We’re often asked how we go about assuring that our products don’t put our customers’ networks and data at risk. As part of the Ruckus security team, it’s my job to answer that question.
The foundation of our product security posture is a set of proactive measures we take to help ensure our products have up-to-date security patches and provide protection against new vulnerabilities. There are two key measures we employ:
- Source code scanning: We scan our source code repositories and third-party libraries for vulnerabilities. This process helps ensure “clean” source code. The goal is to uncover any potential issues in the third-party open source libraries that some products rely on.
- Product scanning: Once we are ready to ship the product, we conduct a security vulnerability scan using industry-leading security vendors and tools. This process is optimized for each product.
As part of our ongoing effort to improve our security practices, we partner with leading security research firms that enable us to use crowd-sourcing to further enhance our security posture. Using the crowd-sourcing model on a specific platform, we expose our products to a worldwide community of security researchers for evaluation and testing. In this way, we harness the white-hat security community to close vulnerabilities before they can be exploited. As part of this initiative, we run multiple programs with a range of bounties tied to the vulnerability severity level, matching National Institute of Standards and Technology (NIST) ratings.
Vulnerability Disclosure Program
On our website, there is a vulnerability disclosure form where anyone can leave feedback or create a vulnerability disclosure. A submission can be either claimed or anonymous.
The U.S. Federal Government Framework
We believe that some of our existing practices are already in alignment with the future approach and recommendations set out in the Report to the President on Federal IT Modernization (2017). This report states the Federal Government’s commitment to, and a framework for, improved security services and lifecycle management. In the report’s Future State & Objectives section, the Federal Government sets the direction of improving visibility beyond the network level. For this high-level goal, some of the suggestions are establishing a vulnerability disclosure policy and placing systems or applications under a bug bounty program.
Towards an Always-improving Security Posture
At Ruckus Networks, we are leveraging the security research community today to better understand, process and triage information security gaps, security events and potential incidents before they occur. As we move through the process of Federal Government certifications for deployments in sensitive networks, we believe these steps will ensure our compliance with the Federal Government’s security posture requirements.
Our customers’ data and information security are always our #1 priority. We will continue to take proactive measures to ensure our products are safe and customer data remains uncompromised. For more information, visit our security page.