Static Analysis and UL 2900 Standard for Software Cybersecurity

ul2900

The UL 2900 is a software cybersecurity standard, specifically a Cybersecurity Assurance Program or CAP, released by Underwriter’s Laboratory (UL). Yes, this is the same company whose logo appears on many electrical devices. Much in the same way UL certifies devices for safety they are now in the cybersecurity certification business both in terms of publishing standards and certifying the software and manufactured devices to the standard. These standards are gaining traction in marketplace and the FDA has recognized the standard as meeting their cybersecurity guidance.

A notable aspect of the UL 2900 is that it specifies product requirements for more secure products and a certification that UL tests a submitted product against. In other words, the standard spells out requirements for securing a product and the set of tests it is subjected to in order to gain certification. There are also specific requirements around testing and static analysis, the topic of this post.

Risk Management is the Focus

Cybersecurity boils down to managing risk and risk mitigation. Deploying highly connected devices into an IoT ecosystem, for example, is a hostile environment and the potential threats need to be accounted and planned for. This approach forces developers to consider security risk early in a product lifecycle and make security important as safety, performance and functionality.

Building security into a product from the beginning is the key to better security it is expensive, if not impossible, to secure a product after it has been developed. We have discussed this topic at length (see this post, and this post) but to reiterate, part of shifting security “to the left” (i.e. earlier in the development lifecycle) is to incorporate automation for testing including static and dynamic analysis.

The Role of Static Analysis in UL 2900

The UL 2900 standard is clear in the requirement for code analysis as part of documenting the product under certification. For example, section 4.1, “Product Documentation”, the standard specifies:

4.1 Product Documentation

“d) As part of the section Software Weakness, a code analysis will need to be performed. This involves using tools against the existing source code of all software in the product that is available…”

“e) The binary code and/or bytecode and associated identifiers of all software in the product...”

In addition, the standard, under “Software Weaknesses”, section 18 and 19 spell out the requirements for static analysis:

“18 Static Source Code Analysis

18.1 All source code provided by the vendor per 4.1(d) shall be evaluated by means of static code analysis.

18.2 The product shall be evaluated for at least all software weaknesses listed in the latest versions of the sources mentioned in Append A, as applicable to the product.”

Section 19 requires the use of binary code analysis:

“19 Static Binary and Bytecode Analysis

19.1 All binary and/or bytecode provided by the vendor per 4.1(e) shall be evaluated by means of static analysis.

19.2 The product shall be evaluated for at least all software weaknesses listed in the latest versions of the sources mentioned in Append A, as applicable to the product.”

It’s pretty clear that static analysis of both source and binaries are required by the standard as part of the submission of product documentation to UL in order to achieve certification. Let’s consider some of the benefits of static analysis over and above the requirements.

Benefits of Static Analysis

Static analysis tools are a staple in the tool chest of organizations building more secure products. The majority of software development costs come from finding and then fixing problems in code, so discovering defects early in the development cycle helps reduce risk and cost in the following ways:

  • Finds defects before unit testing: Static analysis tools can be used right at the developer's desktop environment and can prevent defects before they enter the build system and the unit test phase of development.
  • Finds defects that testing misses: Unit testing, even on projects demanding high code-coverage levels, can still miss important defects. 
  • Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability.
  • Safety/Security coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Coding standards are a good practice because they increase the robustness and security of code.
  • Analyzes Third Party Code: Use of commercial off-the-shelf software (COTS) and open-source software is often a necessity in modern software development. However, software of unknown pedigree needs to be managed carefully for safety and security before inclusion in a device.  Static analysis tools can analyze third-party source and in the case of GrammaTech CodeSonar, binaries to discover defects and security vulnerabilities in software that could be impossible to test otherwise.
  • Accelerates UL certification: Static analysis (and other testing and lifecycle management tools) provides automated documentation to support testing, coding standard, and quality/robustness evidence. UL 2900 specifically requires static analysis and as such, commercial products are better suited to provide the reporting and documentation trail needed for certifications. Moreover, GrammaTech CodeSonar is certified to safety standards ISO 26262, IEC 61508 and EN50128 by TÜV SÜD providing assurance on their suitability for safety critical devices which may be required to bring a product to market.

Summary

The UL 2900 standard for software cybersecurity is an interesting blend of security process and development guidance and testing/certification. With recognition from industry regulators such as the FDA, it is gaining ground in safety critical products where both security and safety are important requirements. The standard is also clear in specifying the use of static analysis and commercial tools such as CodeSonar are well suited to fulfill the requirements of the standard while also providing tangible benefits in increasing quality and security.