[trustable-software] Code of Practice on IoT: UK Government Report

Niall Dalton niall.dalton at gmail.com
Fri May 25 16:58:35 BST 2018


Indeed. Personally, I'd also consider 'keep software updated' to be
distinctly non-trivial. Consider rolling out an update to a fleet of
intermittently connected, intermittently powered, resource-constrained
clients. We need it to be secure, robust, atomic, fail-safe, and
reversible.  It has to complete in a timely fashion, and we have to know
how well we're doing (at least statistically). Plus, for added fun, updates
may trigger failures that the device would not have otherwise experienced,
both hardware and in the new software, and we may need to send out a
dueling update. Good clean fun for the whole family.


On Fri, May 25, 2018 at 8:46 AM, Barton Miller <bart at cs.wisc.edu> wrote:

> What's interesting about these general checklists is that they seem to show
> a lack of understanding of software.
>
> Some items, like "no default passwords" or "keep software updated", are
> pretty trivial to implement.
>
> Others, related to the software's structure and content, like "ensure
> software integrity" and "make systems resilient to outages" can take
> extraordinary efforts.
>
> --bart
>
> On 2018-05-25 8:32 AM, trustable at panic.fluff.org wrote:
>
> I wonder how many people have read the "Secure by Design Report"
>
> https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf
> Co
>
> It has a 13 point code
>   1) No default passwords
>   2) Implement a vulnerability disclosure policy
>   3) Keep software updated
>   4) Securely store credentials and security-sensitive data
>   5) Communicate securely
>   6) Minimise exposed attack surfaces
>   7) Ensure software integrity
>   8) Ensure that personal data is protected
>   9) Make systems resilient to outages
>  10) Monitor system telemetry data
>  11) Make it easy for consumers to delete personal data
>  12) Make installation and maintenance of devices easy
>  13) Validate input data
>
> How could they relate to what we are doing with Trustable?
> We've talked about development and declarative instantiation and
> behaviour, which sort of fits the integrity of the software. I wondered
> what we might bring to the attention of the need to have software updated
> and maintained..
>
> Edmund
>