As a sports fan, I have a tendency to compare sports with my daily job. In the case of American football (apologies to readers who don’t follow), I always compare the role of the offensive line in protecting and supporting their quarterback to make plays to the role product security plays in protecting and enabling our customers to do business.
During the playoffs I am amazed at how success depends on strategy and specifically how offensive plays called by a coordinator create a successful line to protect the quarterback. A lack of a good offensive line creates risks for the quarterback just as lack of product security can create risks for our customers and make them vulnerable:
- A product contains a zero day vulnerability and an attacker exploits it
- The customer deploys a product in an insecure manner
- A security patch is not applied to the product that addresses a publicly known vulnerability
The job of an offensive line is to form a wall of protection around a quarterback to give him adequate time to find an opening in defense and move the ball down field. Similarly, the job of a well designed product security program is to protect customers and enable them to achieve their objectives. This is done in three ways:
- A good product security program makes sure product vendors have done their best to minimize vulnerabilities. The process a vendor follows should include proactively building security throughout the development lifecycle. This enables security to be built into the DNA of the product from the beginning and enables customers to deploy products with trust. EMC’s product security program includes a comprehensive security development lifecycle with ingredients essential to product security. Our practices on this front are summarized in “EMC’s approach to secure software development.” These practices, when followed properly, help protect customers from attacks targeting vulnerabilities.
- A second key component of a good product security program is detailed documentation on how to securely deploy a product. Understanding security settings and best practices of deploying a product enables customers to adapt capabilities to organizational security policies. A key aspect of EMC’s product security program is to make available a detailed Security Configuration Guide as part of our documentation package with instructions on how to harden products. EMC Security Configuration guides can be found on our customer accessible support page .
- Lastly, it is important to consider how a product vendor responds if and when a vulnerability is reported. It’s a fallacy to assume a product that follows the right practices during development will never have a vulnerability after release. It is as important for product vendors to pay attention to security during the development lifecycle as to have a process that protects customers after release. The right information has to be made available expeditiously so customers can take action to remediate risk. EMC’s approach to vulnerability response showcases how we follow industry best practices for disclosure and efficient response. We issue a security focused EMC Security Advisory to communicate the availability of a remedy for any vulnerability in EMC products so that customers can apply patches or remedies in a timely manner. Our customers can subscribe to EMC Security Advisories through our customer accessible support page.
These three critical elements of a product security program form a strong offensive line to enable our customers, the quarterbacks, to trust our products and enable their success. Our recent blog post, Building Trust Through Product Security covers in detail how product security is an integral component of trust for any product participating in the IT infrastructure.