Whitepaper

Stratus Product Security

An overview of Stratus’s Security Programs and Practices

Abstract

As part of a comprehensive security strategy, Stratus manages and executes programs and practices to ensure the development of secure products and drive security awareness across its enterprise. Established oversight procedures help Stratus identify and mitigate product security risks both during and after product development. The purpose of this paper is to explain Stratus’s Secure Development Lifecycle program: the comprehensive and rigorous product security assurance processes that help it address potential vulnerabilities and ensure product integrity.

Stratus takes security seriously

Stratus has a rich security heritage

For nearly 40 years, Stratus has been providing computing infrastructure for enterprises that need highly reliable, secure, and manageable platforms to power their most mission-critical data center workloads. Today, Stratus solutions are used by over half of the global Fortune 100, to safely process $8.6T in credit card transactions, produce 200M tons of food and drink, and transport 1.5B airline passengers annually.

Edge computing infrastructure must be secure

More and more, Stratus solutions are being deployed at the edge of corporate networks. Stratus’s simple, protected, and autonomous computing platforms are increasingly being sought out to run critical edge applications, in locations lacking environmental controls and/or technology resources.

The emergence of IoT (Internet of Things), and the convergence of IT (information technology) and OT (operational technology), are exposing previously “isolated” OT edge networks to new and existing IT security vulnerabilities. Furthermore, these OT networks are not easily secured using traditional IT security measures and tools.

Security is important at Stratus

Ensuring the security of customers’ computing platforms, from the data center to the edge, is of utmost importance to Stratus. Many of its customers operate in heavily regulated industries and use its edge computing platforms for critical national infrastructure. As such, reducing viable attack vectors, and creating products with layers that support defense-in-depth approaches, are important elements in reducing risk. To better protect its customers and partners, Stratus follows a comprehensive security strategy that includes leveraging security industry best practices, designing and building products with security in mind, responding rapidly to known security vulnerabilities and threats, and continually evaluating its current stance and making improvements to enhance its security posture.

Stratus follows security industry best practices

Stratus follows recognized security industry best practices when designing and building products (secure process) and making them more secure (secure product). A formal SDL (secure development lifecycle) program that incorporates ISA, NIST, and OWASP guidelines helps Stratus identify and mitigate security risks. Partnering with organizations like OPAF helps it leverage the resources of the broader security community to maximize product security.

It starts with the ISA

The International Society of Automation (ISA) is a non-profit professional association founded in 1945. The organization develops and maintains widely used global standards, including security standards for industrial automation and control systems. Stratus primarily follows two ISA guidelines, both also adopted by the International Electrotechnical Commission (IEC), to consider security from a process perspective and from a product perspective.

Security Process

ISA/IEC 62443-4-1
ISA/IEC 62443-4-1 specifies process requirements for the secure development of products used in industrial automation and control systems. Stratus follows these ISA guidelines in securely developing its own products. The guidelines define a secure development lifecycle for the purpose of developing and maintaining secure products, including the following:

  • security requirements definition
  • secure design
  • secure implementation (including coding guidelines)
  • verification and validation
  • defect management
  • patch management
  • product end-of-life

NIST SP 800-37
Now part of the US Department of Commerce, the National Institute of Standards and Technology (NIST) is a government organization that establishes and oversees technologies, measurements, and standards designed to help promote industrial competitiveness. NIST Special Publication 800-37 (SP 800-37) provides guidelines for applying its Risk Management Framework to federal information systems. Stratus developers leverage these supplemental guidelines during the development of Stratus’s software products, such as Stratus Redundant Linux, everRun, and VOS.

Product Security

ISA/IEC 62443-4-2
Stratus also uses ISA functional requirements to help define which security features to incorporate into its products. ISA/IEC 62443-4-2 details technical component requirements (CRs) associated with seven foundational requirements (FRs) for meeting control system capability security levels. The seven foundational requirements are:

  • identification and authentication control
  • use control
  • system integrity
  • data confidentiality
  • restricted data flow
  • timely response to events
  • resource availability

For example, Stratus products like ztC Edge and everRun leverage access control lists, roles, and passwords to provide least-privilege identification, authentication, and use control. System integrity in ztC Edge is ensured with secure and trusted boot. Both ftServer and ztC Edge use secure communication protocols, such as HTTPS, SSH, and SMTP with encryption, to ensure data confidentiality. Alert logs notify administrators immediately of configuration changes in Stratus products that might be indicative of security incidents. Resource availability is also a hallmark of all Stratus products, which offer high availability and fault tolerance to provide resilience against various types of denial-of-service events and continuity of business-critical services.

FIPS 140-2
Federal Information Processing Standard 140-2 (FIPS 140-2) is another NIST standard, maintained jointly by NIST’s Computer Security Division (CSD) and Applied Cybersecurity Division (ACD). It specifies the security requirements that a cryptographic module must satisfy, defining four increasing, qualitative levels intended to cover a wide range of potential applications and environments.

Stratus uses FIPS 140-2 cryptography and data security design principles to inform its product security requirements. For example, current Stratus products use OpenSSL 1.0.2k-fips and TLS v1.2 for web services. ztC Edge’s web server for providing console access complies with FIPS 140-2 algorithms by default.

OWASP
The Open Web Application Security Project (OWASP) is a nonprofit foundation whose purpose is to improve the security of software. Stratus leverages the foundation’s methodologies, documentation, tools, and technologies to improve the security of its products.

Stratus designs and builds its products with security in mind

Stratus has established programs and practices that identify and mitigate security risks during its product development process. A product security team within Stratus’s Engineering group is responsible for developing and driving security initiatives across the company and fostering a security-conscious culture. This team is responsible for Stratus’s SDL program, security incident response efforts, and security certifications.

Stratus’s SDL is a closed-loop security assurance program that helps Stratus engineers develop secure products. Its primary objective is to reduce the number and severity of vulnerabilities in its products, both under development and deployed. It accomplishes this by infusing security into every aspect of its products’ lifecycles and agile development culture, including up-front training, requirements gathering, design, implementation, verification, release, and post-release response.

In addition to leveraging the security industry best practices, guidelines, standards, and tools provided by the ISA, NIST, and OWASP, Stratus incorporates additional security practices throughout each SDL program phase to mitigate security risk.

Training
Stratus engineers receive security training on a regular basis, keeping current on security trends and the industry’s evolving threat landscape, in order to help minimize the introduction of security issues into its development process and products. Stratus’s security team manages, maintains, and periodically updates role-based and technology-specific security curricula. Currently, there are courses in security concepts, security design and testing, secure coding techniques, and security tools.

Requirements gathering
During the requirements gathering and planning phases, the product’s initial security profile is evaluated. This is the first of several milestones where the product’s security profile is compared against a set of known security requirements. These requirements may come from product owners as customers’ requests, or from industry standards, but they are vetted and maintained by the security team. Currently, they include standards for areas such as authentication, authorization, encryption, certificate management, network security, virtualization, accountability, and software packaging and delivery. In addition, there are higher-level security requirements for items like securing sensitive data, malicious code prevention, and attack surface reduction.

Design
During a product’s design phase, a parallel activity takes place to identify and remediate security issues before release. A threat model (an architectural drawing that identifies potential vulnerabilities, system flaws, and incorrect design assumptions) is drafted. By performing this activity early in the development process, development teams have adequate time to address any design-related security issues.

Implementation
During this phase, development teams use automated tools to detect defects, including security-related flaws. SAST (static application security testing) is used to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities. Vulnerability scanning is also performed at this stage.

In addition, the security team employs secure sourcing. It documents the names and release levels of all OSS (open source software) and TPS (third-party software) incorporated into its products, inspecting them for known vulnerabilities. Security assessments of vendor hardware and software are performed to ensure that Stratus is receiving secure products that are developed to industry standards, in order to mitigate the risk of security issues being passed down to its customers.

Verification
During this lifecycle phase, development teams use automated tools to scan software products, running on networked computing systems, for security vulnerabilities, to determine if there are specific ways the system can be threatened or exploited. In addition, penetration testing may be performed to determine if a malicious intruder can successfully attack the product or solution. These tests are conducted in isolated test environments, can include product architecture and source code reviews, and utilize various commercial or internal vulnerability detection tools.

Also, a final security review is performed during this stage, to verify that the product has gone through all SDL program activities and that any issues raised in prior security reviews have been addressed. This final security review is completed before any RC (release candidate) milestones are met.

Release and post-release response
Products that are GA (generally available) enter the production phase of their product lifecycle. They remain in this phase until their EOL (end of life). Stratus’s Product Security Incident Response Team (PSIRT), a subset of the security team, is responsible for monitoring the technology landscape for any reports of security issues concerning Stratus products. PSIRT is a global team; one of its roles is to investigate reported vulnerabilities and provide information internally to the appropriate teams. Another role it plays is to be the Stratus point of contact ([email protected]) for security researchers, customers, partners, and other external parties reporting vulnerabilities in Stratus products.

Stratus quickly responds to security vulnerabilities and threats

When PSIRT detects or receives a report of an issue with a Stratus product, PSIRT works with Stratus development teams to investigate the issue. PSIRT then coordinates remediation of the issue, and communication about it both internally and externally, with the appropriate product and support teams. In addition, PSIRT is responsible for communicating and distributing all security advisories, and for maintaining a record of them on Stratus’s website.

Stratus, together with other technology vendors and government organizations (e.g. Intel, AMD, IBM, Microsoft, Red Hat, Google, Facebook, Amazon, MITRE, CISA, etc.), belongs to a security coalition that continually identifies, qualifies, and publishes information about known security vulnerabilities. When coalition members are alerted to a potential vulnerability, work begins to qualify and diagnose the issue. Information is shared among coalition members, and members collaborate to create a fix. Eventually, Stratus creates a security patch, which PSIRT then distributes to its customers and partners.

Stratus continually evaluates and improves its security posture

Stratus’s SDL program is periodically assessed for its ability to identify and mitigate risks, and new processes and tools are added to the program as they mature and are qualified.

In addition, Stratus’s agile methodology includes automated processes for security testing that match the type and level of vulnerability for each development stage. An integrated DevSecOps approach helps ensure security is incorporated into Stratus’s rapid and frequent product development cycles, where lessons learned from earlier cycles can quickly be applied to future ones.

For more information

For more information, or to report a vulnerability, please contact Stratus’s PSIRT at [email protected]. For more information about Stratus’s security advisories, please visit support.stratus.com. For more information about how Stratus ensures the security of its products, please visit stratus.com/security or stratus.com.

References

  • International Society of Automation (ISA): isa.org
  • International Electrotechnical Commission (IEC): iec.ch
  • National Institute of Standards and Technology (NIST): nist.gov
  • Open Web Application Security Project (OWASP): owasp.org
  • Open Process Automation Forum (OPAF): opengroup.org/forum/open-process-automation-forum
  • Cybersecurity and Infrastructure Security Agency (CISA): us-cert.gov
