The vulnerability storm continues unabated.
The count of security vulnerabilities has reached another annual record, with six weeks remaining in the calendar year. This week the number of Common Vulnerabilities and Exposures (CVEs) hit 14,722, eclipsing last year’s total of 14,714, according to the tracking totals at CVE Details.
Continue reading “Another record year in vulnerabilities as the CVE storm continues” »
Security of smart devices is getting worse, says a penetration testing expert, who blames suppliers of connected devices that ignore security and privacy issue notifications.
Is the answer more security regulations and laws, or is it better product strategy?
Computer Weekly reported this week on security expert Ken Munro’s comments in a conference presentation in which he blasted many embedded system suppliers for not seeming to care about securing their products.
Continue reading “Will more embedded device makers fix security before massive fines force them to do it?” »
Patch management remains a major headache for enterprises, according to researchers and security experts. With reported security vulnerabilities now climbing into the tens of thousands each year, busy IT departments struggle to identify and analyze the vulnerabilities that apply to their systems, and to manage all the patching needed to mitigate risks.
And the Internet of Things (IoT) poses even greater challenges for patch management.
Continue reading “Patch management for better embedded system security” »
The Yocto Project is well known for enabling product developers to quickly and easily customize Linux for Internet of Things (IoT) devices and other embedded systems. But today’s environment is marked by heightened security concerns, skyrocketing vulnerability reports, and high-profile security breaches.
Getting your embedded system product to market fast is important. But getting to market fast without a secure design and a plan for managing future vulnerabilities is a huge mistake. If you design, build and support products with embedded Linux using Yocto, it’s important to evaluate security of your system from the point of view of the end customer who will deploy it.
Continue reading “Monitoring and managing vulnerabilities for embedded systems built with Yocto” »
A classic security breach vector involves exploiting weak authentication. As security researchers like to point out, failing to change default passwords for administrative access remains the top security issue for all types of IT systems.
But a related — and perhaps more devious — attack vector involves exploiting a weakness in a process that is supposed to help ensure device security in the first place: the remote system update.
Continue reading “Security vulnerabilities and medical devices: when the software update itself is the problem” »
Embedded system products are often deployed by IT managers struggling with a longstanding tradeoff: Should you sacrifice IT performance to make IT more secure?
The performance-or-security tradeoff has been the subject of technology research and industry analysis for many years. The analysis often focuses on issues like network performance or business application performance and how security measures may impede or otherwise affect throughput or access. Continue reading “Embedded system security and the IT performance tradeoff” »
Researchers and the technology media are reporting that the average application now contains more open source software components than proprietary code. And the use of open source components in embedded systems such as Internet of Things (IoT) devices likewise is on the rise.
How is this trend affecting awareness of embedded system security and open source security best practices? If you bring embedded system products to market with open source components, how do these systems affect your customers’ security postures?
To evaluate these questions, it helps to explore how enterprises test and measure the security of IT systems.
Continue reading “Security testing of embedded open source systems creates a stronger enterprise security posture” »
We’re on the verge of setting another annual record in the number of security vulnerabilities being reported. And more and more vulnerability exploits are targeting the Internet of Things.
Botnet exploits are going after IP cameras. Smart home technologies are being hacked. Even children’s toys are being hacked and used for covert surveillance. And in one bizarre case, hackers gained access to a casino’s systems through a smart thermometer in the lobby fish tank.
But these cases raise the question of what really is a vulnerability?
Continue reading “Security vulnerabilities and the Internet of Things” »
The number of security vulnerabilities continues to skyrocket. After setting a record last year, the number of reported Common Vulnerabilities and Exposures (CVEs) is on pace to set yet another record this year.
In 2017, more than 14,000 CVEs were reported, affecting a vast range of devices, systems and applications. So far in 2018, more than 12,000 CVEs have been reported, and if that pace continues, we should move past last year’s record number in the next two months.
Continue reading “Vulnerability management for Internet of Things and embedded systems” »
IoT device security vaulted into the public consciousness in recent years. Media coverage of successful attacks against IoT devices and supporting systems, botnets powered by compromised devices, and a range of other security issues have raised public concern.
But now California is on the verge of enacting the first actual law in the US to mandate IoT device security.
Unfortunately, according to some in the industry, the bill now awaiting the governor’s signature will do little in its present form to improve the security of IoT, or the companies deploying it, or the people using it.
Continue reading “Laying down the law on IoT security” »