UL 2900-1-2020 pdf download


UL 2900-1-2020 pdf download. Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements.
3 Glossary

3.1 ATTACK – The use of one or more exploit(s) by an adversary to achieve one or more negative technical impact(s).

3.2 ATTACK PATTERN – A description of a generic method for carrying out attacks.

3.3 AUTHENTICATION – The process of verifying the identity of an entity.

3.4 AUTHENTICITY – The property that data, information or software originate from a specific entity.

3.5 AUTHORIZATION – The process of giving an entity permission to access or manipulate the product, or the property that an entity has such permission.

3.6 BINARY CODE – Machine instructions and/or data in a format intended for a specific processor architecture.

3.7 BYTECODE – Instructions and/or data that are created from source code as an intermediate step before generating binary code. Bytecode is independent of a specific processor architecture and is typically handled by a virtual machine or interpreter.

3.8 COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION (CAPEC) – Specified in ITU-T X.1544 (ref. [7]), the CAPEC is a publicly available resource providing a list and classification of a large number of attack mechanisms based on the topology of the environment.

3.9 COMMON VULNERABILITIES AND EXPOSURES (CVE) – Specified in ITU-T X.1520 (ref. [3]), the CVE is a publicly available resource providing common identifiers for known vulnerabilities and exposures.

3.10 COMMON VULNERABILITY SCORING SYSTEM (CVSS) – Specified in ITU-T X.1521 (ref. [4]), the CVSS is a publicly available resource providing a means for prioritizing vulnerabilities in terms of exploit potential.

3.11 COMMON WEAKNESS ENUMERATION (CWE) – Specified in ITU-T X.1524 (ref. [5]), the CWE is a publicly available resource providing a structured means to exchange unified, measurable sets of information providing common identifiers for software weaknesses, as well as consequences, detection methods and examples of each weakness.

3.13 COMMUNICATION PROTOCOL – A system of rules regarding syntax, semantics, synchronization and error recovery of data communication, allowing two or more entities to exchange information.

3.14 CONFIDENTIALITY – The property that data, information or software is not made available or disclosed to unauthorized individuals, entities, or processes.

3.15 EXECUTABLE – A file containing instructions in binary code, which can be used by a computer to perform computational tasks.

3.16 EXPLOIT – An input or action designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact. NOTE: The existence of an exploit targeting a weakness is what makes that weakness a vulnerability.

3.17 EXTERNAL INTERFACE – An interface of the product that is designed to potentially allow access to an entity outside the product; for example user interfaces, remote interfaces, local interfaces, wireless interfaces and file inputs.

3.18 GENERATIONAL MALFORMED INPUT TESTING – A method of deriving malformed input test cases by using detailed knowledge of the syntax and semantics of the specifications of the protocol or file format being tested.

3.19 HARM – Physical injury or damage to the health of people, or damage to property or the environment.

3.20 I2C BUS – An inter-integrated circuit bus.

3.21 INTEGRITY – The assurance that data can only be altered by authorized entities.

3.22 JTAG – Joint Test Action Group (JTAG) method of connection described in IEEE 1149, Standard for Test Access Port and Boundary-Scan Architecture.

3.31 PRODUCT – The network-connectable device, software or system under test.

3.32 PROTOCOL – See COMMUNICATION PROTOCOL.

3.33 REMOTE INTERFACE – An external interface potentially allowing access to individuals, entities or processes regardless of geographic distance to the product.

3.34 REMOTE ACCESS – Access to the product via a remote interface.

3.35 RISK – The potential for harm or damage, measured as the combination of the likelihood of occurrence of that harm or damage and the impact of that harm or damage.

3.36 RISK ANALYSIS – The systematic use of available information to identify threats and to estimate risk.

3.37 RISK CONTROL – Any action taken or feature implemented to reduce risk.

3.38 RISK MANAGEMENT – Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.

3.39 SECURE ELEMENT – A tamper-resistant platform, such as a chip, capable of securely hosting applications and their confidential and cryptographic data and that will prevent unauthorized access.

3.40 SECURITY – The process of having acceptable levels of confidentiality, integrity, authenticity and/or availability of product data and/or functionality through risk analysis.
