October 18, 2023 at 03:56PM
The Open Compute Project has introduced the Security Appraisal Framework and Enablement (SAFE) program, aimed at improving data center hardware and firmware security. It provides an open-source audit checklist and criteria for selecting third-party auditors to review device firmware, so that one audit against the shared checklist can serve many customers instead of each customer commissioning its own. The program aims to reduce the cost and redundancy of device security reviews. While the program is a step in the right direction, some experts believe it may not have a significant impact, because the model still centers on costly and slow manual audits. According to cybersecurity expert Alex Matrosov, real change requires an emphasis on automation in vulnerability discovery and risk assessment.
The Open Compute Project (OCP) announced the Security Appraisal Framework and Enablement (SAFE) program at the OCP Summit event this week. This program aims to improve data center hardware and firmware security by providing an open-source, standardized checklist for device firmware audits. The goal is for customers to use this checklist to select auditors who will verify firmware based on OCP’s criteria. The framework is intended to reduce costs and redundancy in device security reviews.
The SAFE program defines and enforces a consistent methodology for testing, validating, and assuring the security and integrity of devices in the cloud. It allows data center owners and device vendors to align on a single stringent methodology delivered by accredited security auditors. Because a review performed under that methodology is meant to be accepted by every customer rather than repeated for each one, cloud providers and data center operators should be able to receive and deploy critical firmware updates more quickly and with increased trust.
While the SAFE program is a step in the right direction for addressing firmware security, some concerns have been raised. Today, independent third-party audits of firmware are complicated and opaque: typically only the subset of customers that commissioned a review ever sees its results. Critics also argue that a model still centered on costly and slow audits might not have a significant impact on the ecosystem. They suggest that the industry should instead prioritize automation in vulnerability discovery, risk assessment, and prioritization to drive more effective change.
Overall, the SAFE program is expected to draw attention to underserved areas in cybersecurity, but its long-term impact on the ecosystem and the visibility of audit results remain unclear.