NSP software security summary
DFSEC requirement implementation
The NSP follows Nokia’s Design For Security (DFSEC) process to ensure the security of the NSP product software. The DFSEC defines a framework for delivering secure products based on providing defence-in-depth, while utilizing a continuous secure delivery process based on industry-recognized standards and best practices.
The DFSEC requirements have been assembled by Nokia over several years and are based on Nokia involvement in global standards development, engagement with customers and regulators, participation in industry forums, and the collective experiences of many product development teams. The DFSEC requirements cover general software security, network security, operating system security, information security, database security, application and web-server security, virtualization security, as well as authentication, authorization, and accounting. Requirements compliance is verified at various points throughout the release lifecycle from initial design to delivery.
NSP security testing occurs every release and utilizes tools recommended in the DFSEC process. The security testing includes the execution of vulnerability scans, web application scans, port scans, targeted robustness (aka “fuzzing”) and DoS testing. Security testing is carried out using a mix of commercial and internal tools. The DFSEC also specifies the use of the Nokia Software Vulnerability Management tool, which is used to manage any vulnerabilities that have been found in the third-party libraries used within the NSP product; the tool's functions include:
- the identification and notification of any new vulnerabilities declared against the third-party libraries used,
- tracking the vulnerability assessment and severity assignment, and
- tracking the mitigation activity necessary to eliminate the vulnerability in cases where the vulnerability is not a false positive.
Mitigation of third-party library vulnerabilities is managed through the regular release planning process with priority given to the vulnerabilities that have a critical CVSS v3 score after the vulnerability assessment.
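The following is an added illustration, not Nokia's Software Vulnerability Management tool or any NSP code, of the three tracking activities described above and the CVSS v3 prioritization rule that follows them: advisories are matched against the installed version of each third-party library, each finding is assessed (confirmed or marked a false positive, optionally with a re-evaluated CVSS v3 score), and confirmed findings are queued for mitigation with the highest severity first. The library names, versions, advisory identifiers and scores are constructed placeholders; the severity bands are the qualitative ratings defined by the CVSS v3.x specification.

```python
"""Added example (not Nokia's tool): a minimal model of third-party library
vulnerability tracking -- identify, assess, then queue confirmed findings for
mitigation ordered by CVSS v3 score. All inventory and advisory data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def cvss3_severity(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.x specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ids, not real CVE numbers
    library: str
    affected_from: str      # first affected version (inclusive)
    fixed_in: str           # first fixed version (exclusive bound)
    cvss3: float            # score as published by the advisory source


@dataclass
class Finding:
    advisory: Advisory
    installed: str
    status: str = "new"                      # new | confirmed | false_positive
    assessed_cvss3: Optional[float] = None   # set when the score is re-evaluated

    @property
    def score(self) -> float:
        """The assessed score, when one was assigned, overrides the published score."""
        return self.advisory.cvss3 if self.assessed_cvss3 is None else self.assessed_cvss3

    @property
    def severity(self) -> str:
        return cvss3_severity(self.score)


def identify(inventory: Dict[str, str], advisories: Iterable[Advisory]) -> List[Finding]:
    """Match every advisory against the installed version of its library."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.library)
        if installed is None:
            continue  # library not used in the product
        v = parse_version(installed)
        if parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in):
            findings.append(Finding(adv, installed))
    return findings


def assess(finding: Finding, false_positive: bool, cvss3: Optional[float] = None) -> Finding:
    """Record the assessment outcome and any re-evaluated CVSS v3 score."""
    finding.status = "false_positive" if false_positive else "confirmed"
    finding.assessed_cvss3 = cvss3
    return finding


def mitigation_queue(findings: Iterable[Finding]) -> List[Finding]:
    """Confirmed findings only, highest assessed CVSS v3 score first."""
    confirmed = [f for f in findings if f.status == "confirmed"]
    return sorted(confirmed, key=lambda f: f.score, reverse=True)


# Constructed inventory and advisory feed (placeholder data).
INVENTORY = {"libfoo": "2.4.1", "libbar": "1.0.9", "libbaz": "3.2.0"}
ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "2.0.0", "2.5.0", 9.8),
    Advisory("ADV-0002", "libbar", "1.0.0", "1.1.0", 5.3),
    Advisory("ADV-0003", "libbaz", "3.3.0", "3.4.0", 7.5),  # installed 3.2.0 is below the range
    Advisory("ADV-0004", "libfoo", "2.4.0", "2.4.2", 6.1),
]


def run_example() -> List[Finding]:
    """One full cycle over the constructed data; returns the prioritized queue."""
    findings = identify(INVENTORY, ADVISORIES)
    by_id = {f.advisory.advisory_id: f for f in findings}
    # Assessment outcomes are constructed: ADV-0004 is judged a false positive,
    # ADV-0002 is confirmed with its score re-evaluated in the product's context,
    # ADV-0001 is confirmed at its published score.
    assess(by_id["ADV-0004"], false_positive=True)
    assess(by_id["ADV-0002"], false_positive=False, cvss3=7.2)
    assess(by_id["ADV-0001"], false_positive=False)
    return mitigation_queue(findings)


if __name__ == "__main__":
    for f in run_example():
        print(f.advisory.advisory_id, f.advisory.library, f.installed, f.score, f.severity)
```

The version-range match is deliberately simple (dotted integer components, half-open range); a production tracker would also need to handle vendor-specific version schemes and backported fixes, which is one reason a finding can turn out to be a false positive during assessment.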