How Intel is building a culture around security 3 years after Meltdown and Spectre

In the three years since Intel was the center of a firestorm over vulnerabilities in its chips, the company has been making a concerted effort to reinforce its internal approach to security. This includes everything from centralizing its security operations to fostering more collaboration with partners and the research community.

Security has always played a role in Intel’s products, but that focus has intensified as the security landscape grows increasingly complex and dangerous. In an interview with VentureBeat, Intel fellow and product assurance and security VP Martin Dixon said the company has worked to lay a solid foundation from which to tackle emerging challenges.

“I firmly believe that you can’t have secure products without having a culture around security,” Dixon said. “We continue to evolve our security within the company.”

In early January 2018, researchers revealed the existence of two fundamental bugs in Intel chips, dubbed Meltdown and Spectre. Given Intel’s prominence in a vast array of computing devices, the disclosures prompted an industrywide scramble to introduce patches and updates to address the vulnerabilities.

The incident was a black eye to Intel’s reputation, and the company was forced to rethink security from top to bottom.

Dixon has played a key role in those efforts. In our interview, and in a blog post that went live today, he shared the broad strokes of Intel’s progress.

“My team was founded to pull together a bunch of the security resources within the company to make sure that we feed those learnings forward,” Dixon said. “After Spectre and Meltdown, one of our big learnings was we pulled together a ton of groups to discuss vulnerabilities and figure out how to mitigate them, not only in Intel products but in everyone’s products out there.”

Internally, those efforts have included organizing security engineers from across the company so there is more central coordination. That means not only discussions around potential security issues in products, but also a greater sense of security’s prominence throughout the company.

“I’m fond of saying that the most secure a computer system can ever be is when the power is off,” Dixon said. “Once you turn the power on, trust only goes downwards. And so one of the big things that I focus our team on is foundational security. The idea here is that when you turn that platform on, when you power it up, how are you making it more secure? How are you making sure that everything that you load is what you expected?”

Dixon noted that the company has organized more than 100 internal security hackathons over the past year. That also led to a more robust bug bounty program.

“We firmly believe in coordinated vulnerability disclosure,” Dixon said. “We want to make sure that as things come in, we can get them mitigated at the same time as they are disclosed.”

Intel has also increased its work with academia to source additional vulnerabilities. And it’s investing more in work around standards, notably in areas like post-quantum computing security.

From that cultural foundation, Intel is focused on creating a strategy that rests on three pillars: foundational security, workload protection, and software reliability. Given Intel’s hardware competence, the company has been concentrating on embedding hooks that partners such as Microsoft can use to improve security.

Intel believes these efforts demonstrate its broad commitment to security since Meltdown and Spectre.

“It has raised the priority,” Dixon said. “It’s always been a priority for us. We’ve always had security architecture. We learned from our partnerships with Microsoft and with Cisco and with others how to build a security development lifecycle and then apply it to silicon, which is different than their software-based one. So it’s always been a priority, but it has evolved.”

Part of that evolution is tracking the shift to more decentralized computing with the rise of edge and 5G. The soaring value of data on devices and in the cloud has motivated more sophisticated attacks, which have a bigger surface to target.

“We are adapting to what our customers need and making sure that we’re providing security that they want,” Dixon said. “Security is only as strong as the weakest link.”

