Arm's Systematic Approach to Product Security
Securing the world’s data is one of the greatest technology challenges facing the next decade of compute. Security is a vital requirement for everything Arm does, and product security is one of the key quality metrics for products delivered to partners and the wider ecosystem.
Our approach can be represented by the following areas:
Arm prioritizes security measures by incorporating security processes at every stage of product creation using our tailored Security Development Lifecycle (SDL). This enables us to identify and mitigate potential risks before they reach a released product.
Arm’s product security extends beyond the development phase. Our Product Security Incident Response Team (PSIRT) continually monitors our products for potential weaknesses and manages both the resolution and the responsible disclosure of vulnerabilities to our partners and the ecosystem.
Our product security assurance function drives continuous improvement of our SDL and Incident Response processes and provides independent assurance of the effectiveness of Arm's product security processes.
We actively work with partners, organizations, and universities to stay at the forefront of best practices and vulnerability research. This collaboration and knowledge sharing enhances our ability to anticipate emerging threats and implement effective security strategies.
Arm’s Product Security
“With the rising complexities in the cyber-threat landscape, it's clear that a robust approach to product security is critical to upholding the stability of the digital ecosystem. At Arm, we've taken this to heart. We've woven security into the fabric of our product development, starting with the Arm architecture through to the inception of a product's design to well after it hits the market. This is testament to how deeply we value not only the security of our own products, but also our partners and the wider ecosystem.”
Arm's Security Development Lifecycle
Embedding security into products throughout the development lifecycle is critical to reducing security risk. Arm has a diversity of products and has created customized methodologies to span design, development, and the verification of architecture, hardware, and software.
Arm ensures that engineers working on each product are trained in the customized SDL processes and provided with industry-leading tools to perform threat modeling and capture security requirements. Risk-reduction measures that cover design, verification, and documentation are applied throughout the product development lifecycle.
Arm's Product Security Incident Response Process
Arm’s Product Security Incident Response Team (PSIRT) follows a clearly defined process for product security vulnerability handling. All potential product security vulnerabilities are managed using a four-phase approach:
Arm works with researchers, partners, and technology vendors to ensure security vulnerability information is shared in a manner that minimizes the risk of exploit. Coordinated vulnerability disclosure (CVD) practices are followed to help partners and consumers respond effectively when vulnerabilities are disclosed.
Arm has a dedicated vulnerability research team that collaborates with the PSIRT to analyze and address security incidents. This team also researches new areas of security to prevent future security vulnerabilities.
Head over to the security center on Arm Developer for more information on security notices and our product security incident response process.
Need to raise an incident about an Arm product? Please contact: email@example.com
“At Arm, product security is an integral part of our culture. Our product security assurance capability provides the oversight so that security remains a priority throughout development and post-release. By adopting a data-driven approach, we continually refine our products and processes, positioning Arm at the cutting edge of security best practice”.
Arm is a CVE Numbering Authority (CNA) for Arm-branded products and technologies and Arm-managed open-source projects. This status allows us to assign CVE IDs to newly discovered vulnerabilities within our jurisdiction, providing timely and structured information to the ecosystem.
Arm is a member of industry and academic communities that are advancing the state of the art in security. This includes working groups addressing hardware, software, and systems security, including within the IEEE, IETF, and MITRE. These memberships help Arm to collaborate with a global network of security experts, share knowledge, and adopt best practices to ensure our products are developed with the highest security standards, while also giving back to the wider community.
Richard Wilson, Head of Quality
“At Arm, our commitment to quality and product security is integral to our product development lifecycle. Arm’s quality policy states our commitment to meeting partners’ security requirements by continually improving our products and services to meet expectations. Our ISO 9001 quality certification encompasses product security, demonstrating our relentless pursuit of excellence.”