A Timesys Deep Dive Embedded Systems Newsletter

February 2023

Cybersecurity in the News: "Bringing back the stack attack"

According to the Project Zero team at Google, a complicated bug (CVE-2022-37454) found in the Linux kernel’s memory management (MM) subsystem can “allow a broad spectrum of uncontrolled arbitrary write primitives to achieve kernel code execution on x86 platforms.”

“While it is possible to mitigate this exploit technique from a remote context, an attacker in a local context can utilize known microarchitectural side-channels to defeat the current mitigations.”

Need more info on these vulnerabilities?

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

Take me to the CVE Dashboard

4-Day Crash Course

Timesys hosting the “Sick and Tired of Vulnerabilities” Embedded Linux Yocto Developer SBOM & CVE Webinar Crash Course

Next week, Timesys is excited to host a FREE 4-day crash course webinar series on how to combat false-positive CVEs, bad SBOM data, and a tedious mitigation process! Across the four days, in just 50 minutes each day, we’ll go over:

  • Different SBOM options, how you can generate them, and which methods and formats actually matter for embedded Linux devices
  • How to master the data presented in CVE listings, find all the relevant and related information, know what to look out for in the data that will mess up your process, and keep up with new CVEs
  • A three-step process for prioritizing vulnerabilities with frameworks for efficiently classifying your CVEs, and a workflow that you can use for your initial triage and ongoing maintenance as well
  • And how to leverage automation and see what kind of impact your tool choice has on your process

The 4-day crash course will begin on Tuesday, March 7th. If you miss a day, no worries! We’ll be sending daily recordings of the sessions to anyone that registers along with bonus materials.

You can find out more details about the series and save your free seat below:

Updates Coming Soon

Sneak Peak at Vigiles 1.0 Enterprise Release

In even more exciting news, Timesys will be launching the Vigiles Enterprise 1.0 release next month! The latest update to our industry-leading Software Composition Analysis (SCA) tool includes features such as a Single Sign-On (SSO) functionality, Groups Functionality, Role-Based Access Control, and more. 

Vigiles Enterprise 1.0 will make it easier than ever for your team to collaborate securely within your organization and with external clients. With our new group structure, you’re able to restrict access on a as-needed-basis and with our Role-Based Access Control, you can manage user permissions with ease. 

In addition, Vigiles Enterprise 1.0 comes equipped with the latest LinuxLink features, support for CycloneDX, SPDX, and SPDX-Lite, and a new search feature, providing you with even more powerful analysis tools than before.

Stay tuned for more details on Vigiles Enterprise 1.0 next month!

Learn with Timesys

Yocto Security: Automating compliance using OpenSCAP

How do you automate compliance using OpenSCAP (Security Content Automation Protocol) and how does this help protect your systems from vulnerabilities?

In the following blog, we provide a starting guide for SCAP on embedded/IoT Linux devices using Yocto project as an example, and review how you can scan your system for compliance, interpret SCAP content, and use pre-existing compliance checks and profiles to establish a security baseline.

 

Upcoming Events

Events Around the World You Don’t Want to Miss

4th Annual Medical Device & Diagnostic Cybersecurity Conference

Sheraton Brussels Airport Hotel, Belgium

March 1 – 2

For the fourth year in a row, this dual-track conference features exclusive dedicated interactive sessions that will provide new insights and latest development on medical device software, safety, and security. Join Timesys for an exciting roundtable discussion on how to rethink and overcome cybersecurity challenges!

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

March 23 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks 
– How to generate an accurate SBOM (Software Bills of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!

 

Subscribe to our newsletter so you don’t miss a thing.