It’s almost certainly the case that anyone procuring any HPC system or technology will have some form of security requirement. However, many customers requirements tend to be generic or lean towards compliance and standards. It’s easy for vendors to comply with these loose requirements yet leave gaping holes in the areas that really matter. There is absolutely no reason that vendors cannot differentiate themselves from the competition by engaging in and sharing meaningful security activities which set a benchmark that other vendors do not meet.
If a customer is going to commit to your product for several years they don’t want to find out part way down the line that a gaping security hole has arisen which will not be resolved. Equally, a customer will be very keen to ensure that what they are buying is secure at the point of purchase. As a vendor you have a strong advantage here, you know your product better than anyone so you are best placed to design the security processes that form part of your product development. Not taking the lead here can quickly result in a series of generic requirements evolving and being imposed by customers in an effort to fulfill their needs.
Three areas that should be a core part of any vendor security program, which you’ll be surprised that other vendors are not taking advantage of:
Vulnerability Handling Process
Security vulnerabilities are a fact of life. Even if you’ve invested a huge amount of time and effort into eliminating them the landscape is constantly changing that to eliminate them entirely is an impossibility. For a product to be considered secure there must therefore be a mechanism for responding to and resolving vulnerabilities as they are identified.
The Natinal Cyber Security Centre (Europe) have provided some good guidelines on handling the disclosure of vulnerabilities: https://www.enisa.europa.eu/news/member-states/WEB_115207_BrochureNCSC_EN_A4.pdf
As important as having a vulnerability handling process is ensuring that it is accessible. Whilst it may seem logical to make this available to your customers via their support contracts don’t forget that security issues can be found by anyone and having a means for people to contact you if they uncover a security issue can be as simple as providing an email address that reaches the right people internally.
When most security practitioners think of organizations that are proactive when it comes to security names like Google and Microsoft spring to mind. One thing that is common to both of these organizations is that they undertake both of the activities above, but also they share information on security issues that are uncovered for the benefit of everyone.
It’s very easy to identify organizations that are proactive on the security front, they’ll have CVEs associated with them: https://cve.mitre.org/
A CVE is an industry standard identifier for a specific vulnerability. It not only helps security practitioners identify vulnerabilities but the assignment of a CVE typically indicates that a security vulnerability has been resolved by the vendor. Vendors with multiple CVEs have therefore demonstrated pro-activity in resolving security issues. Ensuring that security information on your products is accessible ensures that people can better secure them, witholding this information does not.
Be mindful most products rely on other technologies; most supercomputers, for example, run Linux. Therefore vulnerabilities affecting Linux will typically affect most supercomputers. If you manufacture supercomputers then you run the risk that a significant vulnerability in Linux may drastically change the security posture of your product and affect all of your customers. Ensuring that you have a means to handle this situation too is important.
Being open about security issues allows for informed decisions to be made.
Most customers will expect their vendors to be proactive when it comes to security. This is the area where it is possible to differentiate from other vendors and demonstrate commitment to security to your customers.
This means talking about what you’re doing and the type of things you are finding and improving as a result. If you already have a process for handling vulnerabilities and you’re sharing security relevant information then you already have a lot to talk about.
It may sound uncomfortable talking to customers about the fact that security issues are being identified and resolved but the alternative is that your organization is not identifying or resolving security issues which is far more uncomfortable place to be. Equally if your security activities are not regularly finding and resolving issues then it is not unreasonable for a customer to question whether your security activities are effective; so take the opportunity to share some stories on how your proactive approach to security has had some great results. You may even want to talk about any penetration testing you do and what that looks like; although ensure that you have a stance on whether you would be willing to share the resulting reports with your customers if you do, it’s likely they’ll ask to see them. Summary reports often provide a good middle ground here.
Don’t forget though, that your product is only one part of the picture, your organizational security will be important too and an astute customer will be considering this too.
Often customers will have a need to do their own security reviews regardless of how much work you put in. If you’re already undertaking similar activities then it’ll be much simpler to handle the results of your customers findings. If your customers are willing to fund security reviews and share the results back with you to help better secure your product, what a great situation to be in.
The reality is that, despite it being a requirement of most HPC customers, there is a huge opportunity for vendors to differentiate themselves in the security space. Those that lead will not only differentiate but also set a bar for others to meet, effectively shaping the security landscape in HPC around themselves and causing others to play catch up but with a much more limited opportunity to shape.