Secure Development Lifecycle for Firmware

Dick Wilkins, UEFI Forum
Thursday, October 17, 2019

 

One of your customers’ top demands is probably security. Because of this, it should be the primary consideration at the top of every developer’s mind. But without a standard approach to security, it is nearly impossible to meet this crucial customer need.

Secure Development Lifecycle Webinar

Platform firmware is increasingly coming under attack, and having secure firmware is a continuous concern. Some of the main advantages of implementing an SDL are early detection of flaws in the system and the cost reductions that come from detecting and resolving those issues early. Implementing an SDL simply helps reduce intrinsic business risks for an enterprise.

Our Secure Development Lifecycle for Firmware webinar aired on October 23, 2019. Panelists described best practices for creating a secure development lifecycle for implementation of more secure firmware and answered questions from the live audience. While firmware is software for your hardware, it operates in a different environment than most software, and can have a greater impact if it’s vulnerable. A secure development lifecycle can help combat these vulnerabilities and the associated challenges that follow an attack.

The SDL Process

A Secure Development Lifecycle (SDL) is a necessary process that should be implemented to standardize security best practices across products and applications. In the past, the common practice was to perform security-related activities only as a part of testing. This “after-the-fact” approach tended to result in many issues being discovered too late. This meant code needed to be rewritten, which was costly in both time and money. Vulnerabilities can be detected early with an SDL, as security is built in through each step of the process. An SDL simply adds beneficial security activities, such as developing a threat model and focusing testing on security, to an already-existing development process.

In a Secure Development Lifecycle, companies can utilize whatever methodology they normally use within their environment, whether it be waterfall, agile, or DevOps.

In the webinar we delved into the following points and gave attendees the opportunity to ask questions and get answers.

We covered:

  • Training your staff so your company can take advantage of in-house security expertise.
  • Creating secure designs by developing a threat model. We discussed the STRIDE model as a starting point.
  • Security-conscious development for firmware.
  • Testing that focuses on security by applying targeted code reviews and using tests that focus on security, not just functionality. Testing firmware is different from testing software, and we dove into this as well.
  • How to respond to security issues by having a plan and teams identified to uncover root cause issues, develop and deploy fixes, inform customers and update tests.

We also briefly covered the UEFI Security Response Team and what it can do for you.

View the slides from the presentation to follow along with the recorded presentation and follow the UEFI Forum on Twitter to learn about upcoming webinars.