By Syed Jawad Imam Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa

Huawei R&D (Research and Design) focuses heavily on security throughout product development, adhering to the principle of security by design and security in process.
Cyber security activities built into the process are performed in strict compliance throughout the entire product lifecycle, so that security requirements can be implemented in each phase.
Huawei R&D provides the Integrated Product Development (IPD) process to guide end-to-end (E2E) product development. Since 2010, Huawei has been building cyber security activities into the IPD process according to industry security practices and standards such as OWASP’s Open Software Assurance Maturity Model (OpenSAMM), Building Security In Maturity Model (BSIMM), Microsoft Security Development Lifecycle (SDL), and NIST CSF, as well as the cyber security requirements of customers and governments. Such activities include security requirement analysis, security design, security development, security test, secure release, and vulnerability management. Check points are used in the process to ensure that security activities are effectively implemented in product and solution development. This practice improves the robustness of products and solutions, enhances privacy protection, and ensures Huawei provides customers with secure products and solutions.
- In the security requirement analysis phase, Huawei collects cyber security and privacy requirements through various channels such as customer feedback, industry standards, laws and regulations, and certifi It also gains insights into the service scenarios of products and solutions; analyses the network architecture, deployment environment, O&M management, and service characteristics to identify potential threats; assesses risks in terms of security, privacy, resilience, availability, reliability, and safety; and determines security requirements based on the threat assessment results. Huawei will analyse and manage these requirements.
- In the design phase, Huawei has extended the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) threat model to include the attack tree and privacy impact assessment (PIA) elements, calling this new model Advanced STRIDE (ASTRIDE). Huawei has also developed security design standards to guide engineers in security design, with reference to the best practices in the industry.
- In the development phase, Huawei has developed its own secure coding standards with reference to industry best practices in secure coding from the Computer Emergency Response Team (CERT), Common Weakness Enumeration (CWE), SysAdmin, Audit, Network, Security (SANS), and OWASP. Huawei implements a series of security development controls to ensure the quality of completed code, for example, local static code analysis using tools, the committer review mechanism, and enabling compiler security options.
- In the test phase, Huawei has designed test cases based on threat modeling to verify the effectiveness of the threat mitigation measures designed. Huawei has adopted a “many eyes and many hands” security verification mechanism. In addition to security tests of product lines, Huawei established the Independent Cyber Security Lab (ICSL), which is independent of the R&D system, to be responsible for the final verification of products. Test results are directly reported to the Global Cyber Security & Privacy Officer (GSPO), who has veto power over product launch. Third-party testing and verification schemes are supported with the cooperation of customers and industry regulators.
- In the version release phase, Huawei scans software packages for viruses and releases signatures before version release. It then verifies the integrity of software packages during software transfer and delivery to ensure that they are not tampered with.
- In the lifecycle management phase, Huawei continuously focuses on security vulnerabilities to ensure customer service continuity. The vulnerability response process involves vulnerability awareness, vulnerability validation, remediation solution development, and post-remediation activities. The Product Security Incident Response Team (PSIRT) detects vulnerabilities through internal and external channels and identifies all products with vulnerabilities based on dependencies. It classifies, assesses, and grades detected vulnerabilities, and assigns them to relevant teams for remediation. All patches comply with Huawei’s code quality requirements and undergo strict security tests. The PSIRT tracks vulnerability remediation to ensure the effectiveness of remediation solutions.
Huawei’s R&D has made good progress in the operation of the live network. Huawei has built more than 1500 networks in over 170 countries and regions in the past 30 years, covering more than one third of the world’s population, with no cyber security incidents. This shows the security of Huawei products.
Huawei is committed to not only building confidentiality, integrity, availability, traceability, and user privacy protection in 5G equipment based on the 3GPP security standards, but also collaborating with operators to build high cyber resilience in networks from the O&M perspective. Looking to the future, as cloud, digitisation, and software-defined everything become more and more prevalent and networks become more and more open, Huawei R&D will continuously build secure, trustworthy, and high-quality products and solutions.