PRODUCT SECURITY
Product Security Assessments
Identify and prioritize vulnerabilities based on business impact, historical data, CVSS scores, threat intelligence, and live threat scenarios. Identify vulnerabilities, orchestrate mitigation, and use critical data to manage IT and OT component risk across your extended supply chain.
Evaluate a given product's capability and configurability against cybersecurity controls mapped to regulatory frameworks, weighted by product archetype and known vulnerability risk profile.
A formal evaluation of hardware or software based on inherent product risk, product security controls, and vulnerability risk profile. Over 50 procedures use open source intelligence to identify risks across risk management, cybersecurity, negative news, compliance, sentiment, financial, privacy, and fourth-party categories. All results are documented with full-resolution screenshot evidence. Each category is assigned a risk score from 0 to 100 based on the assessment results or findings.
Use manual and semi-automated methods to identify, categorize, and document product vulnerabilities, security control configurations, and product components; perform quality assurance checks; and manage the results in the Fortress Platform.
Access
Data-driven risk evaluations and analyst assessments
Identify
Triage suppliers based on criticality
Facilitate
Continuous monitoring and remediation workflows
Automate
Configuration management, file authenticity assurance, and remediation
Narrow the gap between vendor, asset, and product security management disciplines
The Inherent Product Risk section evaluates the potential for harm across risk categories such as data/systems access, cloud, mobile, offshore, safety, grid reliability, security, compliance, and supply chain. The score for this section caps how much the vulnerability and controls assessment scores can contribute to the overall risk score.
The Product Security Controls section evaluates 59 individual security controls in 10 categories. The level of risk for each product security control is ranked by its potential impact in an IT/OT environment. Each control is mapped to control frameworks such as NERC CIP, NIST SP 800-53, NATF, and CIS. Each category is then given a score calculated from its individual control scores.
All category scores are then averaged to produce an overall Product Security Controls score. Each control question yields one of five results: Default, Configurable, Not Present, Not Applicable, or Unknown. Configurable results include details, drawn from product documentation, on how to configure the product to apply the control. Not Present results include a description of the impact of lacking that control in the environment.
The Vulnerability Risk Profile evaluates the product for known vulnerabilities and for third-party vulnerabilities that may affect the product. These vulnerabilities are then analyzed to establish a trend (whether the count is increasing, decreasing, or stable) and a timeline reflecting the vendor's responsiveness to known vulnerabilities. The vendor is evaluated on its ability to notify, disclose, and remediate vulnerabilities found in the product.