Huawei R&D focuses heavily on security throughout product development, adhering to the principles of security by design and security in process. Cyber security activities built into the process are carried out in strict compliance throughout the entire product lifecycle, so that security requirements are implemented in each phase.
Huawei R&D uses the Integrated Product Development (IPD) process to guide E2E product development. Since 2010, Huawei has built cyber security activities into the IPD process in accordance with industry security practices and standards such as OWASP’s Software Assurance Maturity Model (OpenSAMM), the Building Security In Maturity Model (BSIMM), the Microsoft Security Development Lifecycle (SDL), and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), as well as the cyber security requirements of customers and governments. These activities cover security requirements, design, development, testing, release, and vulnerability management. Checkpoints in the process ensure that security activities are effectively implemented in product and solution development. This practice improves the robustness of products and solutions, enhances privacy protection, and ensures that Huawei provides customers with secure products and solutions.
In the design phase, Huawei has extended the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) threat model to include the attack tree and privacy impact assessment (PIA) elements, calling this new model Advanced STRIDE (ASTRIDE). Huawei has also developed security design standards to guide engineers in security design, with reference to the best practices in the industry.
In the development phase, Huawei has developed its own secure coding standards with reference to the industry’s best-practice secure coding standards from the Computer Emergency Response Team (CERT), Common Weakness Enumeration (CWE), SysAdmin, Audit, Network, Security (SANS), and Open Web Application Security Project (OWASP), and continuously carries out security training and exams for coding personnel.
In the test phase, Huawei designs test cases based on threat modeling to verify that the designed threat mitigations are effective. Huawei has adopted a “many eyes and many hands” security verification mechanism. In addition to the security tests run by product lines, Huawei established the Independent Cyber Security Lab (ICSL), which is independent of the R&D system and is responsible for the final verification of products. Test results are reported directly to the Global Cyber Security & Privacy Officer (GSPO), who has veto power over product launch. Third-party testing and verification schemes are supported in cooperation with customers and industry regulators.
In addition, measures are taken to enhance software security: for example, compiler security options are enabled in the build process, and security scanning is performed before version release. The digital signature center signs each software program, and customer engineers can use the signature to verify software integrity before loading the software. This mechanism prevents tampered or replaced software from being loaded.
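The integrity check described above, as an added example that is not from the white paper and not Huawei’s own signing tooling: a vendor-side signing step models the digital signature center, and a field-side verification step models what a customer engineer runs before loading the software. The SignedPackage layout, the choice of Ed25519 over a SHA-256 digest, and the sample payload are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a constructed, hypothetical release artifact layout:
// the software bytes, the SHA-256 digest that was signed, and the signature.
// Real vendors use their own package formats; this one exists only for the example.
type SignedPackage struct {
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// SignPackage models the signature center: hash the payload, then sign the digest
// with the vendor's private key, which never leaves the signing service.
func SignPackage(priv ed25519.PrivateKey, payload []byte) SignedPackage {
	digest := sha256.Sum256(payload)
	return SignedPackage{
		Payload:   payload,
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyPackage models the pre-load check in the field. It recomputes the digest from
// the bytes actually received (the shipped digest is never trusted on its own) and then
// verifies the signature over that digest with the vendor's published public key.
// A modified payload, a forged digest, or a package signed by any other key all fail here.
func VerifyPackage(pub ed25519.PublicKey, pkg SignedPackage) error {
	// ed25519.Verify panics on a wrong-sized key, so reject malformed trust anchors first.
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("trusted public key has the wrong size")
	}
	recomputed := sha256.Sum256(pkg.Payload)
	if recomputed != pkg.Digest {
		return errors.New("digest mismatch: package contents differ from what was signed")
	}
	if !ed25519.Verify(pub, recomputed[:], pkg.Signature) {
		return errors.New("signature invalid: package was not signed by the trusted vendor key")
	}
	return nil
}

// Tamper returns a copy of pkg with one payload byte flipped, to exercise the failure path.
func Tamper(pkg SignedPackage, index int) SignedPackage {
	modified := append([]byte(nil), pkg.Payload...)
	modified[index] ^= 0xff
	return SignedPackage{Payload: modified, Digest: pkg.Digest, Signature: pkg.Signature}
}

func main() {
	// Constructed vendor key pair; in practice the public key is distributed out of band.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample software image v1.0") // constructed payload

	pkg := SignPackage(priv, firmware)
	fmt.Println("clean package:", VerifyPackage(pub, pkg))         // <nil>
	fmt.Println("tampered package:", VerifyPackage(pub, Tamper(pkg, 0)))

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong trust anchor:", VerifyPackage(otherPub, pkg))
}
```

Recomputing the digest from the received bytes is the step that matters: a loader that verified the signature against a digest copied from the package header would accept a package whose body had been swapped after signing.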
Huawei R&D has also made systematic progress in live network operations. The secure operation of hundreds of LTE networks over the past 10 years is evidence of product security assurance. BSIMM assessments over the past 5 years show continuous improvement in Huawei’s security practices, ranking it top among 120 ICT companies.
Huawei is committed not only to building confidentiality, integrity, availability, traceability, and user privacy protection into 5G equipment based on the 3GPP security standards, but also to collaborating with operators to build high cyber resilience into networks from the O&M perspective. Looking to the future, as cloud, digitization, and software-defined everything become more prevalent and networks become more open, Huawei R&D has initiated a transformation to enhance its software engineering capabilities and continuously build trustworthy, high-quality products and solutions.
This is a series of reports on Huawei’s 5G security white paper, which explains how Huawei works with the industry to ensure 5G security. This report is provided by Liu Pan, Cyber Security & Privacy Officer of Huawei Cambodia.