Make software security measurable, comparable and transparent
How will you manage that?
Note, I was planning to comment a lot on the URL given above, but it is mostly sales talk, so let's go into the few factual points which I find relevant.
Verify and validate the absence of known vulnerabilities, weaknesses, and known malware in products and the effective implementation of security controls
Isn't the 'unknown' more interesting to know? (known is simply known)
Coding flaws, defects, and bugs are a main cause for easily exploitable software vulnerabilities.
No shit?
By identifying and exposing vulnerabilities, especially during development, this can significantly reduce or eliminate security risks in products’ and systems’ software, ideally before deployment.
Reverse engineering in R&D?
The Product or System Assessment involves testing, including:
.....
Ok, so there is some reverse engineering after all, not bad.
Therefore, and in addition, a Product or System Assessment verifies a product’s software is in compliance with required security controls. These security controls may include but not be limited to role-based access control, secure data storage, cryptography, key management, authentication, integrity and confidentiality of all data received and transmitted.
Ah, you want to sell IDS/IPS (Intrusion Detection System/Intrusion Protection System)
The UL 2900 Standard contains minimum requirements on each of these controls. The Standard contains requirements for the vendor or manufacturer to design the security controls in such a way that they demonstrably satisfy the security needs of the product. Also, the Standard describes testing and verification requirements for collecting evidence that the designed security controls are implemented.
https://www.emergogroup.com/tags/ul-2900
Medical device and healthcare networking cybersecurity standard... And?