Security statements for machine-readable cybersecurity posture

Reports from cybersecurity audits, penetration tests, and certifications are usually pieces of paper (well, PDFs) that do not support automatic processing. AI may be able to parse some information from informal text, but the results are far from consistent. The problem has been acknowledged, and there are partial solutions such as the SPDX format for software bills of materials (SBOMs) or the Manufacturer Usage Description (MUD) defined in RFC 8520.

My doctoral thesis "Transparent and tool-driven security assessment for sustainable IoT cybersecurity" introduces security statements to provide machine-readable security postures. A security statement describes the attack surface, security controls, update mechanism, and other security-related properties of a digital product, such as an IoT product, in a machine-readable format.

In the thesis, security statements are created using a Python-based domain-specific language (DSL) and verified with common security tools. Verification ensures that a security statement represents the product's true security posture. This tool-based process is automated and can be repeated for different versions, configurations, and even deployments of the product. The applications of verifiable, up-to-date, machine-readable security statements are endless: certification, security policy checking, supply chain integration, regression testing, sandboxing, etc.
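To make the idea concrete, here is a small added sketch in Python; it is not the thesis's DSL nor Test of Things code. It models a hypothetical security statement whose declared attack surface is checked against constructed nmap-style scan output, so an undeclared service shows up as a verification finding; all type names, fields and sample data are invented.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Service:
    """One network-facing service the product declares (hypothetical model)."""
    port: int
    protocol: str      # "tcp" or "udp"
    name: str

@dataclass
class SecurityStatement:
    """Hypothetical machine-readable statement of a product's posture."""
    product: str
    version: str
    attack_surface: list = field(default_factory=list)
    update_mechanism: str = "none"

def parse_scan_lines(lines):
    """Parse nmap-style 'PORT/PROTO STATE SERVICE' lines into (port, proto, state)."""
    parsed = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue  # skip the header and malformed lines
        port, proto = parts[0].split("/", 1)
        parsed.append((int(port), proto, parts[1]))
    return parsed

def verify_attack_surface(statement, observed):
    """Compare the declared attack surface with observed open ports.
    Returns services seen but not declared, and declared but not seen."""
    declared = {(s.port, s.protocol) for s in statement.attack_surface}
    seen = {(port, proto) for port, proto, state in observed if state == "open"}
    return {"undeclared": sorted(seen - declared),
            "missing": sorted(declared - seen)}

# Constructed statement for a fictional product (not a real device).
STATEMENT = SecurityStatement(
    product="ExampleCam", version="1.2.0",
    attack_surface=[Service(443, "tcp", "https-admin"), Service(554, "tcp", "rtsp")],
    update_mechanism="signed OTA",
)
# Constructed nmap-like output; the telnet line is the discrepancy to catch.
SCAN_LINES = ["PORT     STATE SERVICE", "23/tcp   open  telnet",
              "443/tcp  open  https", "554/tcp  open  rtsp"]

if __name__ == "__main__":
    print(verify_attack_surface(STATEMENT, parse_scan_lines(SCAN_LINES)))
```

Because the statement is structured data, the same check can be re-run against each new firmware version or deployment and the result fed into a policy or certification pipeline.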

At Test of Things we are taking the security statement from an academic concept to a practical tool for IoT manufacturers, integrators, and users. Stay tuned for both open-source and commercial solutions that put security statements into use!
