Today’s cybersecurity landscape is evolving rapidly, and new threats are growing in volume and sophistication every year. In fact, according to IDC, over half of the more than 160,000 new vulnerabilities documented in the past two decades emerged in just the last five years. As such, the technology industry must work together to improve security assurance and earn customer trust and confidence. Transparency is a cornerstone of security assurance and should be a core value among more organizations across the technology ecosystem.
But how do you build that transparency? There are several key components that serve as the building blocks of transparency and security assurance. Here are five key areas to consider.
- The Security Development Lifecycle – Is security a core focus during product planning and assessment, architecture, design, implementation, release and post-deployment support? It should be. Organizations should create and adhere to robust policies and procedures that help ensure their teams integrate security principles and privacy tenets at each step of product development, from concept through retirement.
- Compute Lifecycle Assurance – Establishing an end-to-end security assurance framework that can be applied across the entire lifecycle of any product can help to improve transparency and provide better security. In the hardware space, this means prioritizing security assurance from design and build, to transfer, operations and retirement, and creating a community to address supply chain assurance and transparency at every stage. By enabling transparency and assurance across a platform’s entire lifecycle, supply chain owners can improve platform integrity, resilience, and security.
- Proactive Investment in Security Research – Another critical element of transparency is actively identifying and mitigating potential security vulnerabilities. Organizations should be investing in and supporting internal offensive security research teams, championing purple team culture (collaboration between red and blue teams), and supporting external security researcher contributions through bug bounty programs and research grants. These steps represent a proactive approach to establishing product security assurance and ensuring customers can trust an organization’s ability to effectively unearth, mitigate and disclose vulnerabilities collaboratively and reliably.
- Community Support and Policy Advocacy – Collaboration is key to elevating security assurance. This involves cross-functional work among industry partners, academic institutions and governance organizations on policy, standards, mitigations and research to accelerate a shared understanding of security. At Intel, we collaborate with leading operating system, hypervisor, and cloud service providers to develop microarchitectural solutions that benefit the global technology ecosystem at large.
It can also be important to participate in industry consortiums and standards bodies to help ensure that technology designs meet evolving security, privacy and safety standards. Some examples include the Trusted Computing Group (TCG), the Confidential Computing Consortium (CCC), the 3rd Generation Partnership Project (3GPP), the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO).
As vulnerability research and attack methods continue to become more sophisticated, it’s also important to support the evolution of industry product design, assurance and risk management standards. MITRE and various industry leaders are working to extend the existing community-driven software-oriented Common Weakness Enumeration system to include new hardware weaknesses, as well as enhance its Common Vulnerabilities and Exposures (CVE) and Common Attack Pattern Enumeration and Classification (CAPEC) systems. Other such opportunities include ongoing efforts by the Forum of Incident Response and Security Teams (FIRST) focused on the Common Vulnerability Scoring System (CVSS) and the Product Security Incident Response Teams (PSIRT) special interest group (SIG).
- Public Security Reporting – It’s not enough to simply identify and mitigate product vulnerabilities effectively. An important aspect of establishing security assurance is public disclosure. Industry leaders must raise the bar for transparency by making product security metrics available within the market. This should include details on internally and externally identified threats, and more.
In light of the various breaches and critical vulnerabilities identified over the past decade, the technology industry as a whole has begun to focus more heavily on security. But you can’t earn security trust by simply making grand public declarations. It can’t be all talk. So how do you put transparency into action?
At Intel, for instance, we heavily invest in all of these areas. We also produce annual product security reports that demonstrate the capability and maturity of our processes and provide a transparent view into how we continue to raise the bar on product security assurance. Here are several key findings from the Intel 2020 Product Security Report released on March 3, 2021:
- Intel’s product security assurance programs were directly responsible for identifying and addressing 92% of the potential product vulnerabilities addressed.
- Intel employees discovered 47% (109) of the 231 CVEs published in 2020.
- Intel’s Bug Bounty program was responsible for identifying another 45% (105) of the 231 CVEs published in 2020.
- Intel researchers found 69% of the total firmware vulnerabilities reported in 2020, while external researchers were responsible for reporting 83% of software issues (mainly device drivers and software utilities).
- None of the 231 vulnerabilities addressed in 2020 were known to be used in actual attacks at the time of public disclosure.
Unforeseen security vulnerabilities are a fact of life in today’s technology landscape. Security is a collective, shared responsibility, and it takes cooperation among vendors, system providers and end users to implement mitigations quickly and effectively. But without a commitment to security transparency – particularly from technology industry leaders and vendors – building public trust and security assurance simply isn’t possible. The above elements are powerful methods for improving product security and can serve as catalysts for growing public trust and confidence.