Atredis Partners is an OCP SAFE Security Review Provider

Atredis Partners is an approved Security Review Provider (SRP) for OCP SAFE, the Open Compute Project’s Security Appraisal Framework and Enablement initiative. Atredis has been a part of the OCP Supply Chain working group since 2022 along with other key stakeholders, helping develop the S.A.F.E. methodology, and we were selected as one of the first three SRPs in the program. Our core capabilities and reputation for evaluating complex hardware, firmware, and embedded operating system targets align perfectly with OCP SAFE’s requirements and enable us to assist Device Vendors (DV) with their OCP SAFE assessment objectives.

We are uniquely qualified to help our Device Vendor partners achieve an OCP SAFE designation. Please contact us today to learn more about how we can help.

Our OCP SAFE Assessment Process:

  1. Contact us to begin the assessment process. If possible, provide as much of the scope as you can, along with any timeline restrictions for the assessment. If an NDA is required, we will review and sign promptly.

  2. We will coordinate an introductory scoping call to discuss the applicable scope and areas for review from the list in the next section, below.

  3. We will send you a statement of work based on the scoping call for you to iterate on or countersign. Once the statement of work is signed, we will work with you to determine a time to perform the assessment.

  4. We will perform the engagement and then send you the report for remediation and review.

  5. Once you’ve remediated any findings that you plan to address before publishing the report to the OCP Security Working Group repository, we’ll work with you to prepare the necessary deliverables in the specific format required.

  6. Once you have provided us with the final authorization to publish those deliverables, we will publish them to the repository in accordance with OCP S.A.F.E. requirements.

Areas for Review:

As part of the OCP SAFE assessment, Atredis Partners works with Device Vendors to determine applicable scope and areas for review. The areas for review may include:

Assessment, Testing, and Code Review:

  • Boot Process and Bootloader Security

  • Firmware Update Process

  • End of Life / De-Provisioning / Ability to Securely Re-Provision

  • Cryptographic Security

  • Auditing and Telemetry

  • Debugging and Auditability

  • Secure Management Access

  • Dependencies and Software Supply Chain

  • Hardening and Device Integrity

  • Trusted Execution Environment

  • Root of Trust and Certificate Management

  • Identity Management

  • Volatile and Non-Volatile Storage

Documentation:

  • Build Standards

  • Secure Development Lifecycle

  • Threat Modeling

  • Security Implementation Details

  • Security Compliance

  • Evidence

  • Security Information Details

What is OCP SAFE?

The OCP SAFE program (https://www.opencompute.org/projects/ocp-safe-program) was developed to address the challenges currently faced by device vendors, end users, and third-party security review providers. Its objectives include:
  • Reduce overhead and redundancy of security audits.
  • Provide security conformance assurance to device consumers.
  • Decrease competitive objections that prevent source code sharing for the purpose of robust independent security testing and the dissemination of findings and reports.
  • Increase the number of devices whose firmware and associated updates are reviewed on a continuous basis.
  • Through iterative refinement of review areas, testing scopes and reporting requirements, progressively advance the security posture of hardware and firmware components across the supply chain.