Professional Documents
Culture Documents
2023
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
Contents
1 Introduction 03
Practice 08
5 Summary 13
01 02
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
Over the past few years, the number of cyberspace security threats has shot up dramati- Figure 3-1 Collaboration in vulnerability management
cally. Such threats — which can cause major losses — include cyber ransomware and
supply chain security incidents. Vulnerability exploitation remains one of the main causes Coordination organization
The maturity of businesses' vulnerability management directly reflects their digital gover- ...
Vendor N
nance levels and software engineering capabilities — it is also closely linked to sustain- Operator N
Open source
able business development. Businesses must collaborate with stakeholders to continu- community N
ously manage vulnerabilities. Failure to do so may result in system breakdown, informa- Vulnerability
tion leakage, and other risks, compromising business assets and reputation and even hin- Vulnerability
1. Plenty of information for exchange
Researcher 2. Many upstream and downstream roles
dering businesses' long-term development. 3. Complexity within the organization
Others Scanning tools/Security companies...
03 04
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
2
https://www.ntia.gov/files/ntia/je_savage_05182015.pdf
gate, mitigate, and fix vulnerabilities and support customers in risk mitigation.
3
https://www.secpoint.com/vulnerabilities-are-unavoidable.html
3.Collaborative management: Specify a collaboration mechanism with suppliers and cus-
05 06
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
Figure 4-2 Seven key phases of vulnerability handling product versions within the lifecycle, and maintain continuous and clear communication
with vulnerability reporters.
Vulnerability
handling Engagement in 4.In the vulnerability remediation phase, take proactive actions to mitigate and fix
Vulnerability Security bulletin post-remediation
preparation verification release activities vulnerabilities. In addition, address all vulnerabilities based on their severity and other
1
factors to ensure that they are properly handled.
5.In the security bulletin release phase, disclose vulnerability information only to affect-
3 5 7
ed stakeholders, through proper internal and external collaboration.
2 4 6 6.In the remediation deployment phase, deploy or help customers deploy remediations,
proactively communicate with customers about high-risk vulnerabilities, and encourage
customers to actively manage patches and stay updated on security bulletins so that
Vulnerability
awareness
Vulnerability
remediation
Remediation
deployment they can detect and mitigate vulnerabilities promptly.
7.During engagement in post-remediation activities, product teams should analyze the
root causes of vulnerabilities to improve security activities. In addition, product teams
1.Vulnerability handling preparation: Build policies, organizations, and capabilities for should continuously foster and raise security awareness and capabilities among all
vulnerability disclosure and handling. employees through external communication and through collaboration between
2.Vulnerability awareness: Establish vulnerability awareness channels to receive reports upstream and downstream stakeholders in the industry chain.
about suspected vulnerabilities. 4.2 Huawei Vulnerability Management Framework and Practice
3.Vulnerability verification: Confirm the validity and impact scope of suspected vulnera- To help customers mitigate vulnerability risks on live networks, Huawei has established
bilities. a vulnerability management framework, including policies, processes, engineering,
4.Vulnerability remediation: Develop and implement vulnerability remediations. culture, and organizations. Furthermore, it has continued to improve its capabilities in
5.Security bulletin release: Release vulnerability remediation information to customers. each business group/unit to support efficient and well-organized vulnerability manage-
6.Remediation deployment: After receiving the vulnerability remediation information, ment.
operators assess risks and deploy remediations on their live networks to mitigate risks.
7.Engagement in post-remediation activities: Make continuous improvement based on Figure 4-3 Huawei vulnerability management framework
customer comments and internal practices.
4.1.4 Codes of Conduct for Vulnerability Management Objective: Support
vulnerability risk mitigation on customers' live networks
To guide business departments more effectively in terms of vulnerability management Vulnerability management General vulnerability management
Policy Customer
activities, Huawei proposes the codes of conduct for key activities in the vulnerability Customer
requirements policy (targeting customers)
value &
requirements communication
handling process: & insights Business
Release commercial versions with minimum vulnerability risks, and deliver versions/patches after
groups/ commercial versions are released
1.In the vulnerability handling preparation phase, establish vulnerability handling orga- Customers
units
Customers
nizations and processes, specify handling objectives, and establish external communica- Regulators Regulators
Supplier R&D: full view & throughout Customer Response to
tion channels. Process
management lifecycle management customers
Industry Developers/
2.In the vulnerability awareness phase, establish extensive internal and external chan- Partners
Data foundation: vulnerability information <-> purchased/open-source/self-developed items that are affected
nels to collect all vulnerability information related to Huawei products, in order to
Engineering
Technology <-> affected products/versions <-> affected customers Consumers
07 08
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
4.2.1 Full-View Vulnerability Management Figure 4-5 IPD process with built-in cybersecurity
Asset management is the basis of vulnerability management, yet it is an industry-wide
challenge to ensure the integrity and accuracy of asset information. Furthermore,
ment, software engineering capabilities (such as full source code build) are set up to
ensure that the sources of assets in use (including platforms, open-source software, and
third-party software) are managed. The Integrated Product Development (IPD) process includes the concept, plan, develop,
A full picture of vulnerabilities in product versions can be drawn based on all available qualify, and launch phases. Threat modeling, security design, secure development,
software asset information. This is helpful for vulnerability verification, remediation, security testing, and other cybersecurity assurance measures are built into the entire
and other management activities. IDP process to minimize the introduction of vulnerabilities and deliver product versions
with as few as possible vulnerability risks to customers.
Figure 4-4 Full-view vulnerability management Vulnerabilities are managed based on product/software version lifecycle milestones.
Specifically, Huawei manages vulnerabilities in all product versions yet to reach the End
Product
of Service and Support (EOS) and releases vulnerability remediations (including mitiga-
Product asset version tion measures, patches, and versions) for versions yet to reach the End of Full Service
catalog Platform version (EOFS) based on remediation policies in different lifecycle phases to help customers
mitigate vulnerability risks on live networks.
• ICT Open-source software
Huawei Vulnerability Management Center identifies high-risk vulnerabilities that are of
Others
• Cloud service significant public concern and actively exploited, accelerates vulnerability response, and
Platform version N
• Device releases security notices (SNs) to affected customers within 24 hours. Once a vulnera-
Open-source software bility remediation is available, Huawei will release an SA to affected customers so that
• Others Third-party software they can make informed decisions to mitigate risks.
Others
09 10
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
Figure 4-6 Vulnerability management throughout the product lifecycle ・As a supplier, Huawei has established a channel for prompt and accurate vulnerability
awareness. Huawei has also developed a vulnerability disclosure website and a proac-
tive communication channel for downstream equipment vendors/integrators, and con-
Product lifecycle
GA EOS tinuously provides vulnerability remediations to support them in integrating and releas-
Software
release lifecycle
R1
GA EOFS EOS
ing remediations.
R2 ・As an equipment vendor/integrator, Huawei has established a vulnerability receiving,
GA EOFS EOS
Rn disclosure, collaboration, and response mechanism with suppliers. In addition, Huawei
GA EOFS EOS
Rn+x operates bug bounty programs to encourage security researchers and organizations to
(1) Deliver versions
GA (2) Provide EOFS EOS report suspected vulnerabilities in products. It has established a vulnerability disclosure
with minimum vulnerability
vulnerability risks remediation solutions
website and a proactive communication channel to disclose vulnerabilities to customers
in SAs, SNs, and release notes (RNs) and support customers in making informed deci-
• Fix vulnerabilities (as planned) to support customers in sions and mitigating vulnerability risks on live networks.
routinely mitigating vulnerabilities on live networks ・As an operator, Huawei has established a vulnerability receiving, disclosure, collabora-
• For high-risk vulnerabilities (event-driven), help customers tion, and response mechanism with equipment vendors and service providers. On the
swiftly mitigate vulnerability risks on live networks basis of live-network asset management, Huawei performs vulnerability awareness,
assessment, remediation, and other activities to control live-network vulnerability risks
4.2.3 Supply Chain Management at an acceptable level.
Huawei has a wide range of product, service, and solution portfolios and serve different 4.2.4 Vulnerability Management Platform
customers in the supply chain. It plays multiple roles, including as a supplier, equipment Huawei's ICT, device, IAS, and other business groups/units play different roles and hold
vendor/integrator, or operator. Playing such diverse roles has allowed Huawei to realize different responsibilities. To ensure that business groups/units fulfill their responsibilities
the importance of collaborative supply chain management from different perspectives. and support customers in vulnerability risk mitigation, Huawei has established a unified
vulnerability management platform. This platform collects original data from the
vulnerability management activities of business groups/units and generates a full
Figure 4-7 Upstream and downstream roles in the supply chain picture of the vulnerability management levels and responsibility fulfillment status of
business groups/units, enabling visualized and manageable vulnerability management
Customer Automotive Telecom operators results of all business groups/units.
perspective enterprises and and other Cloud tenants and Huawei respects the differences among industries, drives continuous improvement of
other customers customers other customers
business groups/units, and provides customers with more efficient and professional
vulnerability management support.
Equipment
Huawei Suppliers vendors/Integrators Operators
perspective
E.g., IAS E.g., ICT, device, E.g., Huawei
and Digital Power Cloud
11 12
Huawei Vulnerability Management White Paper Huawei Vulnerability Management White Paper
1. Collect original data from the vulnerability management activities of business groups/units and
ensure that their activities are effective and comply with vulnerability management requirements
2. Develop "health check reports" based on the characteristics of different business groups/units
to support self-improvement
5 Summary
13 14