Security Over Time

Criteria: The product is kept protected with software updates for a clearly defined and communicated period of time (i.e., the product life cycle).

See this test in action:

• Smart lock
• Smart pressure cooker
• Smart baby monitor

Methodology for Assessing Each Indicator

1) The product life cycle is communicated to the potential owner before purchase.

• Obtain and review a copy of the product’s terms of service, online warranty, and end user agreement, and review any other online documentation available on the company’s website.
• Review any language that may appear in the exterior labelling of the product, if any, that a customer might be able to read before purchasing the product.
• Look for language describing timelines, deadlines, or any dates or lifespans associated with the product. For example, expiration of warranty, service limitations, scope of coverage, etc.
• Look for language describing updates, repair or replacement, or a commitment to maintain the product or software for a certain timeline.
• Look for language specifically describing software updates, patches, etc.
• If a product life cycle is described in any of these materials, mark PASS.
• If a product life cycle is not described, mark FAIL.

2) Software updates are authenticated.

• Note: The Digital Standard lists the procedure for this indicator as “To Be Decided.”
• Obtain and review a copy of the product’s terms of service, online warranty, and end user agreement, and review any other online documentation available on the company’s website.
• Look for language specifically describing the process for software updates, patches, etc.
• Look for language about authentication or any other description of processes used to secure a software update and ensure that it is being sent from an authorized party.
• If a process for authenticating updates is described, mark PASS.
• If a process for authenticating updates is not described, mark FAIL.

3) Automatic software updates.

• Obtain and review a copy of the product’s terms of service, online warranty, and end user agreement, and review any other online documentation available on the company’s website.
• Look for language specifically describing the process for software updates, patches, etc.
• Look for language describing how these updates are installed, specifically whether users are obligated to install updates manually or whether the software is updated automatically by the provider.
• Examine software settings and product documentation to determine if automatic software updates can be enabled by the user.
• If the product can be updated automatically, mark PASS.
• If the product does not permit automatic updates, mark FAIL.

4) Notification of software update.

• Obtain and review a copy of the product’s terms of service, online warranty, and end user agreement, and review any other online documentation available on the company’s website.
• Look for language specifically describing the process for software updates, patches, etc.
• Look for language describing how these updates are installed, specifically whether users are obligated to install updates manually or whether the software is updated automatically by the provider.
• Look for language clarifying whether users will be notified of software updates, and by what mechanism they will be notified.
• If the documentation indicates that users will be notified of updates, mark PASS.
• If no information exists regarding notification, or if documentation specifically states that users will not be updated, mark FAIL.