ZPE Systems, a leader in the critical infrastructure automation industry, delivers out-of-band management and automation infrastructure with highest level of security. Six of 10 top global tech giants trust ZPE Systems’ hardware and software infrastructure for management, remote access, and automation of critical systems from datacenter to edge. Customers protect critical production infrastructure using ZPE Systems’ solutions, which have undergone a battery of certifications from ISO27001), SOC 2 Type 2, FIPS 140-3, and now Synopsys code quality validation.
Hyperscale computing companies and Fortune 500 enterprises select ZPE Systems for their holistic approach to security — which covers the layers of hardware, software, and cloud. ZPE Systems’ hardware architecture includes signed-encrypted disk, secure boot with proper TPM implementation, and more than a dozen other security features. ZPE Systems’ engineering team also follows development best practices, performs thousands of integrity tests every day, and responds within 24 hours to CVEs.
CIO INFLUENCE News: NAB New York Launches Digital Sustainability Alliance to Combat Data Storage and Computing Impacts
They also follow this ‘security first’ approach when validating third-party libraries. Their high standards have led ZPE Systems to partner with Synopsys to ensure highest level of code quality and security by following the best practices of software development lifecycle (SDLC) with Synopsys’ application security testing (AST) solutions that include:
Coverity: A fast, accurate, and scalable static analysis (SAST) solution that helps teams address security and code quality defects early in the SDLC.
Black Duck Binary Analysis (BDBA): A solution that helps manage security and license risks across the software supply chain, without the need for access to source code. This makes BDBA especially effective in managing third-party libraries, packaged software, and embedded firmware.
Black Duck software composition analysis: A solution that helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers. This helps ensure integrity as third-party solutions are built from source code.
WhiteHat DAST: A dynamic application security testing (DAST) tool that detects exploitable vulnerabilities and provides access to Synopsys’ security experts for deeper interpretation and prioritisation of findings.
The Challenge: Addressing Security Across the Software Development Lifecycle
“Security is the cornerstone of ZPE’s infrastructure management solutions,” says Koroush Saraf, VP of Product Management and Marketing at ZPE Systems. “Our automation platform touches every aspect of our customers critical infrastructure, from networking and firewall gear to servers, smart PDUs, and everything else in their production network. The ZPE portfolio is architected with the strongest security and implemented with the same level of scrutiny.”
ZPE allows IT to manage, secure, and scale a resilient infrastructure through Intel-based serial consoles, services routers, sensors, zero-touch provisioning, and cloud-managed out-of-band automation. Given the critical nature of enterprise networking, security is paramount to ZPE customers.
“With ZPE, customers can remotely manage any device using a separate control plane infrastructure” says Saraf. “It doesn’t matter which vendors they use — they get the same in-depth security, access, and control.” By using this design pattern enterprises gain two additional security capabilities that is now critical to combating ransomware. With ZPE IT can automate infrastructure patching and also recover and revert back to a golden state as needed..
“The average time taken to apply patches and fix vulnerabilities can be more than 205 days,” says Saraf. “This is due to many reasons: limited resources and time, concerns that something may break, or in some cases, admins don’t even know that a critical patch is available. That’s why ZPE takes on the responsibility for customers. They’re assured that the systems running their infrastructure are running the latest, most secure software. And if a patch fails, our built-in undo button reverts to a safe configuration before any damage can be done.”
CIO INFLUENCE News: ZeroFox Renews and Expands 8-Figure Contract with Critical U.S. Federal Agency
Since ZPE Nodegrid equipment is connected to critical IT systems, its natural to see that software security perspective, ZPE’s customers need assurance that due diligence has been taken to prevent potential software security holes in their infrastructure. ZPE brings:
- Static verification
- Dynamic verification
- 3rd-party software verification
- Open source verification
- CVE reduction
“Addressing software security is a layered approach,” Saraf continues. “There’s no magic bullet to combat software security risks. Each tool addresses a particular scenario. For example, static analysis and dynamic analysis are different testing approaches with different benefits. They find different types of vulnerabilities, and they’re most effective in different phases of the software development life cycle. That’s why ZPE has implemented both from the software security market leader, Synopsys.”
Saraf adds, “Like with all modern organisations, ZPE uses a complex mix of proprietary, open source, and third-party software obtained through a variety of sources from the software supply chain. Think third-party libraries, packaged software from ISVs, IoT and embedded firmware, and especially open-source components. In fact, studies show that over three-quarters of the code in any given application is likely to be open source.”
“Also most third-parties won’t provide the source code behind their software,” notes Saraf. “But the question remains whether that supplier is as security conscious as ZPE. Again, we found the solution with Synopsys, which gives us insight into any third-party software we include without requiring access to the source code.”
CIO INFLUENCE News: HITRUST Risk-Based, 2-Year Certification for Lumeon on Third-Party Privacy, Security, and Compliance
The Solutions: Building Comprehensive Security Testing into the ZPE’s SDLC with Synopsys AST
As Saraf notes, different security solutions focus on different aspects of vulnerability detection and risk mitigation. By layering multiple solutions such as static analysis, dynamic analysis, and software composition analysis, ZPE covers a wide range of potential vulnerabilities, ensuring that code quality and security issues are identified at various stages during the software development lifecycle and across different types of code.
Coverity provides the speed, ease of use, accuracy, industry standards compliance, and scalability to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities as code is written, early in ZPE’s development process when it’s easiest to fix. Coverity seamlessly integrates automated security testing into CI/CD pipelines, supports existing development tools and workflows, and can be deployed either on-premises or in the cloud. Coverity Desktop also helps developers catch issues before committing code, so they can learn SAST on the fly and avoid repeating mistakes in the future.
WhiteHat Dynamic is a software-as-a-service (SaaS) dynamic application security testing (DAST) solution that allows businesses to quickly deploy a scalable web security program. No matter how many websites or how often they change, WhiteHat Dynamic can scale to meet any demand. It provides security and development teams with fast, accurate, and continuous vulnerability assessments of applications in QA and production, applying the same techniques hackers use to find weaknesses. Every vulnerability is validated by security experts and augmented by AI, virtually eliminating false positives. This enables ZPE to streamline the remediation process, prioritize vulnerabilities based on severity and threat, and focus on remediation and its overall security posture.
Black Duck helps ZPE identify supply chain security and license risks even when it doesn’t have access to the underlying software’s code. This is a critical security tool for the modern software supply chain. BDBA can scan virtually any software, including desktop and mobile applications, third-party libraries, packaged software, and embedded system firmware. It quickly generates a complete software Bill of Materials (SBOM), which tracks third-party and open source components, and identifies known security vulnerabilities, associated licenses, and code quality risks.
The Results: A Notable Reduction of CVEs
“One of the outcomes from taking a comprehensive, layered approach to security testing has been a notable reduction in CVEs on the systems we deploy,” says Saraf.
“I think a lot of industry players don’t give enough attention to patching CVEs. They wait until after a security incident, or until a customer specifically asks. Unfortunately, it’s normal to see unpatched, outdated software running on critical infrastructure. The Equifax breach of 2017 is just one example that exposed the personal data of millions. It’s a particular problem with IoT and embedded devices — many of those systems get installed and forgotten. But it’s another attack surface, especially if you use the equipment for critical infrastructure automation.”
“ZPE’s goal is to reduce the attack surface of our systems to as close to zero as possible, either by making sure that software vulnerabilities are identified and addressed, and that our software is running the most secure and up to date versions. It’s an ongoing process—what is vulnerability-free today won’t necessarily be so tomorrow—which is why ZPE always stays security-conscious. I think the company’s commitment to security has positioned ZPE as a trusted partner for enterprises seeking secure automation solutions for their critical infrastructure needs.”
CIO INFLUENCE News: Darktrace Introduces Real-Time Cloud-Native Security Solution Using AI
[To share your insights with us, please write to sghosh@martechseries.com]
