5 Lessons Learned From the Log4j Vulnerability…and How the Embedded Industry Can Be Better Prepared for the Next One


Log4j has set the security world ablaze. With the first vulnerability (CVE-2021-44228) ranked with a CVSS score of 10 — as high as the scale goes — everyone is paying attention.

It’s true that the embedded world appears to be largely unaffected: having reviewed nearly 50,000 Software Bills of Materials (SBOMs), we found that less than 0.05% of those reviewed use log4j. That said, there are still some major lessons to be learned from this historic vulnerability.

  1. Have an accurate SBOM
    An accurate Software Bill of Materials (SBOM) is your best friend when working in vulnerability management. When news of a new CVE breaks, the quickest way to know whether your device has been affected is to have an accurate SBOM and scan it to determine if you need to take action. And it’s not just a nice-to-have — providing a purchaser with an SBOM is included as part of an executive order from President Biden earlier this year to improve the United States’ cybersecurity.
  2. Track vulnerability lists
    The National Vulnerability Database (NVD) is the largest source for vulnerability tracking, but it’s not the only one, nor is it always quickly updated. Tracking and cross-referencing multiple vulnerability lists is the best way to stay ahead of CVEs. Additional places to track CVE information include, but are not limited to, upstream mailing lists, issue trackers, security bulletins, the Debian/Ubuntu/Red Hat security trackers, and SoC vendor advisories.
  3. Monitor consistently
    An accurate SBOM and knowing which lists to follow are all well and good, but only if you monitor the lists consistently. With approximately 350 new CVEs every week, they must be constantly monitored, ideally with alerts set up for the most critical CVEs.

  4. Consider specialized tools to give you an advantage
    Once you know you’ve been affected by a CVE, the work has just begun. How critical is it? Is there a patch? What CVEs need to be taken care of first? You can find a wide variety of tools for tracking, filtering, triaging, and even remediating vulnerabilities — all of which are needed to keep you one step ahead of cyber attacks. You can find an excellent list of Software Composition Analysis (SCA) tools with real customer reviews from Gartner here.
  5. Have a response plan ready
    Log4j caught a lot of companies by surprise. If this vulnerability has taught us anything, it’s that we need to be ready to respond when — not if — the next one strikes. When the news of the next major vulnerability hits, will you be scrambling for a solution, or will an early alert from your system mean you’re already applying fixes and protecting your customers?
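As an added illustration of lessons 1 through 4 (example code written for this page, not Timesys’ or Vigiles’ code), the script below matches a constructed CycloneDX-style SBOM fragment against a constructed vulnerability record for CVE-2021-44228, using a version comparison that understands log4j’s pre-release tags, and flags hits at or above a CVSS alert threshold.

```python
"""Match an SBOM's components against vulnerability records (added example)."""
import re

# Constructed CycloneDX-like SBOM fragment; not a real device's SBOM.
SBOM = {
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"name": "busybox", "version": "1.34.1"},
    ]
}

# Constructed record in our own format (not NVD's JSON). The affected range for
# CVE-2021-44228, log4j-core 2.0-beta9 up to and including 2.14.1, is public;
# real feeds carry more detail (e.g. excluded back-ported fix releases).
VULNS = [
    {"id": "CVE-2021-44228", "package": "log4j-core", "cvss": 10.0,
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]


def version_key(version):
    """Turn '2.0-beta9' into a sortable tuple; pre-releases sort before finals."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?$", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad '2.0' to '2.0.0'
    if m.group(2):                          # e.g. ('beta', '9') or ('rc', '1')
        return nums + (0, m.group(2), int(m.group(3) or 0))
    return nums + (1, "", 0)                # final release sorts after any pre-release


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed is the first clean release)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def scan(sbom, vulns, alert_cvss=9.0):
    """Return one hit per (component, CVE) match; 'alert' marks critical ones."""
    hits = []
    for comp in sbom["components"]:
        for vuln in vulns:
            if comp["name"] == vuln["package"] and affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                hits.append({"cve": vuln["id"], "component": comp["name"],
                             "version": comp["version"],
                             "alert": vuln["cvss"] >= alert_cvss})
    return hits


if __name__ == "__main__":
    for hit in scan(SBOM, VULNS):
        print(hit)
```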

There are plenty of security scanning tools available on the market, but Timesys Vigiles is the only vulnerability monitoring and remediation tool optimized for embedded. With Vigiles’ curated CVE database, continuous security feed based on your SBOM, powerful filtering, and easy triage tools, it puts you ahead of the curve and poised to take action.

Don’t get blindsided by the next major CVE — try a free 30 day trial of Vigiles Prime today.


Leah Simoncelli is the Digital & Community Engagement Manager at Timesys. Additionally, she runs a global pitch competition for hardware startups with Innovation Works, one of the most active seed stage investors in the country. She has over a decade of experience in marketing, management and communication and holds a BA from American University in Washington, DC.

About Timesys

Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.

Stay in your workflow with Command Line Interface for Timesys’ Embedded Board Farm


Timesys’ Embedded Board Farm (EBF) lets you seamlessly access your hardware boards from anywhere, as if they were right next to you. And we’ve just made it even easier and more convenient by adding our command line interface (CLI).

This provides embedded software engineers with two major benefits:

  1. Stay in your preferred workflow: the EBF CLI allows you to do all your work using your preferred tools (shell, emacs, vim, etc.) without opening a web browser. It allows you to easily open up remote serial debug sessions without having to look up networking information, as if the device was local. Just use your own terminal emulator with all of your preferred settings (colors, fonts, modifier keys, etc.).
  2. Automation: No more mundane steps to slow you down every time you build. You can easily write commands in a script and run a series of commands to automate your work. Want to see how? Take it from Kitty Drake:

The CLI provides access to these Embedded Board Farm functions for automation and for integration with third-party tools such as test automation frameworks like Fuego and CI systems like Jenkins:

  • Device Management
  • Console Access
  • Power Control
  • Hotplug Control
  • GPIO Access
  • Image Management
    • Netboot
    • SDCard Boot
    • USB Boot
  • SDCard and USB
    • Formatting and Partitioning
    • Backup
  • File Upload / Download from Device
  • Command Execution on Device
  • EBF Server File Management

Want to see how the CLI for EBF can enhance your remote work experience? Take a deeper dive into Timesys’ Embedded Board Farm here, and schedule a demo here: www.timesys.com/open-source-embedded/board-farm/#schedule-demo
