D-Link has reached a settlement with the US FTC, following a lawsuit from 2017. As part of the agreement, the company must set up a new software security program for its routers and internet-connected cameras.
The FTC sued D-Link in 2017 for misrepresenting the security of its devices and ignoring vulnerability reports.
The agreement now brings the matter to a close. Under it, D-Link not only has to set up a new security program, but will also be subject to half-yearly security audits by a third party for ten years, ZDNet reports.
The FTC may choose who that third party is. D-Link may choose which certifications the auditor must have before the party can view the security program.
The new security program must contain a number of mandatory components, according to the agreement between the two parties. For example, the company must carry out security planning by documenting in writing how functions and functionality affect the security of the devices.
In addition, threat modeling must be carried out to determine internal and external risks to the security of data sent by the devices. D-Link must also check and test the source code for vulnerabilities before placing products on the market. This should be done with automated static analysis tools.
Furthermore, the code must be maintained continuously, by keeping a shared code database that can be used to find other instances of a vulnerability when one is discovered. If an error is discovered, a process must be in place to resolve it.
The company should monitor further security research into possible vulnerabilities that may affect its products, and set up a process for accepting vulnerability reports from security researchers. Finally, owners of a device should be warned when security updates for their device are about to end.
D-Link is happy
D-Link itself says it welcomes the agreement. The company also says it is pleased that the FTC did not claim that D-Link was deliberately misleading its customers, and that the FTC did not prohibit the company from making statements about the security of its devices.
Of course, the company was also happy that it was not fined, which often happens when the FTC enters into an agreement after a lawsuit.
This news article was automatically translated from Dutch to give Techzine.eu a head start.