- How can I reach out to customer support for assistance?
Once users have registered on SafeCyber and received access to the platform, they can select “Support” on the top-right side of the screen. If they cannot access the platform, they can also contact UL Solutions' technical support team at [email protected].
- How can I invite team members to the SafeCyber platform?
The first person in a company to register on SafeCyber is the de facto company account administrator, who has the ability to invite team members under the same account.
A company administrator can invite other administrators or users either on the Dashboard application or directly on individual solutions such as Maturity Path and Binary Check by navigating to the “Users” tab on the left side and selecting “Invite new user.”
- How is the maturity level scoring done?
As you complete the questionnaire, each question contributes a certain number of points to your maturity score. The spider web diagram displays the results on the selected project page.
Using your answers, the tool calculates a maturity score for each subcategory (e.g., strategy and metrics within governance) and for the overall category (e.g., governance), which is made up of three subcategories. This score ranges from 0 to 3 for subcategories and 0 to 9 for the overall category.
Maturity levels and assessment scores are based on the existing Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) 2.0 framework. The higher your maturity level is rated based on your given answers, the higher the score. The following table demonstrates the calculation per question and subcategory.
Assessment scores (per question)
- At least half
Maturity levels (per subcategory)
- Comprehensive mastery at scale
- Increased efficiency and effectiveness
- Ad hoc provision
- How are certification readiness scores defined?
Certification readiness scores in Maturity Path are calculated based on an initial mapping of a standard’s clauses with the Maturity assessment questions and answers. This is how a first temporary certification readiness score is defined for available standards.
For the clauses of a standard that would not be met/mapped with the Maturity assessment, we ask additional questions so customers can determine whether they cover all clauses required from a given standard and obtain their final certification readiness score.
- Does an evaluator-led assessment provide a verification or certification?
No. Currently, an evaluator-led assessment provides a verified assessment report to the customer, which recaps all customer-provided answers and evidence along with comments made by UL Solutions' evaluator. No UL Marks will be issued as part of this service.
- How can I purchase and use Binary Check?
Product security and development teams can self-register on the SafeCyber platform and choose a plan with features based on their needs.
- Register on the platform
- Go to the Marketplace tab and select “Learn More” under the Binary Check solution.
- Choose your preferred annual subscription plan:
- You can also email us at [email protected] to learn more about the benefits of Binary Check.
- What are the supported architectures, operating systems, and software frameworks?
Supported architectures
- Intel x86/x64
- ARM Cortex-M, -A, -R
- PowerPC, PowerPC VLE
- NVIDIA AGX Xavier
- Renesas RH850, V850, SuperH
- Infineon TriCore
Supported operating systems
- Standard Linux distributions
- Automotive Grade Linux (AGL)
- Windows server and client OSes (XP, 2016, 2019)
- Windows Mobile
- Proprietary RTOS
- Fuchsia OS
- OSEK OS
- Containers (Docker save, /var/lib/docker)
- What are the supported development languages in SafeCyber’s Binary Check?
- What are the detected software package types in Binary Check?
- Linux kernel
- Standard open-source packages
- Python modules
- Java packages
- Go Libraries
- Erlang packages
- Microsoft .NET packages
- What are the supported file systems and disk image file formats?
- ISO 9660 / UDF (.iso)
- JFS, JFFS2, YAFFS
- Macintosh HFS, APFS, .dmg
- QNX—EFS, IFS
- Windows Imaging (WIC)
- DOS MBR
- What are the supported compression and archive file formats within a SafeCyber Binary Check project?
- 7-Zip (.7z)
- AR archive
- ARJ (.arj)
- bzip2 (.bz2)
- Compress (.Z)
- cpio (.cpio)
- Electron archive (.asar)
- Gzip (.gz)
- LZ4 (.lz4)
- LZH (.lzh)
- LZMA (.lz)
- Pack200 (.jar)
- RAR (.rar)
- TAR (.tar)
- UPX (.exe)
- XAR (.xar)
- XZ (.xz)
- ZIP (.zip, .jar, .apk, others)
- Zstandard (.zst)
- What are the supported installation file formats?
- 7z, zip, rar, self-extracting .exe
- Debian package (.deb)
- Red Hat RPM (.rpm)
- Windows installers (.exe, .msi, .cab)
- What are the supported firmware file formats?
- Android OTA file
- Intel HEX
- SREC (SRECORD, S19, S28, S37)
- U-Boot
- Ambarella (.a9s, .a9h, romfs)
- TPLink WR702n image
- TRX
- UEFI firmware
- VxWorks ROS
- Xerox DLM
- eMMC dump
- What are the supported microcontroller file formats?
- What are the supported mobile application file formats?
- Android (boot, sparse image, backup file)
- Android APK
- IPA (iOS App Store Package)
- How are unknown vulnerabilities detected?
Unknown vulnerabilities are detected based on reverse engineering and dynamic binary code analysis. They are not reported externally and are based on private knowledge.
- What are the supported container file formats on Binary Check?
The Binary Check solution supports generating a software bill of materials (SBOM) and detecting publicly known and zero-day vulnerabilities in containers. All the software components and their corresponding vulnerabilities can be detected irrespective of the actual format, as the detection is performed at the file level. Software components and vulnerabilities can be detected independently from each individual file within the overlay2 file system or within save files.
Here are the supported container file formats:
- Docker overlay2 (/var/lib/docker)
- Docker save files
- What are the vulnerability sources for Binary Check?
- Bug trackers of packages
- China National Vulnerability Database (CNVD)
- China National Vulnerability Database of Information Security (CNNVD)
- Exploit Database
- Japan Vulnerability Notes (JVN)
- JVN iPedia
- National Vulnerability Database (NVD)
- Packet Storm
- Zero Day Initiative
- Can I use Binary Check with a ticketing and tracking solution?
Yes, you can use Binary Check with Jira Cloud to create and navigate to tickets directly from product security assessments.
- What are the supported policies, guidelines and standards for compliance analysis?
- SANS Top 25
- 2020 CWE Top 25
- OWASP Top Ten 2017
- Singapore CLS
- Backdoor Analysis
- MISRA C:2012
- CERT C 2016
- AUTOSAR C++14
- IPA ESCR C 3.0
- High Integrity C++ (HIC ++)
- JSF AV C++
Consumer Internet of Things (IoT)
- ETSI EN 303 645
- UL MCV 1376 (UL Solutions' IoT Security Rating labels)
- CA Senate Bill No. 327
- Oregon House Bill 2395
- ISO/SAE 21434
- UNECE WP.29
- UNECE WP.29 Annex 5B
Automotive best practices
- ENISA Automotive Security Practices
Medical devices guidance
- FDA/Medical Devices (Draft/Oct 2018)
- IEC 62443-3-3
- IEC 62443-4-1
- IEC 62443-4-2