6510 - OCP S.A.F.E. Update and The Five Most Asked Questions (15 pages)
Slide 1: OCP S.A.F.E. Update

Track: Security

Eric Eilertson, Microsoft
Nick Hummel, Google
Ilja van Sprundel, IOActive

Slide 2: Agenda

- Speaker introduction
- About S.A.F.E.
- Introduction to the program
- Current status
- Advice from a SRP
- Cost considerations
- Things to know
- Preview of structural changes

Slide 3: Speakers

- Eric Eilertson, Microsoft, S.A.F.E. Lead
- Nick Hummel, Google, S.A.F.E. Lead
- Ilja van Sprundel, IOActive, S.A.F.E. SRP

Slide 4: About S.A.F.E.

S.A.F.E. stands for Security Appraisal Framework and Enablement.

Traditional model:

- Each customer wishing to purchase a device needs to find and vet a suitable security review provider (SRP).
- Device vendors need to collaborate with several independent SRPs and customers, providing duplicate information.
- Collaborating with small customers is not worth the effort for vendors.

[Diagram: Vendor connected separately to Customer A, Customer B and Customer C, each with its own SRP A, SRP B, SRP C.]

Slide 5: New model under OCP S.A.F.E.

- S.A.F.E. standardizes security audits of HW/FW, especially datacenter server components like CPUs, GPUs, SSDs and NICs.
- Customers share one review, saving costs.
- Vendors only need to work with one SRP, saving effort.
- Vendors are incentivized to provide high-quality continuous reviews, as there are many customers.

[Diagram: Vendor connected to a single SRP, whose review is shared by Customer A, Customer B and Customer C.]

Slide 6: Difference to certification programs

- Programs such as FIPS and Common Criteria provide specific checklists of things that need to be fulfilled.
- This leads to a focus on ticking boxes rather than holistically considering security.
- S.A.F.E. instead focuses on strictly vetting high-quality SRPs, which are then given sufficient freedom to assess security comprehensively.

Slide 7: Current status

- 8 approved Security Review Providers.
- Microsoft requires S.A.F.E. audits for all security-relevant server components.
- Google requires security audits for all security-critical server components; if conducted externa