Atredis Partners is an OCP S.A.F.E. Security Review Provider

Atredis Partners is an approved Security Review Provider (SRP) for OCP S.A.F.E. (Open Compute Project / Security Appraisal Framework and Enablement). Atredis has been involved with the OCP Supply Chain working group since 2022 along with other key stakeholders, helping guide the development of the S.A.F.E. methodology, and was selected as one of the first approved SRPs in the program. Our core capabilities and reputation for evaluating complex hardware, firmware, and embedded operating system targets align perfectly with the program's requirements and enable us to assist Device Vendors (DV) with their OCP S.A.F.E. goals.

We are uniquely qualified to help our Device Vendor partners achieve an OCP S.A.F.E. designation. Please contact us today to learn more about how we can help.

Our O.C.P. Assessment Process:

  1. Contact us to begin the assessment process. If possible, provide as much of the scope as you can, along with any timeline restrictions for the assessment. If an NDA is required, we will review and sign promptly.

  2. We will coordinate an introductory scoping call to discuss the applicable scope and areas for review from the list in the next section, below.

  3. We will send you a statement of work based on the scoping call for you to iterate on or countersign. Once the statement of work is signed, we will work to determine a time to perform the assessment.

  4. We will perform the engagement and then send you the report for remediation and review.

  5. Once you’ve remediated any findings that you plan to address before publishing the report to the OCP Security Working Group repository, we’ll work with you to prepare the necessary deliverables in the specific format required.

  6. Once you have provided us with the final authorization to publish those deliverables, we publish the deliverables to the repository in accordance with OCP S.A.F.E. requirements.

Areas for Review:

As part of the OCP S.A.F.E. assessment, Atredis Partners works with Device Vendors to determine applicable scope and areas for review. The areas for review may include:

Code Review:

  • Booting and General

  • Attestation

  • Update

  • End of Life / De-Provisioning / Ability to Securely Re-Provision

  • Cryptography

  • Auditing and Telemetry

  • Debug

  • Secure Management

  • Dependencies

  • Hardening

  • Trusted Execution Environment

  • Root of Trust

  • Identity

  • Volatile and Non-Volatile Storage

Documentation:

  • Build Standards

  • Secure Development Lifecycle

  • Threat Modeling

  • Security Implementation Details

  • Security Compliance

  • Evidence

  • Security Information Details

What is OCP S.A.F.E.?

The OCP S.A.F.E. program (https://www.opencompute.org/projects/ocp-safe-program) was developed to address the challenges currently faced by device vendors, end users and third-party security review providers. Its objectives include:
  • Reduce overhead and redundancy of security audits.
  • Provide security conformance assurance to device consumers.
  • Decrease competitive objections that prevent source code sharing for the purpose of robust independent security testing and the dissemination of findings and reports.
  • Increase the number of devices whose firmware and associated updates are reviewed on a continuous basis.
  • Through iterative refinement of review areas, testing scopes and reporting requirements, progressively advance the security posture of hardware and firmware components across the supply chain.