Intel Product Security Report highlights continued security assurance investments
Intel Security today released its 2022 Product Security Report, highlighting its continued security assurance investments and a year-in-review of the vulnerabilities and mitigations that it uncovered over the last year.
The headline finding in the report is that 93% of the vulnerabilities addressed by Intel in 2022 directly resulted from Intel’s investment in product security assurance. Some 137, or 56%, of the 243 common vulnerabilities and exposures, or CVEs, published by Intel in 2022 were discovered internally by Intel employees.
Since its first product security report in 2019, an average of 93% of all CVEs published were the direct result of Intel’s investment in product security assurance. Of 106 vulnerabilities reported by external researchers in 2022, 90, or 85%, were reported through Intel’s bug bounty program.
Intel said much of the success in uncovering vulnerabilities is thanks to the Intel Security Development Lifecycle that guides the company in applying privacy and security practices across hardware and software, including firmware, throughout the product lifecycle.
The lifecycle starts with planning and assessment, identifying the SDL activities needed through development to address the product’s expected security risks. The second step involves architecture and developing a threat model that drives appropriate security requirements and objectives. In the design phase, security and privacy analysis is undertaken based on security objectives, threats and requirements.
The fourth stage, implementation, involves continuously evaluating progress to ensure implementation is on track to deliver a trustworthy product. Security validation, the fifth step, involves verifying that the product meets all stated security requirements, leading to the final step, release and post-deployment, including release testing and post-release product support.
Intel also runs “Security Hack-a-Thons” that allow employees to learn to think like hackers. Employees receive ongoing training and hands-on experience through scheduled events that bring product experts together with security experts. Intel conducted 118 HaT events in 2022. Its security research teams now span 10 countries and include 80 researchers.
“The security of our products is one of our most important priorities,” Intel Chief Executive Pat Gelsinger said in the report. “We strive to design, manufacture and sell the world’s most secure technology products, and we are continuously innovating and enhancing security capabilities for our products.”