OCP S.A.F.E Update

A brief update on the S.A.F.E initiative since launch in October 2023, followed by a panel discussion.

Eric Eilertson, Security Architect, Microsoft
Alex Tzonkov, Security Architect, AMD
Alfredo Pironti, Director, IO Active

Security and Data Protection

S.A.F.E Overview
- Standardize security reviews from CSPs and hyperscalers
- Remove the need for multi-party NDAs
- Move security reviews earlier into the development lifecycle
  - Engage the SRP early and often
  - The final review could be largely ceremonial
- Security reviews become a standard rhythm of business

Review Areas
Scope 1: Secure boot + Firmware
- Proper handling of critical security parameters
- Input validation
- Memory safety
- Storage devices: validation of crypto erase and block overwrite
Scope 2: Designed for isolation
- ROT/security processor and memory isolated from application cores
- Application cores and firmware provide isolation between processes
Scope 3: Designed to withstand physical attacks
- Architecture has mitigations for glitch and side-channel attacks

S.A.F.E. Programmatic Update
Technical Advisory Committee
- Thordur Bjornsson, Google
- Eric Eilertson, Microsoft
- Tim Pletcher, HPE
- Michael Schneider, IDA/CCS
- TAC will evaluate Security Review Provider applications
- TAC will manage the framework, review areas, and SRP criteria
SRP list from October 2023 launch
- Atredis, IO Active, NCC Group
- Tetrel Security added March 2024

Upcoming Legislation
- National-Cybersecurity-Strategy-2023.pdf (whitehouse.gov): outlines the administration's proposed strategy to address emerging cybersecurity threats.
  - Section 3.3: shift liability for insecure software products and services.
- https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf: the CTO of the software provider is accountable for software delivered.
- European Commission Cyber Resilience Act (Cyber Resilience Act | Shaping Europe's digital future, europa.eu)
  - Proposes cybersecurity conformance assessments.
  - Penalties for non-conformance.
- Potential challenge: recurring audits impact device costs and schedules.

Early Adopters' Experience with S.A.F.E.
OCP value proposition for AMD as a device vendor:
- Before OCP S.A.F.E.:
  - Multiple custom audits for the same device
  - Similar audit outcomes, multiple customer dialogs
- With OCP S.A.F.E.:
  - S.A.F.E. audit scope eliminates multiple audits & dialogs
  - Enhances security transparency via the Short Form Report (SFR)
  - S.A.F.E. audit scope levels integrate well with AMD's SDLC

Call to Action
Device vendor
- Look over the security review areas and prepare for your first security review
- Is your preferred security review firm endorsed as a S.A.F.E. review provider? If not, encourage them to apply!
Security Review Provider
- Look over the review areas; is there anything missing?
- Apply to become a S.A.F.E. review provider
- https://www.opencompute.org/projects/ocp-safe-program
- https:/

Discussion