements
When a power outage is detected, the device needs to migrate to a safe state
DVID-DEV-54
When a network outage is detected, the device needs to migrate to a safe state
DVID-DEV-55
When network connection is done, reconnection needs to implement prevention against massive-scale reconnection to cloud servers
DVID-DEV-56
All data input needs to be sanitized
DVID-DEV-57
Software integrity
7 requirements
Secure boot needs to be implemented
DVID-DEV-46
Secure boot needs to implement a hardware root of trust
DVID-DEV-47
The software needs to detect any tampering
DVID-DEV-48
When detecting tampering, the software needs to send an alert
DVID-DEV-49
When detecting tampering, the alert needs to be sent over a side channel
DVID-DEV-50
When detecting tampering, detection needs to log the event in a write-only memory
DVID-DEV-51
When detecting tampering, the system needs to freeze or return to a safe state
DVID-DEV-52
Update Management
7 requirements
An update process needs to be implemented
DVID-DEV-30
The update process needs to check integrity before deployment
DVID-DEV-31
Update binaries need to be transferred over a secure channel.
DVID-DEV-32
The update binary needs to be stored in a safe location
DVID-DEV-33
Firmware needs to be digitally signed
DVID-DEV-34
All software implemented in the device needs to be at the latest version available on the manufacturer website
DVID-DEV-35
All updates need to include software updates to the latest version available on the manufacturer website
DVID-DEV-36
Usability
1 requirement
The maintenance process needs to be easy and security-proof
DVID-DEV-53
Gateway
30 requirements
Account Management
9 requirements
In production, all credentials need to be unique and nominative
DVID-GAT-3
A password policy needs to be implemented according to security score
DVID-GAT-4
The default password needs to be unique and created during the manufacturing process
DVID-GAT-5
Credentials need to be protected in a hardware security module
DVID-GAT-6
Hardcoded credentials need to be removed in development, preproduction and production environments
DVID-GAT-7
The authentication process needs to block brute-force attacks
DVID-GAT-8
Blocking attacks must not cause a denial-of-service situation.
DVID-GAT-9
Two factor authentication is implemented on the device.
DVID-GAT-10
Two-factor authentication accepts a qualified solution
DVID-GAT-11
App Code
4 requirements
In production, the compiled code needs to be obfuscated
DVID-GAT-24
The authentication mechanism needs to validate, on the server side, the authenticity of the request
DVID-GAT-25
The authentication mechanism needs to perform validation in a secure way
DVID-GAT-26
All data incoming from user land needs to be sanitized before being processed
DVID-GAT-27
Denial of Service
1 requirement
The application needs to implement denial of service protection
DVID-GAT-16
Documentation
1 requirement
All components (type / version / manufacturer) need to be stored in a CMDB
DVID-GAT-28
Encryption
4 requirements
Exchange encryption needs to prevent eavesdropping and tampering
DVID-GAT-12
Weak encryption algorithms need to be deactivated
DVID-GAT-13
Confidential and sensitive information needs to be stored encrypted in volatile memory
DVID-GAT-14
When a secret is shared, the storage and the exchange need to be encrypted
DVID-GAT-15
Reducing attack surface
2 requirements
Third party code needs to be security evaluated before integration
DVID-GAT-29
A hardening guide needs to be documented
DVID-GAT-30
Update Management
7 requirements
An update process needs to be implemented
DVID-GAT-17
The update process needs to verify the integrity of the new binary before any modification
DVID-GAT-18
The update process needs to transport information through a secure tunnel
DVID-GAT-19
The update binary needs to have its confidentiality and integrity protected
DVID-GAT-20
The update binary needs to be stored in a safe area
DVID-GAT-21
The update process needs to show the current app version and the last update version
DVID-GAT-22
In production, the latest update of all libraries needs to be implemented
DVID-GAT-23
Username Enumeration
2 requirements
The authentication mechanism must not leak the existence of valid or invalid accounts
DVID-GAT-1
The authentication mechanism needs to implement an anti-brute-force security process
DVID-GAT-2
Policy
31 requirements
Documentation
5 requirements
All configuration changes need to be documented
DVID-POL-15
The design of the solution needs to be modular
DVID-POL-16
Documentation needs to implementation validation process and release version
DVID-POL-18
The documentation needs to be reviewed at least once per year
DVID-POL-30
Information needs to be classified according to security needs
DVID-POL-31
Management
8 requirements
Unit tests need to be performed at least at each release
DVID-POL-17
Roles and responsibilities need to be defined at project level
DVID-POL-19
Security awareness needs to be provided to all participants in the project
DVID-POL-20
Keys used for signing components need to be stored in a safe area
DVID-POL-25
Business impact analysis needs to be performed before the first release and an update needs to be performed before each major update
DVID-POL-26
Risk analysis needs to be performed before the first release and an update needs to be performed before each major update
DVID-POL-27
A security assurance plan needs to be documented
DVID-POL-28
Vulnerability assessment and audit need to be performed with independence
DVID-POL-29
Personal Data
4 requirements
The documentation needs to give transparent information about personal data usage
DVID-POL-11
If personal data are collected, the consent of the user needs to be obtained in an easy way
DVID-POL-12
The consent process needs to not permit removal
DVID-POL-13
A dedicated form, publicly accessible, needs to permit a user to remove their personal data
DVID-POL-14
Updates
5 requirements
The communication process needs to implement a dedicated channel for security alerts
DVID-POL-6
The communication process needs to implement a dedicated channel for security updates
DVID-POL-7
The update process needs to integrate the latest version of all off-the-shelf components at release time
DVID-POL-8
The documentation needs to provide information about end-of-life of components
DVID-POL-9
In the case of updatable components, the documentation needs to provide information about them and related risks
DVID-POL-10
Vulnerabilities Management
9 requirements
A contact point needs to be designed to receive public issues (e.g. security.txt)
DVID-POL-1
All used software needs to be signed up to a vulnerability monitoring process
DVID-POL-2
A fix management process needs to define how fixes are installed on the system.
DVID-POL-3
A fix management process needs to define how fixes are installed on the system.
DVID-POL-4
A fix management process needs to define how fixes are installed on the system.
DVID-POL-5
Static code analysis needs to be performed on each commit
DVID-POL-21
A vulnerability scan needs to be performed on each staging
DVID-POL-22
A penetration test needs to be performed on each release
DVID-POL-23
An architecture and configuration audit needs to be performed before the first release and before each major update
DVID-POL-24