Security
Determine security ramifications to protect personal data and information
111 Discussions

2023 Intel Product Security Report

IPAS_Security
Employee
‎02-23-2024 08:58 AM
0 0 1,823

Hello,

It’s that time of year again! Today, I am excited to share that Intel is publishing  our 5th annual product security report for calendar year 2023. In the 2022 Intel Product Security Report, we focused on the broad investments the company has made in product security assurance. This year, we put those investments to the test to see how we stack up across in the silicon industry.

In a September 2023 blog post, Intel CEO Pat Gelsinger said “As Intel Corporation works to bring AI everywhere, we recognize that threats to data security, privacy, and even biometrics are a genuine concern.” While Pat highlighted capabilities Intel is delivering, he went on to state: “Product security is not just a nice to have,” and then presented the following challenges to the industry:

  • Find a silicon vendor who takes as many steps and invests as much as we do to deliver more secure and resilient products to developers and customers.
  • To all in the industry – evolve your product assurance practices, incident response, and mitigation to better protect customers’ data and privacy.

“I’m so confident in how we look for potential vulnerabilities and the critical response to any identified that I would put the power of our product security assurance up against our direct competitors.”

Pat Gelsinger, CEO Intel

To back this up, we commissioned ABI Research to conduct an independent study and rate the product security assurance investments and maturity levels of leading silicon vendors. The results? Intel scored highest and ranked #1 across the silicon industry in product security assurance.

IPAS_Security_2-1708705675225.png

Figure 1 Source: ABI Research

To test this further, in this year’s Product Security Report, we conducted a head-to-head analysis of platform firmware vulnerabilities disclosed by Intel and AMD in  2023 and found that the results presented by ABI Research were aligned.

Many in the industry might say that comparing vulnerability counts is not an accurate assessment of overall security posture and we agree. This is why we dig a little deeper to examine the types of vulnerabilities and critical components, such as each company’s Security Processor* to help readers make an informed analysis of their own. At the end of the day, these data points are only one of many indicators of product security assurance investment and maturity. For example, the Intel® CSME team has rigorously applied SDL principles and architectural hardening to achieve amazing results over the last five years (see page 17 of the 2023 Product Security Report).

For the purposes of this competitive report, we looked at platform firmware, defined as firmware that maps to silicon and generally ships as part of a CPU/processor platform (see page 13 of the report for examples). We break the firmware into two primary categories: hardware chain of trust/secure boot features and confidential computing features.

Head-to-Head

  1. AMD had 3x as many platform firmware vulnerabilities in 2023 than Intel.
  2. AMD had over 3.5x as many vulnerabilities in their Chain of Trust/Secure Boot components and features than Intel.
  3. AMD reported 2.5x as many vulnerabilities in their confidential computing components and features than Intel.
  4. When looking at each companies’ security processor technologies, AMD Secure Processor (ASP) saw 22x more firmware vulnerabilities than Intel® Converged Security and Management Engine (CSME).

IPAS_Security_3-1708705675251.png
Figure 2 Source: 2023 Intel Product Security Report


Tune in to Chips & Salsa where myself and CRob provide a summary of the report:

CnS-PSRbannerPLAY.png

 

No product or component can be absolutely secure which is why product security assurance is a journey of continuous improvement that Intel is committed to long-term. For more information on Intel’s approach to product security assurance, visit: https://www.intel.com/content/www/us/en/security/product-security-assurance.html.

 

Regards,

Jerry Bryant
Sr. Director, Incident Response & Security Communications
Intel Product Assurance and Security (IPAS)

 

ABI Research Paper: https://go.abiresearch.com/lp-embracing-security-as-a-core-component-of-the-tech-you-buy


2023 Intel Product Security Report: https://www.intel.com/content/www/us/en/security/product-security-assurance.html

 

*Secure processors are dedicated hardware that form the hardware root-of-trust such as the Intel® Converged Security and Management Engine (CSME) and the AMD Secure Processor.

0 Kudos
About the Author
Intel Product Assurance and Security (IPAS) is designed to serve as a security center of excellence – a sort of mission control – that looks across all of Intel. Beyond addressing the security issues of today, we are looking longer-term at the evolving threat landscape and continuously improving product security in the years ahead.

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.