The English saying “You are what you eat”, like many other aspects of culinary history, has its origin in France, and more precisely in Jean Anthelme Brillat-Savarin’s “The Physiology of Taste: Or Meditations on Transcendental Gastronomy”, in which he first wrote:
“Tell me what you eat, and I shall tell you what you are.”
In French: “Dis-moi ce que tu manges, je te dirai ce que tu es.”
This week’s release by the Open Group of the Open Trusted Technology Provider Standard (O-TTPS), subtitled “Mitigating Maliciously Tainted and Counterfeit Products”, provides a twenty-first-century version of this old saying, which could best be rephrased as:
“Tell me about your practices, and I shall tell you how trustworthy your products are.”
The 32-page document applies a principle often echoed on this blog and across the industry: the security of a product is best measured by understanding the security practices of the technology provider building it, with a strong focus on the supply chain. The Standard is a set of requirements derived from the experience of mature organizations that, when applied, reduce the risk of acquiring maliciously tainted or counterfeit products. At the end of this year, a planned companion Accreditation Program will enable recognized third-party assessors to measure compliance with the Standard.
EMC was one of the industry contributors to this standard. Its representative, Dan Reddy from EMC’s Product Security Office, has been part of the Open Group working group since the very early days of the work on O-TTPS.
The publication of this standard is just the beginning of a long journey that will see the emergence of more collaborative security standards that help customers assess the processes adopted by technology providers to build secure and trustworthy products.