Huawei’s product security squad: stopping the breach before it happens

2 December 2014

Cyber security threats are at an all-time high. As this trend is unlikely to reverse in the near future, sound procedures and processes for handling weaknesses are an imperative for our industry.

When analyst and self-labelled ‘computer security punk’ Andreas Lindh looked into vulnerabilities in 4G USB modems from the two market leaders, which include Huawei, he noticed one striking difference.

Recounting his experience of simulating a phishing attack on the modems at this year’s Black Hat Convention in Las Vegas, he explained that while he did find a weak spot in both, what made the difference was how each company dealt with this information. Huawei got the issue fixed – quickly and comprehensively, along the entire product line.

This difference has a name: it is called a Product Security Incident Response Team (PSIRT), and it is one of the key elements of Huawei’s end-to-end approach to cyber security. These rapid response units manage the receipt, investigation, coordination and disclosure of security vulnerability information related to our products and solutions.

Around the clock

As soon as a suspected vulnerability has been reported, the PSIRT is called into action. A response is sent to the reporter within 24 hours, and urgent action is taken to mitigate risks early on.

After analysis, verification and severity evaluation, the team investigates all possible affected products in two dimensions (horizontal and vertical) and provides a new version, a patch or a workaround to prevent the vulnerability from being exploited and harming our customers.

Huawei PSIRT gathers all relevant information and brings all teams across the product line on board to provide a remediation for the vulnerability as quickly as possible. Information on detected vulnerabilities, impact and available fixes is published online.

Remember the ‘heartbleed’ bug scare? If you look through the security bulletins on the website, you will find detailed information on action undertaken, products concerned and available patches.

Proactivity is key

Huawei encourages security researchers, industry organisations, government agencies and vendors to proactively contact Huawei PSIRT about any potential product security vulnerabilities. The website provides encryption for sending sensitive information.

Huawei has adopted a responsible disclosure policy with vendors, Computer Emergency Response Team (CERT) organisations and security researchers. We actively participate in industry security organisations and forums to help in building a harmonious network.

As a member of the global Forum of Incident Response and Security Teams (FIRST), bringing together incident response teams around the world, we contribute to information exchange and cooperation on issues of mutual interest, such as new vulnerabilities or wide-ranging attacks.

Closed loop

At Huawei, we take the approach that cyber security needs to be ‘built-in’ rather than ‘bolt-on’. This involves building security into every single aspect of our company.

From strategy and governance to standards, processes, manufacturing, third-party management, delivery, human resources and audit, every part of Huawei, and every person, is included in our 11-step cyber security system.

This end-to-end approach, outlined in a series of White Papers, is constantly being updated to keep step with an evolving threat landscape.

As part of this system, Huawei PSIRT is a key element of measures addressing defect and vulnerability resolution. It is integrated in our issue-to-resolution process, which provides a closed-loop framework for receiving, analysing and resolving problems encountered by customers, security-related or not.

Huawei PSIRT – find out more