HSDL: A Security Development Lifecycle for hardware technologies

Security assurance is a rapidly evolving but well understood discipline in the software industry. Many firms have adopted the Security Development Lifecycle as a process to identify and fix vulnerabilities in their products before they are released. To do this, they rely on sound software security practices, tools and precise technical information available through a vast collection of publicly known vulnerabilities and exploits. Historically, secure development practices for hardware products have not developed as fast. Only a limited number of methodologies, standards, exploits, and testing tools exist to assist vendors with their security assurance goals. This paper presents a Hardware Security Development Lifecycle at the hardware technology level that has been used on commercial CPUs, chipsets, and SoCs. It describes how a structured flow of analysis and testing activities organized in five phases can accelerate the discovery of security issues in computer hardware products that could be exploited through software or physical attacks. We summarize lessons learned over several years of security evaluation experience that have resulted in a systematic method that can be adapted to make security assurance an integral part of hardware development cycles.