Dell EMC began formulating its product security policies in 2002 when the company's focus shifted from being primarily a storage hardware vendor to an enterprise-class software provider. The company rolled out its vulnerability response program in 2004 and established a company-wide Product Security Policy in 2005. The policy enacts broad but clear security standards encompassing the complete range of Dell EMC products. This policy was continuously updated, and in 2007, it was integrated into the company's new Security Development Lifecycle (SDL). SDL instilled a series of measurable and repeatable security practices into every step of product development and deployment. In 2012, the company also formalized a supply chain risk management program to extend security practices to Dell EMC's suppliers of product components. Dell EMC continues to evolve its product security programs at the leading edge of industry standards and processes.
With VxRail, Dell EMC continues its commitment to security. VxRail development lifecycle follows the development process and Security Development Lifecycle overlay. The follows a rigorous approach to secure product development and involves executive-level risk management before products are shipped to market. Additionally, VMware vSphere is a significant part of VxRail hyper-converged infrastructure that has also been developed using a similar Security Development Lifecycle.
The Dell EMC Secure Development Lifecycle (SDL) outlines the set of activities required throughout the product lifecycle to build security resiliency and consistent security capabilities into the products and to respond to externally reported security vulnerabilities promptly. Aligned with industry best practices, the SDL is based on a set of controls that are implemented by the product R&D organizations. The following figure shows some of the typical activities performed as part of the SDL.
Figure 2. Dell EMC SDL Activities
Security champions drive the implementation and validation of these controls within the product R&D organizations that work in close collaboration with the Product and Applications Security Standards. The following figure illustrates how these SDL activities map onto a typical Agile lifecycle.
Figure 3. SDL and a Typical Agile Lifecycle
The scorecard is a mechanism used throughout Dell EMC's business to capture the security posture of a product/solution when it reaches its release Directed Availability/General Availability (DA/GA) date.
Dell EMCs comprehensive approach to secure development focuses on minimizing the risk of software vulnerabilities and design weaknesses in products.
This comprehensive approach to secure software development goes across policy, people, processes, and technology and includes the following:
Security vulnerabilities in any system component can be used by attackers to infiltrate and compromise the entire IT infrastructure. The time between the initial discovery of vulnerabilities and the availability of a fix becomes a race between the attackers and the defenders. A top priority for Dell EMC is to minimize this time gap to reduce risk.
The is responsible for coordinating the response and disclosure for all externally identified Dell EMC product vulnerabilities. The PSIRT provides customers with timely information, guidance, and mitigation strategies to address threats from vulnerabilities.
Anyone can notify Dell of potential security flaws in its products through the company's website or by email. Every notice is investigated, validated, remediated, and reported according to industry guidelines.
Dell releases information about product vulnerabilities to all customers simultaneously. The company's advisories identify the severity of vulnerabilities and spread the information using multiple standardized reporting systems. Like the rest of our product security practices, Dell's disclosure policy is based on industry best practices.
Successful product security programs are comprehensive and extend to outsourced components and software. Integrity tests within the supply chain are an essential component of building and preserving trust. Dell Technologies has a formal Supply Chain Risk Management program that ensures the hardware components used in the company's products originate from properly vetted sources.
Supply chain security is defined as the practice and application of preventive and detective control measures that protect physical assets, inventory, information, intellectual property, and people. Addressing physical, information, and personnel security helps provide supply chain assurance by reducing opportunities for the malicious introduction of malware and counterfeit components into the supply chain.
Dell's Supply Chain Risk Management framework (below) mirrors that of the comprehensive risk management framework of the National Infrastructure Protection Plan (NIPP), which outlines how government and the private sector can work together to mitigate risks and meet security objectives. Dell's framework incorporates an open feedback loop that allows for continuous improvement. Risk mitigation plans are prioritized and implemented as appropriate throughout the entire solution life cycle. The following figure illustrates the supply chain risk management process:
Figure 4. Dell supply chain risk management process
Dell Technologies believes a collaborative approach is the most efficient and effective way to deal with security threats that continuously emerge and can quickly spread among organizations through today's densely interconnected systems.
Considering the heightened risks, technology providers must set aside their competing aims in the marketplace when it comes to product security. No single vendor can solve all IT product security problems by itself. IT security is a collective, collaborative endeavor. Dell Technologies believes collaborating with other companies is essential to ensuring that the marketplace remains a venue where everyone can flourish.
Having spent decades in product security has helped Dell Technologies establish a rich history of successful improvements and insights. The company openly shares what it has learned with its customers, peers, and partners. Dell Technologies understands a customer's IT system may not run solely on Dell Technologies products, so we're committed to improving the ecosystem's security wherever a product operates. That means being an active participant and a positive contributor throughout the industry.
Dell Technologies long commitment to advancing product security has created an obligation to assist and promote newer industry members. The company's product security leaders facilitate the open exchange of ideas at conferences, through blog posts, and in other social and formal venues.
Dell Technologies is active in product security groups, where it both learns and teaches progressive best practices and cultivates a sense of communal responsibility for product security. Dell Technologies industry affiliations include: