
SafeCyber Technical Guide and FAQs

Learn from our technical guide and FAQs for SafeCyber’s Maturity Path, Firmware Check and Field Monitoring solutions


Maturity Path

How is the maturity level scoring done?

As you complete the questionnaire, each question contributes a certain number of points to your maturity score. The spider web diagram on the selected project page displays the results.

Maturity level scoring

Using your answers, the tool calculates a maturity score for each sub-category (e.g., Strategy and Metrics within Governance) and for the overall category (e.g., Governance), which is made up of three sub-categories. Sub-category scores range from 0 to 3; the overall category score is the total of its three sub-categories and ranges from 0 to 9.

Maturity levels and assessment scores are based on the existing OWASP Software Assurance Maturity Model (SAMM) 2.0 framework. The higher the maturity level your answers indicate, the higher the score. The following table shows the scores per question and the maturity levels per sub-category.

Assessment scores (per question)      Maturity levels (per sub-category)
  1    Most                             3    Comprehensive mastery at scale
  0.5  At least half                    2    Increased efficiency and effectiveness
  0.2  Some                             1    Ad-hoc provision
  0    None                             0    Practice unfulfilled
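The scoring described above, worked through in code. This is an added example, not SafeCyber's own scoring code; it assumes three questions per sub-category (one per maturity level, which gives the 0 to 3 range) and three sub-categories per category (stated on the page), and the sample answers and the sub-category names other than "Strategy and Metrics" are constructed from the SAMM 2.0 Governance practices.

```python
"""Worked example of the SAMM-style maturity scoring described in the FAQ.

Added illustration; not the SafeCyber platform's own implementation.
"""
from typing import Dict, List, Tuple

# Per-question assessment scores, taken from the table on the page.
ANSWER_POINTS = {"Most": 1.0, "At least half": 0.5, "Some": 0.2, "None": 0.0}

# Per-sub-category maturity level labels from the table (whole-number scores).
LEVEL_LABELS = {
    3: "Comprehensive mastery at scale",
    2: "Increased efficiency and effectiveness",
    1: "Ad-hoc provision",
    0: "Practice unfulfilled",
}

# Assumption: one question per maturity level 1-3, so a sub-category scores 0-3.
QUESTIONS_PER_SUBCATEGORY = 3
# Stated on the page: three sub-categories per category, so a category scores 0-9.
SUBCATEGORIES_PER_CATEGORY = 3


def score_subcategory(answers: List[str]) -> float:
    """Sum the per-question points for one sub-category (0 to 3)."""
    if len(answers) != QUESTIONS_PER_SUBCATEGORY:
        raise ValueError(f"expected {QUESTIONS_PER_SUBCATEGORY} answers, got {len(answers)}")
    total = 0.0
    for answer in answers:
        if answer not in ANSWER_POINTS:
            raise ValueError(f"unknown answer choice: {answer!r}")
        total += ANSWER_POINTS[answer]
    # Round to avoid float noise such as 0.7000000000000001.
    return round(total, 2)


def describe_level(score: float) -> str:
    """Map a sub-category score to the table's level label.

    Only whole-number scores have a label on the page; a fractional score is
    reported as lying between the two neighbouring levels (no rounding rule
    is assumed).
    """
    if score < 0 or score > 3:
        raise ValueError(f"sub-category score out of range: {score}")
    if float(score).is_integer():
        return LEVEL_LABELS[int(score)]
    low = int(score)
    return (f"between level {low} ({LEVEL_LABELS[low]}) "
            f"and level {low + 1} ({LEVEL_LABELS[low + 1]})")


def score_category(subcategories: Dict[str, List[str]]) -> Tuple[Dict[str, float], float]:
    """Return per-sub-category scores and the category total (0 to 9)."""
    if len(subcategories) != SUBCATEGORIES_PER_CATEGORY:
        raise ValueError(f"expected {SUBCATEGORIES_PER_CATEGORY} sub-categories")
    per_sub = {name: score_subcategory(ans) for name, ans in subcategories.items()}
    return per_sub, round(sum(per_sub.values()), 2)


# Constructed sample answers for the Governance category. "Strategy and Metrics"
# is named on the page; the other two sub-category names are assumed from SAMM 2.0.
GOVERNANCE_SAMPLE = {
    "Strategy and Metrics": ["Most", "At least half", "None"],     # 1.5
    "Policy and Compliance": ["Most", "Most", "Some"],             # 2.2
    "Education and Guidance": ["At least half", "Some", "None"],   # 0.7
}

if __name__ == "__main__":
    per_sub, total = score_category(GOVERNANCE_SAMPLE)
    for name, sub_score in per_sub.items():
        print(f"{name}: {sub_score:.1f}/3 -> {describe_level(sub_score)}")
    print(f"Governance: {total:.1f}/9")
```

Running the file prints each sub-category score with its level description and the Governance total (4.4 of 9 for the constructed answers); invalid answer choices or a wrong number of questions raise a `ValueError` rather than silently skewing the score.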


Does an evaluator-led assessment provide a verification or certification?

No. Currently, an evaluator-led assessment provides an assessment report and recommendations to the customer.

Firmware Check and Field Monitoring

How can I purchase and use Firmware Check scans?

Product security and development teams can self-register on the SafeCyber platform and choose a plan with features based on their needs.

  1. Register and create a Firmware Check account.
  2. Once logged in, start a Firmware Check project in the application’s “Projects” tab and choose a number of firmware scans:
    • One firmware scan
    • Four firmware scans
    • Twelve firmware scans
  3. Download the order form from the project page and choose the scan package type:
    • Standard
    • Pro
    • Premium
  4. Upload the provided order form and the firmware binary file(s) to scan.
  5. Upon processing the order, receive your report.

How can I purchase and use Field Monitoring scans?

Product security and development teams can self-register on the SafeCyber platform and choose a plan with features based on their needs.

  1. Create a Field Monitoring account.
  2. Once logged in, start a Field Monitoring project in the application’s “Projects” tab and choose a number of firmware scans:
    • One firmware scan
    • Four firmware scans
    • Twelve firmware scans
  3. Download the order form from the project page and choose the scan package type:
    • Standard
    • Pro
    • Premium
  4. Upload the provided order form with your chosen features and the firmware binary file(s) to scan.
  5. Upon processing the order, receive your report.
  6. Define actions for the latest vulnerability report received through the application.

What are the supported architectures, operating systems, and software frameworks?

Supported architectures

  • Intel x86/x64
  • ARM Cortex-M, -A, -R
  • PowerPC, PowerPC VLE
  • NVIDIA AGX Xavier
  • Renesas RH850, V850, SuperH
  • Infineon TriCore
  • MIPS
  • NXP

Supported operating systems

  • Standard Linux distributions
  • Automotive Grade Linux (AGL)
  • Android
  • QNX
  • Windows server and client OSes (XP, 2016, 2019)
  • Windows Mobile
  • NetBSD
  • FreeBSD
  • FreeRTOS
  • Proprietary RTOS
  • RIOT
  • Fuchsia OS
  • OSEK OS
  • VxWorks
  • Containers (Docker save, /var/lib/docker)

Software frameworks

AUTOSAR


What kind of files can I upload within a SafeCyber Firmware Check or Field Monitoring project?

You can upload a binary archive or a binary file.

What are the supported compression and archive file formats within a SafeCyber Firmware Check or Field Monitoring project?

  • 7-Zip (.7z)
  • AR archive
  • ARJ (.arj)
  • Base64
  • bzip2 (.bz2)
  • Compress (.Z)
  • cpio (.cpio)
  • DEFLATE
  • Electron archive (.asar)
  • Gzip (.gz)
  • lrzip
  • LZ4 (.lz4)
  • LZH (.lzh)
  • lzip
  • LZMA (.lz)
  • lzop
  • OTF
  • Pack200 (.jar)
  • PLF
  • RAR (.rar)
  • rzip
  • TAR (.tar)
  • UPX (.exe)
  • XAR (.xar)
  • XZ (.xz)
  • ZIP (.zip, .jar, .apk, others)
  • StuffIt
  • Zstandard (.zst)

What are the supported firmware file formats?

  • Android OTA file
  • Dahua
  • DJI
  • Intel HEX
  • SREC (SRECORD, S19, S28, S37)
  • ODX
  • U-Boot Ambarella (.a9s, .a9h, romfs)
  • TPLink WR702n image
  • TRX
  • UEFI firmware
  • VBF
  • VxWorks ROS
  • Xerox DLM
  • eMMC dump

What are the vulnerability sources for Firmware Check and Field Monitoring?

  • Auto-ISAC
  • Bug trackers of packages
  • China National Vulnerability Database (CNVD)
  • China National Vulnerability Database of Information Security (CNNVD)
  • Exploit Database
  • ICS-CERT
  • Japan Vulnerability Notes (JVN)
  • JVN iPedia
  • Metasploit
  • MITRE
  • National Vulnerability Database (NVD)
  • Packet Storm
  • SecuriTeam
  • SecurityFocus
  • Zero Day Initiative

How are unknown vulnerabilities detected?

Unknown vulnerabilities are detected through reverse engineering and dynamic binary code analysis. They are not reported externally and are based on private knowledge.

What are the supported policies, guidelines and standards for compliance analysis?

General security

  • SANS Top 25
  • 2020 CWE Top 25
  • OWASP Top Ten 2017
  • Singapore CLS
  • Backdoor Analysis

Secure coding

  • MISRA C:2012
  • CERT C 2016
  • AUTOSAR C++14
  • IPA ESCR C 3.0
  • High Integrity C++ (HIC++)
  • JSF AV C++
  • BARR-C:2018


Legal and privacy

  • GDPR

Consumer IoT

  • ETSI TS 303 645
  • UL MCV 1376
  • CA Senate Bill No. 327
  • Oregon House Bill 2395

Automotive standards

  • ISO/SAE 21434
  • UNECE WP.29
  • UNECE WP.29 Annex 5B

Automotive best practices

  • ENISA Automotive Security Practices

Medical devices guidance

  • FDA/Medical Devices (Draft/Oct 2018)

Industrial IoT

  • IEC 62443-3-3
  • IEC 62443-4-1
  • IEC 62443-4-2
