Dell EMC began formulating its product security policies 20 years ago when the company's focus shifted from being primarily a storage hardware vendor to an enterprise-class software provider. Over that time, we have evolved to adopt product security programs at the leading edge of industry standards and processes:
The Dell EMC Secure Development Lifecycle (SDL) outlines the set of activities required throughout the product life cycle to promptly build security resiliency and consistent security capabilities into the products and respond to externally reported security vulnerabilities. Aligned with industry best practices, the SDL is based on controls that the product R&D organizations implement. The following figure shows some of the typical activities performed as part of the SDL.
Security champions drive the implementation and validation of these controls within the product R&D organizations that work in close collaboration with the Product and Applications Security Standards. The following figure illustrates how these SDL activities map onto a typical Agile lifecycle.
The scorecard is a mechanism used throughout Dell EMC's business to capture the security posture of a product/solution when it reaches its release General Availability (GA) date.
Dell EMCs comprehensive approach to secure development focuses on minimizing the risk of software vulnerabilities and design weaknesses in products.
This comprehensive approach to secure software development goes across policy, people, processes, and technology and includes the following:
Security vulnerabilities in any system component can be used by attackers to infiltrate and compromise the entire IT infrastructure. The time between the initial discovery of vulnerabilities and the availability of a fix becomes a race between the attackers and the defenders. A top priority for Dell EMC is to minimize this time gap to reduce risk.
The Dell Product Security Incident Response Team (PSIRT) is responsible for coordinating the response and disclosure for all externally identified Dell EMC product vulnerabilities. The PSIRT provides customers with timely information, guidance, and mitigation strategies to address threats from vulnerabilities.
Anyone can notify Dell of potential security flaws in its products through the company's website or by email. Every notice is investigated, validated, remediated, and reported according to industry guidelines.
Dell releases information about product vulnerabilities to all customers simultaneously. The company's advisories identify the severity of vulnerabilities and spread the information using multiple standardized reporting systems. Like the rest of our product security practices, Dell's disclosure policy is based on industry best practices.
Successful product security programs are comprehensive and extend to outsourced components and software. Integrity tests within the supply chain are an essential component of building and preserving trust. Dell Technologies has a formal Supply Chain Risk Management program that ensures the hardware and software components used in the company's products originate from properly vetted sources.
A supply chain attack is a type of cybersecurity attack that seeks to exploit the target's vulnerable upstream suppliers. For example, in late 2020, a discovery was made that many of the United States federal agencies, and other commercial entities, had fallen victim to a wide-ranging cyberattack originating from one of their suppliers. Suspected state-sponsored attackers had compromised Orion, a trusted network monitoring application, from the software publisher SolarWinds. Amongst the malware, the attackers included in Orion were back doors, authentication exploits, and command and control software, such that the attackers were able to appear to be legitimate once they had compromised the target’s security boundary.
Supply chain security is the practice and application of preventive and detective control measures that protect physical and digital assets, inventory, information, intellectual property, and people. Addressing information, personnel, and physical security helps provide supply chain security by reducing opportunities for the malicious introduction of malware and counterfeit components into the supply chain.
Dell’s Quality Management System verifies ongoing compliance to engineering specifications and processes, including sourcing from approved vendors. Software engineering best practices integrate security throughout the development process for any code, including operating systems, applications, firmware, and device drivers. Dell reduces opportunities for the exploitation of software security flaws by incorporating secure development lifecycle measures throughout the Design and Development process. These measures are tightly aligned with Software Assurance Forum for Excellence in Code (SAFECode) guidelines1 and ISO 270342.
VxRail secures its BIOS firmware by incorporating a TPM, which coordinates with the BIOS during the UEFI boot process to maintain the authenticity of BIOS measurements, most importantly a Root of Trust for Measurement (RTM) and a Root of Trust for Reporting (RTR). The Trusted Computing Group (TCG) Measured Boot uses the PC’s TPM as a protected storage area for storing hashes of BIOS and firmware code that is loaded and executed in the boot process. The TPM is designed to store these events in a secure way that can be verified post-boot through a process called attestation.
VxRail’s software engineering best practices integrate security throughout the development process for any supplier-provided code, including operating systems, applications, firmware, and device drivers. Dell reduces opportunities for the exploitation of software security flaws by incorporating secure development lifecycle measures throughout the Design and Development process. These measures are tightly aligned with Software Assurance Forum for Excellence in Code (SAFECode) guidelines1 and ISO 270342.
Proactive verification, validation, and security testing activities throughout the lifecycle help to ensure secure software and reduce the likelihood of malware or coding vulnerabilities being inserted into the software. A robust cybersecurity program improves software integrity by preventing unauthorized access to source code and minimizing the potential for malware to be introduced into a product before it is shipped to the customer.
Dell Technologies believes a collaborative approach is the most efficient and effective way to deal with security threats that continuously emerge and can quickly spread among organizations through today's densely interconnected systems.
Considering the heightened risks, technology providers must set aside their competing aims in the marketplace when it comes to product security. No single vendor can solve all IT product security problems by itself. IT security is a collective, collaborative endeavor. Dell Technologies believes collaborating with other companies is essential to ensuring that the marketplace remains a venue where everyone can flourish.
Having spent decades in product security has helped Dell Technologies establish a rich history of successful improvements and insights. The company openly shares what it has learned with its customers, peers, and partners. Dell Technologies understands a customer's IT system may not run solely on Dell Technologies products, so we're committed to improving the ecosystem's security wherever a product operates. That means being an active participant and a positive contributor throughout the industry.
Dell Technologies long commitment to advancing product security has created an obligation to assist and promote newer industry members. The company's product security leaders facilitate the open exchange of ideas at conferences, through blog posts, and in other social and formal venues.
Dell Technologies is active in product security groups, where it both learns and teaches progressive best practices and cultivates a sense of communal responsibility for product security. Dell Technologies industry affiliations include: