Product security
Security is embedded in every product we deliver
Security is embedded in every product we deliver, from the design phase to the deployment and operation phase. We follow a consistent security methodology that aligns with industry standards, customer needs, and best practices, and we continuously monitor and improve our approach across our product lines.
Our security approach adheres to industry best practices and standards. We proactively monitor and enhance our security measures to provide uncompromising security in our products. Post-release, we maintain vigilance through proactive monitoring and updates. Security in the field, installation, and during operations is a shared responsibility demanding close collaboration between Nokia and our customers.
Product security at release
Nokia's Secure Development Lifecycle (DFSEC) is a comprehensive framework designed to integrate security at every stage of product development.
Our DFSEC processes ensure that security considerations are embedded from the initial design phase through the development phase of the product release. DFSEC aims to protect both Nokia's products and its customers by proactively addressing potential security vulnerabilities and threats.
Key Components of DFSEC
Security requirements
Establishing clear security objectives and requirements early in the development process to guide design and implementation.
Threat modeling
Identifying and assessing potential threats to anticipate and mitigate risks effectively.
Secure design
Implementing best practices in secure architecture and design to minimize vulnerabilities.
Secure coding
Adopting coding standards and practices that prevent common security issues, such as buffer overflows and injection attacks.
Security testing
Conducting rigorous testing, including static and dynamic analysis, to identify and rectify security flaws.
Continuous improvement
Regularly updating security practices based on evolving threats and feedback from security audits and assessments.
Product security after release
Security vulnerability management is an integral element of our approach to addressing security risks in products throughout their lifecycle. It involves proactive vulnerability discovery through multiple channels, risk prioritization, and timely resolution.
Product security does not stop at release. New vulnerabilities in third-party software and Free and Open Source Software (FOSS) components used in our products are discovered daily. That is why we have a robust vulnerability management process that aims to identify, assess, and remediate any potential security issues in our products and services.
We employ a multi-faceted approach to vulnerability discovery, including internal verification and proactive monitoring of multiple vulnerability feeds. We work with customers to address vulnerabilities identified through their security operations, and we actively participate in coordinated vulnerability disclosure initiatives and collaborate with security researchers and organizations to share and receive vulnerability information.
Upon discovering a vulnerability, we prioritize and address it based on its severity, impact, and exploitability, ensuring the most critical issues are addressed first. We promptly communicate vulnerability details and remediation steps to our customers and the public through security advisories published on our website and other channels. We provide security patches and updates for our products and services as soon as possible, and we monitor the effectiveness of our remediation actions.
Nokia's PSIRT manages product and service security incidents, coordinates with internal and external stakeholders, and communicates with customers and the public.
We have a dedicated product security incident response team (PSIRT) that is responsible for managing and resolving incidents impacting Nokia’s products.
The PSIRT follows a structured and consistent incident response process that covers the following phases: preparation, identification, containment, eradication, recovery, and lessons learned.
The PSIRT coordinates with other internal and external stakeholders, such as product teams, service teams, customers, suppliers, partners, law enforcement, and regulators, to ensure a timely and effective response.
The PSIRT also communicates the incident details and mitigation actions to our customers and the public through our security advisories and other channels.
Contact us at: security-alert@nokia.com
Hall of fame
Recognition for security vulnerability reporters.
Nokia security advisories
Responsible disclosure of product security vulnerabilities.
As part of our broader product and service security strategy, we follow a structured and transparent Coordinated Vulnerability Disclosure (CVD) process to responsibly manage and disclose security vulnerabilities.
Security researchers are an integral part of our cybersecurity community, and we are thankful to them for helping us improve our services by privately disclosing one or more security vulnerabilities and working with us to address them, making telecommunication networks more secure.
We welcome and encourage the responsible disclosure of potential security vulnerabilities in Nokia products and Nokia-hosted services through our Coordinated Vulnerability Disclosure (CVD) program.
Key Steps:
- Triage and analysis: Product Security Incident Response Team (PSIRT) assesses severity.
- Common Vulnerabilities and Exposures (CVE) assignment: Identifiers are issued per CVE Numbering Authority (CNA) rules.
- Remediation and disclosure: Fixes are developed and shared with affected customers before public release.
- Third-party coordination: Nokia engages vendors directly when vulnerabilities affect external components, using official CVD channels.
- Customer communication: Customers receive pre-disclosure alerts with CVE details and remediation guidance.
Nokia's security advisories provide comprehensive vulnerability information, mitigation steps, and contact details.
Our advisories are the primary source of information and guidance for customers and the public regarding the security of our products and services. They include:
- Vulnerability descriptions
- Affected products and versions
- Impact and risk assessments
- Mitigation and remediation actions
- References and links
- Contact details
Our advisories are regularly updated and accessible.
We urge customers and the public to review our advisories and implement the recommended actions to safeguard their networks and systems.
At Nokia, we are committed to ensuring the security of our products and services, and we continuously strive to improve our security capabilities and performance. We believe that security is a shared responsibility, and we value the collaboration and trust of our customers, partners, suppliers, and the security community.
Together, we can create a more secure and connected world.
Our internally developed tools, integrated with third-party solutions, enable scalable management of DFSEC compliance, vulnerability risks, and open-source licensing.
- DFSEC Compliance Tool (DCT) tracks all product releases and supports adherence to DFSEC processes, regulatory standards, and customer requirements, helping manage both technical and business risks.
- Vulnerability Assessment and Management System (VAMS) is a centralized platform continuously updated with vulnerabilities, primarily from third-party and open-source components. It enables product teams to assess and mitigate risks effectively.
- Free and Open Source Software (FOSS) Tool ensures compliance with open-source license obligations for components used in our products.
Together, these tools provide comprehensive coverage of product security across the development lifecycle.
At Nokia, innovation drives everything we do - including product security.
To drive continuous advancement, we have established a structured innovation program that targets short-, medium-, and long-term improvements. This program brings together teams from across all Nokia departments and business groups, fostering collaboration and alignment on security priorities.
The program is focused on designing and implementing enhanced security processes that promote consistency, effectiveness, and scalability. It also encourages knowledge sharing across Nokia, enabling teams to leverage collective expertise and best practices.
This ongoing program is built as a continuous cycle of improvement, ensuring that our security posture evolves in step with emerging threats and industry developments.
Located in the heart of the US telecommunications industry, Nokia's ASTaR Lab Dallas, established in May 2022, is a groundbreaking facility.
This dedicated end-to-end 5G cybersecurity testing lab is the first of its kind, rigorously testing both Nokia and partner products against real-world attack scenarios using simulated attacks and penetration testing. This rapid threat verification ensures vulnerabilities are addressed swiftly, minimizing potential disruptions and protecting our customers.
The lab also serves as a testing ground for Nokia's own security portfolio. This commitment to proactive security testing demonstrates Nokia's leadership in securing the future of 5G networks.