{"id":117400,"date":"2020-08-11T06:00:03","date_gmt":"2020-08-11T13:00:03","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=117400"},"modified":"2020-08-17T08:32:06","modified_gmt":"2020-08-17T15:32:06","slug":"policy-product-integrity","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/08\/policy-product-integrity\/","title":{"rendered":"Product Integrity Is Paramount: How We Protect and Secure Customers"},"content":{"rendered":"<p><span style=\"color: #ff9900;\"><b><i>The Product Integrity Checklist<\/i><\/b><\/span><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Internal processes and oversight<\/b><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Hardware manufacturing processes<\/b><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Tamper-proof secure delivery of hardware products<\/b><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Third-party testing<\/b><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Vulnerability remediation and disclosure practices<\/b><\/p>\n<p><span style=\"font-weight: 400; color: #ff9900;\">\u2713<\/span> <b>Executive management buy-in<\/b><\/p>\n<p><span style=\"font-weight: 400;\">At Palo Alto Networks, our highest priorities are the integrity of our products and the security of our customers. 
We are dedicated to the needs of our customers and, as a provider of security products, we are aware of the risks facing our government and business customers around the world.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/06\/policy-supply-chain-best-practices\/\"><span style=\"font-weight: 400;\">commitment of Palo Alto Networks to product integrity<\/span><\/a><span style=\"font-weight: 400;\"> was highlighted by the U.S. Department of Commerce\u2019s National Institute of Standards and Technology <\/span><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/white-paper\/2020\/02\/04\/case-studies-in-cyber-scrm-palo-alto-networks-inc\/final\" rel=\"nofollow,noopener\"><span style=\"font-weight: 400;\">(NIST) case study<\/span><\/a><span style=\"font-weight: 400;\"> in February 2020, which presented the end-to-end risk management practiced by Palo Alto Networks as an example of supply chain management best practice. The case study describes how we identify supply chain risks across the entire product lifecycle \u2013 design, sourcing, manufacturing, fulfilment and service \u2013 and act on them proactively to ensure the integrity of our products. We are proud of this report.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We continue to pursue product integrity best practices in several key areas to ensure the quality and integrity of Palo Alto Networks products:<\/span><\/p>\n<h2>Internal Processes and Oversight<\/h2>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks follows a number of internal processes to ensure the integrity of its PAN-OS products. 
In particular:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Software &amp; Firmware Signing: Palo Alto Networks digitally signs all PAN-OS software images and content updates. The NGFW (hardware appliance or virtual) checks and validates these signatures before installation, so that only software and updates that have come from Palo Alto Networks are installed.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure Updates: Palo Alto Networks also delivers all updates over a validated secure channel. When Verify Update Server Identity is enabled, the firewall or Panorama checks that the server from which a software or content package is downloaded presents an SSL\/TLS certificate signed by a trusted certificate authority. This adds a further layer of protection to the communication between firewalls or Panorama and the update server, complementing the signature check on the package itself: the transport check guards against impersonation of the update server, while the package signature guards against altered content.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Software Integrity Checks: PAN-OS performs software integrity checks for tamper detection and software corruption. The check validates that the operating system and data file structure are intact, exactly as delivered by Palo Alto Networks. If it detects software corruption or possible appliance tampering, it generates a System log of critical severity. Since PAN-OS 8.1.3, a failed check also places the appliance in maintenance mode, which stops the device from operating in a potentially compromised state while still allowing the administrator access to the device. 
<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To ensure that new PAN-OS product introductions, ongoing product development and product changes such as bug fixes maintain the integrity of the products, Palo Alto Networks institutes checks and balances to oversee development. These measures include, but are not limited to, restrictions on who may scope and define source code changes, review of new source code through a hierarchy of oversight, and ensuring a \u201cchain of custody\u201d throughout development, testing and Quality Assurance (QA). We also require development managers to review and sign off on all code changes. These controls mitigate the risk of changes to the system that were not specified in the design.<\/span><\/p>\n<h2>Hardware Manufacturing Processes<\/h2>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks next-generation firewalls are manufactured in the United States of America. While manufacturing location does not in itself guarantee secure hardware, it does enable Palo Alto Networks to more easily manage personnel, facility and product security. Importantly, our U.S. manufacturer is ISO 9001 and C-TPAT certified; these programs impose stringent quality management and supply chain security requirements. 
Our supply chain management centres on explicit security requirements and a collaborative relationship with suppliers that gives us a complete view of their security posture.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We regularly decide to forgo suppliers and certain manufacturing locations when they cannot offer the same security assurances, because that is the right decision to protect our products and our customers.<\/span><\/p>\n<h2>Tamper-proof Secure Delivery of Hardware Products<\/h2>\n<p><span style=\"font-weight: 400;\">To detect any tampering with hardware during shipping, Palo Alto Networks asks every customer to verify the following on receipt of each hardware product:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The tracking number provided electronically when the hardware was ordered matches the tracking number physically labelled on the box or crate.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The warranty seals on the device itself show no evidence of tampering.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These checks provide tamper evidence rather than tamper prevention: they let the customer detect interference in transit, so a tracking number mismatch or a broken seal should be raised with Palo Alto Networks before the device is placed into service.<\/span><\/p>\n<h2>Third-party Testing<\/h2>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks products undergo extensive quality assurance and vulnerability testing, both internally and by the third-party laboratories involved in certifying products against the Common Criteria (CC), U.S. Federal Information Processing Standards (FIPS) and other government certification schemes worldwide.<\/span><\/p>\n<h2>Vulnerability Remediation and Disclosure Practices<\/h2>\n<p><span style=\"font-weight: 400;\">All currently supported Palo Alto Networks PAN-OS-based products and services are built to rigorous security assurance standards across every phase of the product lifecycle. 
Our product security assurance practices are based on recognized international standards, including ISO\/IEC 29147:2018 (vulnerability disclosure), ISO\/IEC 30111:2019 (vulnerability handling) and the FIRST PSIRT Services Framework 1.0. A product security incident response team (PSIRT) oversees the receipt, identification, assessment, remediation and verification of security vulnerabilities reported in our products and services, and the publication of the corresponding advisories. We also maintain a public information portal for all of our products covering <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/services\/support\/end-of-life-announcements\/end-of-life-summary\"><span style=\"font-weight: 400;\">End of Life - Software<\/span><\/a><span style=\"font-weight: 400;\">; the <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/services\/support\/end-of-life-announcements\/hardware-end-of-life-dates\"><span style=\"font-weight: 400;\">End of Life - Hardware<\/span><\/a><span style=\"font-weight: 400;\"> summary is also available on our public site. Tracking these dates matters: releases and platforms that have reached end of life no longer receive security fixes. We are deeply committed to helping ensure the safety and security of our customers.<\/span><\/p>\n<h2>Executive Management Buy-In<\/h2>\n<p><span style=\"font-weight: 400;\">The five practices described above are driven by, and have the buy-in of, Palo Alto Networks executive management. Supply chain risk management is a whole-of-company strategy spanning operations, product management and other corporate functions, and strong coordination across them is critical to our success.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As the global cybersecurity leader, the Palo Alto Networks mission is to be the cybersecurity partner of choice, protecting our digital way of life. 
To Palo Alto Networks, being the partner of choice means maintaining a strong supply chain and ensuring the integrity of our products for the ultimate benefit of our customers.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To maintain product integrity, Palo Alto Networks is committed to maintaining best practices in key areas including hardware manufacturing processes.<\/p>\n","protected":false},"author":129,"featured_media":108851,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6769],"tags":[183,1794],"coauthors":[1179,7251],"class_list":["post-117400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-public-sector","tag-nist","tag-supply-chain"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/panw-federal-no_text-linkedin-1200x627-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/117400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/129"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=117400"}],"version-history":[{"count":9,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/117400\/revisions"}],"predecessor-version":[{"id":117511,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/117400\/revisions\/117511"}],"wp:featured
media":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/108851"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=117400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=117400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=117400"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=117400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}