Open Group’s New Open Trusted Technology Provider Standard: How Trustworthy are Your Products?

The English saying “You are what you eat”, like many other aspects of culinary history, has its origin in France, and more precisely in Jean Anthelme Brillat-Savarin’s “The Physiology of Taste: Or Meditations on Transcendental Gastronomy”, where he first wrote

“Tell me what you eat, and I shall tell you what you are.”

In French: “Dis-moi ce que tu manges, je te dirai ce que tu es.”

This week’s release by the Open Group of the Open Trusted Technology Provider Standard (O-TTPS) subtitled “Mitigating Maliciously Tainted and Counterfeit Products” provides a twenty-first century version of this old saying, which could be best rephrased as:

“Tell me about your practices, and I shall tell you how trustworthy your products are.”

The 32-page document applies a principle often echoed on this blog and across the industry: the security of a product is best measured by understanding the security practices of the technology provider that builds it, with a strong focus on the supply chain. The Standard is a set of requirements derived from the experience of mature organizations that, when applied, reduce the risk of acquiring maliciously tainted or counterfeit products. A companion Accreditation Program, planned for the end of this year, will enable recognized third-party assessors to measure compliance with the Standard.

EMC was one of the industry contributors to this standard. Its representative, Dan Reddy from EMC’s Product Security Office, has been part of the Open Group working group since the very early days of the work on O-TTPS.

The publication of this standard is just the beginning of a long journey that will see the emergence of more collaborative security standards that help customers assess the processes adopted by technology providers to build secure and trustworthy products.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize