Works with Alexa Security Best Practices
This page lists best practices to consider when designing your products.
The Works with Alexa program recommends that developers implement all reasonable security measures to prevent unauthorized access to the Alexa service and your products.
Use the following guidance to help ensure that your products meet security best practices:
Use secure software update distribution, incorporating cryptographic signing, so that only authentic and authorized updates are applied to devices.
Have a software maintenance update strategy that specifically defines how software updates will be created and distributed within a reasonable period of discovery when vulnerabilities are identified.
Include information on your website on how security researchers can notify you of a security vulnerability.
Develop and implement a security response plan that addresses a range of potential security incidents.
Use a secure, authenticated set up. Never include the transmission of credentials over a non-TLS session during set up.
Implement industry standard device hardening methods. For example:
- Remove all unnecessary services and software from devices
- Validate input before processing it in services on a device
- Apply all relevant updates to open source software
- Do not use default passwords
Hire an independent security expert to conduct a security review of your product before product launches and when major software or hardware changes occur.
Notify Amazon immediately if you become aware of security vulnerabilities in your products that have the potential to affect the Alexa Service and your customers.
- Steps to Build a Smart Home Skill
- Smart Home Skill Publishing Guide
- Security Testing for an Alexa Skill