Page 35 - Cyber Defense eMagazine for August 2021
4. Is there some sort of final security check involved before a product goes to market?
There’s no single security check, but rather the completion of a gauntlet of checks that makes a product
ready for market. Even early in the Intel development process, a product generally is required to meet
appropriate security milestones at that development phase in order to proceed forward. At Intel, we don’t
just check for security at the end. It is an integral part of the entire development process. We have a team
of more than 200 security researchers internally, and they work with the product teams collaboratively to
evaluate the products throughout development.
Our teams work to find and mitigate potential vulnerabilities through internal code reviews, red team
activities such as Hack-A-Thons, and other events before products go to market. The data we collect is
then used to develop automation and required training to help eliminate future occurrences. We also
partner with the external research community, which is full of extremely smart and creative people. We
want them working with us, making our platforms better. Sometimes this is known as “Crowdsourced
Security” and can include bug bounty programs which provide incentives to researchers to report
vulnerabilities.
5. What happens if researchers identify a major vulnerability via bug bounty programs after the
product is already in the field?
At a high level (and this can differ depending on the vulnerability), products with a vulnerability initially go
to PSIRTs. At Intel, this team engages with the researcher who uncovered the issue and does the
preliminary evaluation to validate and replicate the issue. Then very quickly, it’s triaged with Intel experts
for that specific platform area who drop everything to prioritize resolution of the issue. Finding and
deploying mitigations for the issue could take days, weeks, or months, depending on the complexity. In
the meantime, because Intel follows the common industry practice of Coordinated Vulnerability
Disclosure (CVD) for reported security vulnerabilities on launched products, we align with the researchers
on a date to publicly disclose the issue to allow time to identify and deploy mitigations, in order to reduce
adversary advantage.
Then once we have a mitigation, we need to help ensure that mitigation doesn’t create other unintended
problems. Before rolling it out into customer environments, we need to make sure we understand the full
extent of its potential impact. First, internally we do what’s called ‘no harm testing’. Later, we do more
robust testing with partners and then roll out the update to customers in a coordinated fashion. When
possible, we bundle updates together so they can be validated together to save time and money for the
customers. In addition to practicing inbound CVD in partnership with external security researchers, Intel
also coordinates outbound vulnerability disclosure with industry partners and other external stakeholders,
as appropriate, so that all affected parties are disclosing in unison for an optimal defensive position. It’s
all about coordinated disclosure.
6. What role does working with the larger hardware community play in designing for security?
Compute is a complex endeavor that involves hardware from multiple vendors, firmware, operating
systems, and applications. And of course, if your hardware goes online, which more and more of it does
with the expansion of the Internet of Things, you must strive to secure compute systems across entire
ecosystems. We’re really in an interesting time now. With so many connected and smart systems, we
must consider security and privacy in every design decision for every product we create. These topics
require broad discussion and collaboration, and they deserve our detailed attention to ethical
considerations.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.