Security Statement

TECHNOLOGY BRIEF
Security Statement
Overview:
Extreme Networks has a rich history as a pioneer in the computer networking
market and today our portfolio includes robust wired/wireless network
infrastructure, visibility, and security software solutions. Many of the technology
underpinnings in Extreme Networks products are patented, which allows us to
deliver market leading, built-in automation, visibility and control capabilities to
solve critical customer networking and mobility challenges.
Extreme Networks products are designed to provide our customers with Secure
Networks by providing network administrators the fine-grained visibility and
control of users and applications through our highly programmable control plane
in combination with our secure Policy infrastructure components. Security is
always top of mind for our customers, especially those who utilize their network
infrastructure to transport and manage business critical applications and
processes. In addition to our Secure Networks focus, real-world experience has
shown that having a security-focused development process is the most effective
way to improve overall product security.
This document describes the Extreme Networks Secure Development Process
(ENSDP), our process is designed to identify and mitigate the risk of security
vulnerabilities and improve the security and resiliency of products Extreme
Networks produces.
The ENSDP approach strives to reduce the number and severity of vulnerabilities
in firmware and software provided by Extreme Networks. ENSDP provides
a security focus throughout all phases of the development process and is
applicable to all programming languages, operating systems, and individual
development efforts that are conducted by the company.
Each phase of the process includes security-focused activities that provide
some degree of security benefit if implemented on a standalone basis. However,
industry experience as well as Extreme Networks’ own experience has shown
that security activities executed as part of a development process lead to greater
Risk
Assessment
Functional
Security
Security
Response
Monitoring
Pl
an
ni
ng
Threat
Models
Design
Security
Life Cycle
3rd Party
SWStatic
Analysis
Security
Fuzz
Customers
Compliance Penetration
Industry
Security
Cert
Review
Re
le
as
e
Impl
eme
ntati
on
Enga
gem
ent
ents
irem
u
q
Re
n
tio
ida
l
a
V
Virtual Switching – Technology Brief
1
security gains than activities implemented piecemeal or in an ad-hoc fashion.
These security-focused activities, including, Static Analysis, Active Scanning, and
comprehensive security-based testing are ingrained into the Extreme Networks
development process/lifecycle.
ENSDP is a constantly evolving methodology that is enhanced over time to
incorporate new security-focused activities. Security risks are not static and as such
Extreme Networks regularly attends security-focused conferences and training.
In addition, Extreme Networks also monitors industry security information data
sources such as CERT, the full-disclosure mailing list, and various authoritative CVE
announcements for vulnerabilities that could potentially apply to our products. In
all cases, the knowledge gained is transferred to the respective development teams
throughout the company and enhances our ability to react appropriately to the
ongoing changes in the threat landscape.
Requirements Phase:
Product Management drives the requirement definition for new features and
releases. These requirements come from customers, support engineers, sales, market
analysis and innovation. The need to consider security “up front” is a fundamental
aspect of secure system development. The best time to define security-focused
requirements for a project is during the initial requirements stage. In addition to the
internal secure development requirements, external security requirements, such as
compliance with industry and government certifications are identified. Security and
compliance experts review and refine the external security requirements to ensure the
development team is fully engaged. Early definition of security requirements affords
development teams the time to identify key milestones and deliverables. This early
definition is a key component to minimizing disruptions to plans and schedules as we
progress through the process.
Planning Phase:
It is extremely important to consider security and its relative components carefully
during the planning phase. In this phase, the development team defines the design
and functionality of the system including the identification of functional security
requirements. The Quality Assurance team collaborates with the design team to
create a test plan for each requirement, from a functional, security, operational
and performance perspective. Test-driven development practices are followed
when practical to ensure success. Prior to moving to the implementation phase,
the design is reviewed by a cross-functional team from a security, simplicity and
feasibility perspective to gain approval. Mitigation of security issues is much
less costly when performed during the beginning stages of a project. Each
project team strives to avoid “adding on” security features and mitigation as an
afterthought near the end of development.
Implementation Phase:
In the Implementation phase, the development team will code solutions that
meet the product requirements. Mature coding standards and best-practices
are followed with code changes being unit-tested to help identify and reduce
security-related vulnerabilities in the system prior to delivering to QA for
integration testing. All third-party libraries are analyzed by the Configuration
Management team before being sanctioned for use in the system. As part of
the third party monitoring Extreme Networks utilizes auditing tools to identify
Virtual Switching – Technology Brief
2
new libraries added to the build environment to ensure the latest and most
secure versions are being used. Additionally, static code analysis is performed
as a security code review on each build to help detect and eliminate security
vulnerabilities from the code.
Validation Phase:
Product validation begins long before coding is complete. Quality Assurance will
begin executing test plans as soon as features are available in an effort to identify
vulnerabilities as early as possible in this phase. As part of this process, the
security-related feature/functions integrated in the prior phases will be verified.
Quality Assurance performs regression tests (if appropriate), interoperability tests
and penetration testing using industry-leading penetration testing and scanning
tools. Prior to general availability, several iterations of tests may be performed.
Comprehensive upgrade testing is performed (if applicable) and long-term stress
testing with load generators and penetration testing tools is executed.
Release Phase:
Once the product has been thoroughly validated, the product release readiness
is evaluated before it is officially released to customers. If it is determined during
the readiness review that a product has not passed the required security tests, the
product will not be released.
Engagement Phase:
ENS-DP and the respective development teams strive to deliver a high level of
security within our products as they are delivered to market. Unfortunately with
the evolving threat landscape not all security vulnerabilities will be eliminated
from the products. Extreme Networks drives continuous improvement by actively
testing and verifying our products even after they have been released. As updates
are available to our penetration testing and scanning tools, all supported versions
of our products are retested. Any newly found vulnerability will be evaluated
immediately and a mitigation or patch plan will be executed. When such a
vulnerability is found, we follow a process by which high severity vulnerabilities
(such as the ShellShock bug in the bash shell from late 2014) are prioritized over
lower severity vulnerabilities. The severity itself is derived from the Common
Vulnerability Scoring System (CVSS) score, which provides the most widely
accepted measure for vulnerability severity. For applicable vulnerabilities, we
provide feedback to CERT to keep them updated on the status of our findings.
Summary:
Extreme Networks’ focus on security and our Secure Networks Development
Process has proven to be effective in preventing security vulnerabilities and
improving overall product quality. Our ENS-DP ensures security ingrained into
the products from inception, which translates into lower risk for both Extreme
Networks and our valued customers. Taken together, the security of Extreme
Networks products is maintained and verified. For all enquiries about our security
processes, contact GTAC.
http://www.extremenetworks.com/contact
Phone +1-408-579-2800
©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc.
in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks
please see http://www.extremenetworks.com/company/legal/trademarks/. Specifications and product availability are subject to change without notice. 9573-041521
WWW.EXTREMENETWORKS.COM
Virtual Switching – Technology Brief
3