Arm’s Product Security
“With the rising complexities in the cyber-threat landscape, it's clear that a robust approach to product security is critical to upholding the stability of the digital ecosystem. At Arm, we've taken this to heart. We've woven security into the fabric of our product development, starting with the Arm architecture through to the inception of a product's design to well after it hits the market. This is testament to how deeply we value not only the security of our own products, but also our partners and the wider ecosystem.”
Arm's Security Development Lifecycle
Embedding security into products throughout the development lifecycle is critical to reducing security risk. Arm has a diversity of products and has created customized methodologies to span design, development, and the verification of architecture, hardware, and software.
Arm ensures that engineers working on each product are trained in the customized SDL processes and provided with industry-leading tools to perform threat modeling and capture security requirements. Risk-reduction measures that cover design, verification, and documentation are applied throughout the product development lifecycle.
Arm's Product Security Incident Response Process
Arm’s Product Security Incident Response Team (PSIRT) follows a clearly defined process for product security vulnerability handling. All potential product security vulnerabilities are managed using a four-phase approach:
- Discover
- Analyze
- Resolve
- Communicate
Arm works with researchers, partners, and technology vendors to ensure security vulnerability information is shared in a manner that minimizes the risk of exploit. Coordinated vulnerability disclosure (CVD) practices are followed to help partners and consumers respond effectively when vulnerabilities are disclosed.
Arm has a dedicated vulnerability research team that collaborates with the PSIRT to analyze and address security incidents. This team also researches new areas of security to prevent future security vulnerabilities.
Head over to the security center on Arm Developer for more information on security notices and our product security incident response process.
Need to raise an incident about an Arm product? Please contact: psirt@arm.com
“At Arm, product security is an integral part of our culture. Our product security assurance capability provides the oversight so that security remains a priority throughout development and post-release. By adopting a data-driven approach, we continually refine our products and processes, positioning Arm at the cutting edge of security best practice”.
Security Community
Arm is a CVE Numbering Authority (CNA) for Arm-branded products and technologies and Arm-managed open-source projects. This status allows us to assign CVE IDs to newly discovered vulnerabilities within our jurisdiction, providing timely and structured information to the ecosystem.
Arm is a member of industry and academic communities that are advancing the state of the art in security. This includes working groups addressing hardware, software, and systems security, including within the IEEE, IETF, and MITRE. These memberships help Arm to collaborate with a global network of security experts, share knowledge, and adopt best practices to ensure our products are developed with the highest security standards, while also giving back to the wider community.
Richard Wilson, Head of Quality
“At Arm, our commitment to quality and product security is integral to our product development lifecycle. Arm’s quality policy states our commitment to meeting partners’ security requirements by continually improving our products and services to meet expectations. Our ISO 9001 quality certification encompasses product security, demonstrating our relentless pursuit of excellence.”
