OCP Launches SAFE to Standardize Firmware Audits

In a bid to improve data center hardware and firmware security, the Open Compute Project announced the Security Appraisal Framework and Enablement (SAFE) program at OCP Summit event this week.

The program would provide an open source, standardized audit checklist and criteria for selecting third-party auditors to review device firmware. The idea is twofold: have the OCP community develop a device-specific audit checklist and criteria for auditor selection, and then have customers use the criteria to select auditors who use the checklist to verify firmware. The framework is intended to reduce costs and redundancy around device security reviews, according to the OCP.

"The OCP S.A.F.E Program defines and enforces a consistent framework for testing, validating, and assuring the security and integrity of devices at the very heart of today's cloud," said Gunter Ollmann, CTO at IOActive, one of the organizations currently enrolled as a security review provider for the program, in a statement. "Data center owners that have struggled to maintain and enforce their unique security requirements for hardware and firmware, and device vendors that have had to piece together a costly jigsaw of overlapping and inconsistent requirements across their many data center customers, can now align against a single consistent and stringent methodology delivered by an accredited and mutually trusted pool of security auditors."

At the moment, independent third-party audits of firmware are complicated because only a subset of customers ever see audit results. SAFE's objective is to allow device and system manufacturers to commission an OCP-approved security review provider to audit their firmware and then share the results with customers. With this framework, cloud providers and data center operators could increase the pace at which they receive, trust, and deploy critical firmware updates in their environments, according to the OCP.

While the program is a step in the right direction because it draws more attention to underserved areas in cybersecurity, such as firmware security, it might not be enough to impact the ecosystem because the focus is still on costly and slow audits, according to Alex Matrosov, founder and CEO of Binarly.

"I see a combination of the approaches we tried before, but unfortunately, it doesn't change much," he says.

It is not clear how the results of the SAFE audits will be visible in the long term and what type of impact it will create on the ecosystem.

"Relying heavily on manual code reviews is inherently limited in scalability and is deeply influenced by human factors," Matrosov says. "While introducing such workflows might guarantee steady work for code audit shops, I remain skeptical about their efficacy without the support of proper tooling and automation."

Binarly has disclosed more than 400 "high-impact vulnerabilities" during the year, and the timeline for fixing them remains very slow. For example, even after Binarly's joint disclosure with Qualcomm last January, Microsoft has not finished patching its ARM devices.

For things to change, the industry needs to emphasize "automation in vulnerability discovery, risk assessment, and prioritization," Matrosov says.