I am not sure if you noticed or not, but 2020 was a strange year. The COVID-19 pandemic disrupted the business model of most companies and forced an acceleration of digital transformation, even for companies that weren't planning on it or prepared for it. The net result was a variety of repercussions from a technology and cybersecurity perspective, which makes Intel's 2020 Product Security Report that much more relevant and interesting.
The report opens with this statement from Intel: “Security doesn’t just happen. It’s the result of unwavering focus that guides everything we do to research, architect, build, and support products customers can trust.”
This quote underlines Intel's perspective: it takes its role in cybersecurity seriously. The company understands that it provides the foundation for much of the technology that organizations and individuals depend on, and that it is important to keep that foundation as secure and free of bugs as possible. The fact that this report exists at all is evidence of the attention Intel pays to security and transparency.
One of the strengths of Intel's approach to security is that it does not work behind closed doors and expect everyone to take its word for it. It is transparent about its efforts to find and mitigate security vulnerabilities. Not only does it involve the broader security research community through its bug bounty program, but it is also vigilant internally. This combination provides visibility and brings as many experts as possible to bear on finding and resolving issues quickly.
To illustrate this point, take a look at the key findings cited in the 2020 report:
- 92% of vulnerabilities addressed were a direct result of Intel’s investment in product security assurance
- Nearly half (109 of the 231 CVEs published) were discovered internally by Intel employees
- 105 of the 231 CVEs (45%) were reported by external researchers through the Intel Bug Bounty Program
- Approximately 7 out of 10 firmware vulnerabilities were found internally by Intel
- More than 80% of software issues (device drivers and software utilities) were discovered by external researchers
Perhaps the most relevant and important finding, though, is that zero (nada, zilch, none) of the 231 vulnerabilities addressed by Intel in 2020 are known to have been exploited in actual attacks. It is a testament to the value of proactive investment in research to discover and fix flaws before attackers find them and work out how to exploit them.
That is just one element of the Intel Product Security Assurance initiative, though. The report also outlines other aspects, such as:
Security Development Lifecycle
The Intel SDL is a set of processes that drive the adoption of security principles and privacy tenets in product development. The goal is to ensure that security is considered at every stage and that controls and protections are woven throughout development rather than bolted on after the fact. This also covers Intel's product security assurance efforts and the Intel Bug Bounty Program, which proactively identify and resolve issues that are found.
Compute Lifecycle Assurance
As the SolarWinds / Sunburst attacks demonstrated, protecting against supply chain attacks is crucial. Intel addresses platform integrity throughout a system's service life with Compute Lifecycle Assurance (CLA). CLA is intended to provide transparency and assurance across a system's lifecycle and its supply chain, in order to improve platform integrity, resilience and security.
In the report, you will also find details on offensive security research, industry initiatives that Intel is driving or participating in, the Intel Bug Bounty Program, and more.
For more about the Intel 2020 Product Security Report, you can check out this blog post from Jerry Bryant, Senior Director of Security Communications and Incident Response for Intel. You can also view the full report for yourself here: 2020 Product Security Report.