VENDORS
    • 13 Dec 2024

    Certifications

    FIPS

    FIPS 140-3, entitled “Security Requirements for Cryptographic Modules”, is a joint United States and Canadian government standard. Modules are validated against it under the Cryptographic Module Validation Program (CMVP), managed jointly by the United States National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (the Cyber Centre), working with an accredited testing laboratory.

    Federal agencies in both the United States and Canada require FIPS 140-2 or 140-3 compliant products for handling sensitive information (United States) or Protected information (Canada); many private-sector organizations adopt the same requirement voluntarily.

    Nodegrid OS is now FIPS 140-3 ready, and its module is in the Coordination phase of the Cryptographic Module Validation Program (CMVP), working with the accredited laboratory Acumen Security. Completion of the process is expected in Q1 2024. More information can be found here: https://zpesystems.com/company/fips-140-3/

    FIPS 140-3 defines a cryptographic boundary, the set of components to which the standard's requirements apply. Our cryptographic boundary is limited to the OpenSSL FIPS provider.

    When FIPS 140-3 is enabled, OpenSSL is configured so that only the base and FIPS providers are loaded; the default provider, which carries the non-approved algorithms, is not activated. All applications that rely on OpenSSL for their cryptographic algorithm implementations therefore operate in compliance with FIPS 140-3; software that implements its own cryptography without OpenSSL is outside this boundary. The OpenSSL base provider implements only non-cryptographic operations such as key and certificate encoding and decoding (format conversion).
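    As an added example (not ZPE's configuration or tooling), the script below shows what an OpenSSL 3.x configuration that activates only the fips and base providers looks like, following the provider layout documented in OpenSSL's fips_module(7) manual page, together with a check a practitioner can run to confirm that no other provider is active and that a non-approved digest such as MD5 is actually refused. The fipsmodule.cnf path is an assumption (the file is generated on the target by `openssl fipsinstall`), and the two `openssl list -providers` outputs embedded in the script are constructed samples used for a self-check.

```shell
#!/bin/sh
# Added example, not ZPE's configuration or tooling: an OpenSSL 3.x
# config that activates only the fips and base providers (layout as in
# OpenSSL's fips_module(7) man page) and an audit of `openssl list
# -providers` output that fails if any other provider is active.
# Assumption: fipsmodule.cnf (generated by `openssl fipsinstall`) is at
# the path below; override FIPSMODULE_CNF for your build.
FIPSMODULE_CNF="${FIPSMODULE_CNF:-/usr/local/ssl/fipsmodule.cnf}"

# write_fips_only_cnf PATH: the default provider is never activated, so
# non-approved algorithms such as MD5 are unavailable to every caller.
write_fips_only_cnf() {
    cat > "$1" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $FIPSMODULE_CNF

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

# fips_sect (activate = 1, module MAC) comes from fipsmodule.cnf.
[base_sect]
activate = 1

[algorithm_sect]
# Prefer FIPS-approved implementations for every algorithm fetch.
default_properties = fips=yes
EOF
}

# audit_providers: read `openssl list -providers` output on stdin and
# succeed only if the active providers are exactly base and fips.
# Provider names are indented by two spaces; their attributes by four.
audit_providers() {
    names=$(awk '/^  [^ ]/ { sub(/^ +/, ""); print }' | sort | paste -s -d ' ' -)
    [ "$names" = "base fips" ]
}

# live_audit: run the audit on this host's OpenSSL and confirm that an
# MD5 digest is refused, as it must be when only fips/base are active.
live_audit() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    if ! openssl list -providers | audit_providers; then
        echo "FAIL: a provider other than base/fips is active" >&2; return 1
    fi
    if printf 'x' | openssl dgst -md5 >/dev/null 2>&1; then
        echo "FAIL: MD5 works, so a non-FIPS provider serves digests" >&2; return 1
    fi
    echo "OK: only base and fips providers are active"
}

# Constructed sample outputs in the `openssl list -providers` format.
SAMPLE_FIPS_ONLY='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'
SAMPLE_DEFAULT_LOADED='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'
audit_sample_fips_only()      { printf '%s\n' "$SAMPLE_FIPS_ONLY" | audit_providers; }
audit_sample_default_loaded() { printf '%s\n' "$SAMPLE_DEFAULT_LOADED" | audit_providers; }

# Self-check on the samples; pass --live to audit the local OpenSSL.
if audit_sample_fips_only; then echo "sample 1: only base+fips active (PASS)"; fi
if ! audit_sample_default_loaded; then echo "sample 2: default provider active (rejected)"; fi
if [ "${1:-}" = "--live" ]; then live_audit; fi
```

    To use it on a real system, write the configuration with `write_fips_only_cnf /etc/ssl/openssl-fips.cnf`, point `OPENSSL_CONF` at that file (or install it as the system openssl.cnf), and run the script with `--live`. The MD5 check is the useful negative control: if it succeeds, the default or legacy provider is being loaded from somewhere, which is exactly the condition that takes an application outside the FIPS boundary described above.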

    FIPS 140-3 supersedes FIPS 140-2. On September 22, 2026, all FIPS 140-2 certificates will be placed on the historical list.

    PCI-DSS

    Nodegrid is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.

    PCI DSS is a set of baseline technical and operational requirements created and maintained by the Payment Card Industry Security Standards Council (PCI SSC) to verify that merchants and service providers appropriately protect cardholder data.

    The certificate of compliance is given in Appendix E (see section Appendices).

    Vulnerability and Penetration tests

    Coverity Scan

    Static Application Security Testing (SAST) is run daily with Synopsys’ Coverity on the Nodegrid OS source code to detect vulnerabilities and defects such as resource leaks, memory leaks and memory corruption, buffer overruns, use after free, incorrect API usage and concurrency issues as soon as they are introduced.

    Findings in the scan report are addressed and fixed promptly, improving the security and resilience of the code. Coverity itself is updated to the latest available version as soon as it is released.

    A sample of scan results for Nodegrid OS is given in Appendix B (see section Appendices).

    Black Duck Scan

    Software Composition Analysis (SCA) and vulnerability scans are run routinely with Synopsys’ Black Duck across our entire supply chain, in both source code and binary form. Even when only binaries are available, it identifies the packages in use along with their dependencies and versions, and produces a report listing the known Common Vulnerabilities and Exposures (CVEs) and Black Duck Security Advisories (BDSAs) affecting them, the license each one adopts, and a comprehensive Software Bill of Materials (SBOM).

    This gives us awareness of vulnerabilities as soon as they are disclosed so that we can fix them quickly, keeps licenses under control and in compliance, and maintains the visibility of the entire software supply chain that software security and risk management depend on.

    Additional CVE Scans

    Additional scanning tools are used alongside Black Duck to scan for Common Vulnerabilities and Exposures (CVEs) on a daily basis. A scan report is issued at every release; a report from a recent version is given in Appendix G (see section Appendices).

    Qualys Vulnerability Scan

    Vulnerability scans are performed daily with Qualys Vulnerability Management, Detection & Response (VMDR) on all development branches. The corresponding reports are saved along with each official release.

    As a vulnerability scanner, Qualys assesses hosts, networks and applications for known weaknesses. Qualys VMDR continuously scans for and identifies vulnerabilities, with a detection accuracy that Qualys states as Six Sigma (99.99966%). Its dashboard gives an overview of the security posture and access to remediation details.

    Copies of the Scan Results are given in Appendix C (see section Appendices).

    Customer Penetration Testing

    In addition to our daily Qualys vulnerability scans, some of our customers perform their own penetration testing. In that case we follow this methodology:

    • We make sure the Nodegrid unit is correctly configured (i.e., hardened and secured according to the steps listed in “How to secure the Nodegrid”).

    • The customer runs the penetration test.

    • Findings are shared with ZPE Systems.

    • Based on these findings, our engineering team either changes the unit's configuration or develops patches, which are included in the next release.

    • The next release, carrying the corrections, is usually available within 2 to 3 weeks.

    Vulnerability Report

    Vulnerabilities found in ZPE applications can be submitted via e-mail or through the PSIRT website. ZPE commits to coordinating with reporters of vulnerabilities as openly and as quickly as possible. More information can be found at: https://psirt.zpesystems.com/portal/en/home

    Security Advisories

    Security advisories are published at https://psirt.zpesystems.com/portal/en/kb/psirt/cve when needed. They may contain:

    • Information about CVEs fixed or detected on ZPE applications

    • Information about CVEs in third-party applications that ZPE cannot or chooses not to fix

    Secure Development Life Cycle

    Nodegrid is developed under a secure software development framework: security is integrated from the earliest stages of development and testing.

    The SSDLC (Secure Software Development Lifecycle) procedures include:

    • All released software is registered, patched, hardened, tested, and supported.

    • We ensure that responsible disclosure clauses are part of contracts and adhered to.

    • We ensure that the software that ships is identical to the software that was evaluated (penetration tested).

    • All Nodegrid OS images released since Nodegrid v5.2 (June 2021) are digitally signed by ZPE. This covers the software, the kernel and the bootloader. Signature checks can be enforced by enabling the Secure Boot feature.

    • All software is penetration tested or otherwise evaluated before roll-out. We perform penetration tests ourselves; in some cases an external party (an integrator or the end customer) carries them out.

    Manufacturing location

    • The devices NSC, NSR, BSR, GSR and LSR are manufactured in Taiwan.

    • The HSR device is manufactured in the Philippines.

    • The MiniSR device is manufactured in Israel.

    • The Nodegrid OS software is developed in the USA.

    • Sensors and accessories are manufactured in the USA.

