Security Statement
TECHNOLOGY BRIEF

Overview:

Extreme Networks has a rich history as a pioneer in the computer networking market, and today our portfolio includes robust wired/wireless network infrastructure, visibility, and security software solutions. Many of the technology underpinnings in Extreme Networks products are patented, which allows us to deliver market-leading, built-in automation, visibility and control capabilities to solve critical customer networking and mobility challenges. Extreme Networks products are designed to provide our customers with Secure Networks by giving network administrators fine-grained visibility and control of users and applications through our highly programmable control plane, in combination with our secure Policy infrastructure components.

Security is always top of mind for our customers, especially those who use their network infrastructure to transport and manage business-critical applications and processes. In addition to our Secure Networks focus, real-world experience has shown that a security-focused development process is the most effective way to improve overall product security. This document describes the Extreme Networks Secure Development Process (ENSDP). The process is designed to identify and mitigate the risk of security vulnerabilities and to improve the security and resiliency of the products Extreme Networks produces.

The ENSDP approach strives to reduce the number and severity of vulnerabilities in firmware and software provided by Extreme Networks. ENSDP provides a security focus throughout all phases of the development process and applies to all programming languages, operating systems, and individual development efforts conducted by the company. Each phase of the process includes security-focused activities that provide some degree of security benefit even if implemented on a standalone basis.
However, industry experience as well as Extreme Networks' own experience has shown that security activities executed as part of a development process lead to greater security gains than activities implemented piecemeal or in an ad-hoc fashion.

[Figure: Security Life Cycle diagram showing the phases Requirements, Planning, Design, Implementation, Validation, Release and Engagement, with the activities Risk Assessment, Threat Models, Functional Security, Static Analysis, 3rd Party SW, Security Fuzz, Penetration, Compliance, Industry Security Cert Review, Security Response, Monitoring and Customers.]

Virtual Switching – Technology Brief 1

These security-focused activities, including Static Analysis, Active Scanning, and comprehensive security-based testing, are ingrained into the Extreme Networks development process and lifecycle. ENSDP is a constantly evolving methodology that is enhanced over time to incorporate new security-focused activities. Security risks are not static, and as such Extreme Networks regularly attends security-focused conferences and training. In addition, Extreme Networks monitors industry security information sources such as CERT, the full-disclosure mailing list, and various authoritative CVE announcements for vulnerabilities that could potentially apply to our products. In all cases, the knowledge gained is transferred to the respective development teams throughout the company and enhances our ability to react appropriately to the ongoing changes in the threat landscape.

Requirements Phase:

Product Management drives the requirement definition for new features and releases. These requirements come from customers, support engineers, sales, market analysis and innovation. The need to consider security "up front" is a fundamental aspect of secure system development. The best time to define security-focused requirements for a project is during the initial requirements stage.
In addition to the internal secure development requirements, external security requirements, such as compliance with industry and government certifications, are identified. Security and compliance experts review and refine the external security requirements to ensure the development team is fully engaged. Early definition of security requirements affords development teams the time to identify key milestones and deliverables. This early definition is a key component in minimizing disruptions to plans and schedules as we progress through the process.

Planning Phase:

It is extremely important to consider security and its related components carefully during the planning phase. In this phase, the development team defines the design and functionality of the system, including the identification of functional security requirements. The Quality Assurance team collaborates with the design team to create a test plan for each requirement from a functional, security, operational and performance perspective. Test-driven development practices are followed when practical to ensure success. Prior to moving to the implementation phase, the design is reviewed by a cross-functional team from a security, simplicity and feasibility perspective to gain approval. Mitigation of security issues is much less costly when performed during the beginning stages of a project. Each project team strives to avoid "adding on" security features and mitigations as an afterthought near the end of development.

Implementation Phase:

In the Implementation phase, the development team codes solutions that meet the product requirements. Mature coding standards and best practices are followed, with code changes being unit-tested to help identify and reduce security-related vulnerabilities in the system prior to delivery to QA for integration testing. All third-party libraries are analyzed by the Configuration Management team before being sanctioned for use in the system.
As part of this third-party monitoring, Extreme Networks uses auditing tools to identify new libraries added to the build environment and to ensure the latest and most secure versions are being used. Additionally, static code analysis is performed as a security code review on each build to help detect and eliminate security vulnerabilities in the code.

Validation Phase:

Product validation begins long before coding is complete. Quality Assurance begins executing test plans as soon as features are available, in an effort to identify vulnerabilities as early as possible in this phase. As part of this process, the security-related features and functions integrated in the prior phases are verified. Quality Assurance performs regression tests (if appropriate), interoperability tests and penetration testing using industry-leading penetration testing and scanning tools. Prior to general availability, several iterations of tests may be performed. Comprehensive upgrade testing is performed (if applicable), and long-term stress testing with load generators and penetration testing tools is executed.

Release Phase:

Once the product has been thoroughly validated, its release readiness is evaluated before it is officially released to customers. If it is determined during the readiness review that a product has not passed the required security tests, the product will not be released.

Engagement Phase:

ENSDP and the respective development teams strive to deliver a high level of security within our products as they are delivered to market. Unfortunately, with the evolving threat landscape, not all security vulnerabilities will be eliminated from the products. Extreme Networks drives continuous improvement by actively testing and verifying our products even after they have been released. As updates become available for our penetration testing and scanning tools, all supported versions of our products are retested.
Any newly found vulnerability is evaluated immediately, and a mitigation or patch plan is executed. When such a vulnerability is found, we follow a process by which high-severity vulnerabilities (such as the ShellShock bug in the bash shell from late 2014) are prioritized over lower-severity vulnerabilities. The severity itself is derived from the Common Vulnerability Scoring System (CVSS) score, which provides the most widely accepted measure of vulnerability severity. For applicable vulnerabilities, we provide feedback to CERT to keep them updated on the status of our findings.

Summary:

Extreme Networks' focus on security and our Secure Networks Development Process have proven to be effective in preventing security vulnerabilities and improving overall product quality. Our ENSDP ensures that security is ingrained into the products from inception, which translates into lower risk for both Extreme Networks and our valued customers. Taken together, the security of Extreme Networks products is maintained and verified.

For all enquiries about our security processes, contact GTAC. http://www.extremenetworks.com/contact Phone +1-408-579-2800

©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks/. Specifications and product availability are subject to change without notice. 9573-041521