The Signify SDL is certified to IEC 62443-4-1.
All of our internal and external development activities follow the Signify Security Development Lifecycle (SDL), which codifies industry-accepted best practices. The major components of the SDL are security risk analysis and threat modeling, code analysis and review, and vulnerability management. We apply the SDL to all of our hardware products, systems, services, software, and cloud solutions.
In accordance with the SDL, Signify takes the following actions during design, development, and testing:
- A security risk analysis, based on Signify security requirements aligned with the ISA/IEC 62443 standards suite, is performed for every new project and for every significant change to an existing project.
- Automated code analysis and manual code reviews are regularly performed during development. These analyses and reviews are based on, but not limited to, frameworks such as the OWASP IoT Project and the OWASP Top Ten Project.
- Third-party code, including open source code, is automatically analyzed to identify and mitigate vulnerabilities.
- Hardening of the operating system is performed for embedded devices and cloud-based solutions.
- Appropriate network security and firewall rules are implemented and reviewed regularly.
- Encryption of data in transit and at rest is implemented according to generally accepted industry standards as described in the Federal Information Processing Standard Publication 140-2 (FIPS 140-2).
- Penetration tests by internal and/or external parties are performed regularly.
The Corporate Product Security and Innovation research team is responsible for evaluating the latest IoT security technologies, and supports the development teams in making the right choices when introducing new security algorithms, solutions, and technology partners.
Signify regularly audits its partners and supply chain to maintain the appropriate level of security in the manufacturing process.