UL 2900-1:2017 Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements.
1.1 UL 2900-1 applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses and malware.
1.2 This standard describes:
a) Requirements regarding the software developer (vendor or other supply chain member) risk management process for their product.
b) Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses and malware.
c) Requirements regarding the presence of security risk controls in the architecture and design of a product.
1.3 This standard does not contain requirements regarding functional testing of a product. This means this standard contains no requirements to verify that the product functions as designed.
1.4 This standard does not contain requirements regarding the hardware contained in a product.
2 Normative References
2.1 All references are for the latest published version of the document, unless stated otherwise.
[1] Standard for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems, UL 2900-2-1
[2] Standard for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, UL 2900-2-2
[3] Standard for Test Access Port and Boundary-Scan Architecture, IEEE 1149
[4] Cybersecurity information exchange — Vulnerability/state exchange — Common vulnerabilities and exposures (CVE); retrievable from https://cve.mitre.org/, ITU-T X.1520
[5] Cybersecurity information exchange — Vulnerability/state exchange — Common vulnerability scoring system (CVSS); retrievable from https://nvd.nist.gov/vuln-metrics/cvss, ITU-T X.1521
[6] Cybersecurity information exchange — Vulnerability/state exchange — Common weakness enumeration (CWE), ITU-T X.1524
[7] Cybersecurity information exchange — Vulnerability/state exchange — Common weakness scoring system (CWSS); retrievable from https://cwe.mitre.org/cwss, ITU-T X.1525
3 Glossary
3.1 ATTACK — The use of one or more exploit(s) by an adversary to achieve one or more negative technical impact(s).
3.2 ATTACK PATTERN — A description of a generic method for carrying out attacks.
3.3 AUTHENTICATION — The process of verifying the identity of an entity.
3.4 AUTHENTICITY — The property that data, information or software originate from a specific entity.
3.5 AUTHORIZATION — The process of giving an entity permission to access or manipulate the product, or the property that an entity has such permission.
3.6 BINARY CODE — Machine instructions and/or data in a format intended for a specific processor architecture.
3.7 BYTECODE — Instructions and/or data that are created from source code as an intermediate step before generating binary code. Bytecode is independent of a specific processor architecture and is typically handled by a virtual machine or interpreter.