OCP S.A.F.E. Updates
Eric Eilertson, Nick Hummel, Jasper van Woudenberg, Ilja van Sprundel

Agenda
- Speaker introduction
- About S.A.F.E.
- Introduction to the program
- Current work in progress
- TODO(Jasper): Add your topic here
- TODO(Ilja): Add your topic here

Speaker introduction
- Eric Eilertson, OCP S.A.F.E. Lead, Microsoft
- Nick Hummel, OCP S.A.F.E. Lead, Google
- Jasper van Woudenberg, OCP S.A.F.E. SRP, Riscure
- Ilja van Sprundel, OCP S.A.F.E. SRP, IOActive

About S.A.F.E. (Security Appraisal Framework and Enablement)

Traditional model
- Each customer wishing to purchase a device needs to find and vet a suitable security review provider (SRP).
- Device vendors need to collaborate with several independent SRPs and customers, providing the same information multiple times.
- Collaborating with small customers is not worth the effort for vendors.
(Diagram: one Vendor, Customers A, B and C, each with its own SRP A, B or C.)

New model under OCP S.A.F.E.
- S.A.F.E. standardizes security audits of hardware and firmware, especially datacenter server components such as CPUs, GPUs, SSDs and NICs.
- Customers share one review, saving costs.
- Vendors only need to work with one SRP, saving effort.
- Vendors are incentivized to provide high-quality, continuous reviews because many customers consume them.
(Diagram: one Vendor, Customers A, B and C, and a single shared SRP.)

Difference to certification programs
- Programs like FIPS provide specific checklists that need to be fulfilled. This leads to a focus on ticking boxes rather than holistically considering security.
- S.A.F.E. instead focuses on strictly vetting SRPs and giving them sufficient freedom to assess security comprehensively.
- We do not expect perfectly clean reports when purchasing products.

Updates
- We are planning updates to the short-form report format.
- Use the CoRIM format and make it easier to consume by industry-standard verifiers, especially Veraiso