Arm's Systematic Approach to Product Security

Securing the world’s data is one of the greatest technology challenges facing the next decade of compute. Security is a vital requirement for everything Arm does, and product security is one of the key quality metrics for products delivered to partners and the wider ecosystem.

Our approach can be represented by the following areas:

 
Tailored Security Development Lifecycle

Arm prioritizes security measures by incorporating security processes at every stage of product creation using our tailored Security Development Lifecycle (SDL). This enables us to identify and mitigate potential risks before they reach a released product.

Dedicated Product Security Incident Response

Arm’s product security extends beyond the development phase. Our Product Security Incident Response Team (PSIRT) continually monitors our products for potential weaknesses and manages both the resolution and the responsible disclosure of vulnerabilities to our partners and the ecosystem.

Independent Product Security Assurance

Our product security assurance function drives continuous improvement of our SDL and Incident Response processes and provides independent assurance of the effectiveness of Arm's product security processes.

Pro-active Community Engagement

We actively work with partners, organizations, and universities to stay at the forefront of best practices and vulnerability research. This collaboration and knowledge sharing enhances our ability to anticipate emerging threats and implement effective security strategies.

Gary Campbell
Gary Campbell, EVP Engineering

Arm’s Product Security

“With the rising complexities in the cyber-threat landscape, it's clear that a robust approach to product security is critical to upholding the stability of the digital ecosystem. At Arm, we've taken this to heart. We've woven security into the fabric of our product development, starting with the Arm architecture through to the inception of a product's design to well after it hits the market. This is testament to how deeply we value not only the security of our own products, but also our partners and the wider ecosystem.”

Arm's Security Development Lifecycle

Embedding security into products throughout the development lifecycle is critical to reducing security risk. Arm has a diversity of products and has created customized methodologies to span design, development, and the verification of architecture, hardware, and software.

 

Arm ensures that engineers working on each product are trained in the customized SDL processes and provided with industry-leading tools to perform threat modeling and capture security requirements. Risk-reduction measures that cover design, verification, and documentation are applied throughout the product development lifecycle.

 

Product Security Development Lifecycle Infographic

Arm's Product Security Incident Response Process

Arm’s Product Security Incident Response Team (PSIRT) follows a clearly defined process for product security vulnerability handling. All potential product security vulnerabilities are managed using a four-phase approach:

 

  • Discover
  • Analyze
  • Resolve
  • Communicate

 

Arm works with researchers, partners, and technology vendors to ensure security vulnerability information is shared in a manner that minimizes the risk of exploit. Coordinated vulnerability disclosure (CVD) practices are followed to help partners and consumers respond effectively when vulnerabilities are disclosed.

 

Arm has a dedicated vulnerability research team that collaborates with the PSIRT to analyze and address security incidents. This team also researches new areas of security to prevent future security vulnerabilities.

 

Head over to the security center on Arm Developer for more information on security notices and our product security incident response process.

 

Product Security Incident Response Process Infographic

 

 

 

Need to raise an incident about an Arm product? Please contact: psirt@arm.com

Lyndon Fawcett,  Director Product Security
Lyndon Fawcett, Director Product Security



“At Arm, product security is an integral part of our culture. Our product security assurance capability provides the oversight so that security remains a priority throughout development and post-release. By adopting a data-driven approach, we continually refine our products and processes, positioning Arm at the cutting edge of security best practice”.

Security Community

Arm is a CVE Numbering Authority (CNA) for Arm-branded products and technologies and Arm-managed open-source projects. This status allows us to assign CVE IDs to newly discovered vulnerabilities within our jurisdiction, providing timely and structured information to the ecosystem.

CVE Program® Logo

Arm is a member of industry and academic communities that are advancing the state of the art in security. This includes working groups addressing hardware, software, and systems security, including within the IEEE, IETF, and MITRE. These memberships help Arm to collaborate with a global network of security experts, share knowledge, and adopt best practices to ensure our products are developed with the highest security standards, while also giving back to the wider community.

Richard Wilson, Head of Quality

Richard Wilson, Head of Quality

“At Arm, our commitment to quality and product security is integral to our product development lifecycle. Arm’s quality policy states our commitment to meeting partners’ security requirements by continually improving our products and services to meet expectations. Our ISO 9001 quality certification encompasses product security, demonstrating our relentless pursuit of excellence.”


Product Security​ Resource Spotlight

Addressing New European Vehicle Security Regulations

Cars are getting smarter and more complex. New European regulation aims to raise standards and protect vehicles from cybersecurity threats. With existing Arm products being deployed in future vehicles, we are helping automotive manufacturers integrate off-the-shelf components into ISO/SAE 21434-compliant designs.

Cybersecurity: The Enabler of Software-Defined Vehicles

Software-defined vehicles don’t just have more applications, they’re online. They therefore experience the same cybersecurity threats as other devices, but have a longer lifespan. See how Arm is providing the architecture and framework to help automotive manufacturers defend against both the threats of today and those of tomorrow.

Securing the AI-Enabled Software-Defined Vehicle: Key Use Cases

As vehicles adopt more third-party software, the code base for programs operating in vehicles is more widely known, increasing risk. Hardware must mitigate the impact of such risk on both the vehicle and its passengers. This article presents three use cases, and Arm’s role in providing the architecture and framework to realize compliant software-defined vehicles.