The Product Integrity Checklist
✓ Internal processes and oversight
✓ Hardware manufacturing processes
✓ Tamper-proof secure delivery of hardware products
✓ Third-party testing
✓ Vulnerability remediation and disclosure practices
✓ Executive Management Buy-In
At Palo Alto Networks, our highest priorities are the integrity of our products and security of our customers. We are dedicated to the needs of our customers and, as a provider of security products, we are aware of the risks facing our government and business customers around the world.
The commitment of Palo Alto Networks to product integrity was highlighted by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) case study in February 2020, which outlined how Palo Alto Networks uses end-to-end risk management as an example of best practice for supply chain management. This case study identifies and highlights how we inherently identify supply chain risks across our entire product lifecycle – design, sourcing, manufacturing, fulfilment and service – and take proactive action to ensure the integrity of our products. We are incredibly proud of this report.
We continue to pursue product integrity best practice in several key areas to ensure the quality and integrity of Palo Alto Networks products:
Palo Alto Networks undertakes a number of internal processes to ensure the integrity of its PAN-OS products. In particular:
To ensure that new PAN-OS product introductions, ongoing product development and product changes such as bug fixes maintain the integrity of the products, Palo Alto Networks institutes checks and balances to oversee development. These measures include, but are not limited to, restrictions on who scopes and defines source code changes, reviewing new source code with a hierarchy of oversight, and ensuring a “chain of custody” throughout development, testing and Quality Assurance (QA) processes. We also require development managers to review and sign off on all code changes. These checks mitigate the risk of modifications to the system that were not outlined in the design specifications.
Palo Alto Networks next-generation firewalls are manufactured in the United States of America. While manufacturing location does not in itself guarantee secure hardware, it does enable Palo Alto Networks to more easily manage personnel, facility and product security. Importantly, our U.S. manufacturer is ISO 9001 and C-TPAT certified – these standards invoke stringent quality processes to ensure supply chain security. Our supply chain management focuses on security requirements and on a collaborative relationship with suppliers to ensure a complete view of their security posture.
In fact, we regularly make decisions to forgo suppliers and certain manufacturing locations when they cannot offer the same security assurances, and we know it's the right decision to protect our product and our customers.
To ensure that hardware purchased from Palo Alto Networks has not been tampered with during shipping, Palo Alto Networks asks each individual customer to verify the following upon receipt of each hardware product:
Palo Alto Networks products are subjected to significant quality assurance and vulnerability testing both internally and from third-party vendors involved in the certification of products to the Common Criteria (CC), U.S. Federal Information Processing Standards (FIPS) and other global government certifications.
All currently supported Palo Alto Networks PAN-OS-based products and services are designed with the highest security assurance standards in all aspects of a product lifecycle to help deliver highly trusted and secure products. Our product security assurance practices are based on recognized international standards such as ISO/IEC 29147:2018 (vulnerability disclosure), ISO/IEC 30111:2019 (vulnerability handling) and FIRST PSIRT Services Framework 1.0. We have a security incident response team to oversee receiving, identification, assessment, remediation, verification and publication of advisories for security vulnerabilities discovered in our products and services. We also maintain a comprehensive information portal for all of our products that covers End of Life - Software. For our specific hardware, the End of Life - Hardware summary can also be found on our public site. We are deeply committed to helping ensure the safety and security of our customers.
The five practices described above are driven by, and have the buy-in of, Palo Alto Networks executive management. Supply chain risk management encompasses a whole-of-company strategy spanning operations, product management and other corporate functions; strong coordination is critical to our success.
As the global cybersecurity leader, the Palo Alto Networks mission is to be the cybersecurity partner of choice, protecting our digital way of life. To Palo Alto Networks, being the partner of choice means maintaining a strong supply chain and ensuring the integrity of our products for the ultimate benefit of our customers.