As discussed in last week’s posting, central to the device maintenance process and keeping devices secure after they’ve been deployed is the ongoing monitoring and managing of CVEs that affect your product components. Therefore, it’s essential to have a clear view of relevant CVEs because there are many moving parts that need to be managed.
Adam Boone: Along those lines, you mentioned monitoring patches and software upgrades as one of the moving parts to be managed in a security maintenance program. What’s the challenge there?
Akshay Bhat: Patch management alone is always challenging, especially if you have a large number of open source components. You need to evaluate when to apply a patch, how the patch affects other components, what testing needs to be conducted, whether a patched component can be backported to earlier versions, and so on.
Continue reading “CVE Monitoring & Management: Timesys’ Akshay Bhat Offers Security Guidance for Embedded Open Source Systems Part 2” »
Timesys’ Director of Engineering, Akshay Bhat, presented a session on Open Source Security at the Embedded Linux Conference North America 2019 in August. For this two-part Q&A interview, our VP of Marketing Adam Boone asked Akshay to share his views on the challenges and best practices for maintaining security in Open Source Embedded System products.
Adam Boone: Why should product developers and engineering managers be familiar with CVEs and make an effort to monitor them?
Akshay Bhat: I think everyone recognizes it is important to bring products to market that are secure and that stay secure throughout their deployment lifecycles.
Continue reading “CVE Monitoring & Management: Timesys’ Akshay Bhat Offers Security Guidance for Embedded Open Source Systems Part 1” »
Every week, more than 300 new vulnerabilities affecting software systems are disclosed by security reporting services such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).
If you develop embedded systems or embedded devices, keeping pace with the constant flood of new vulnerabilities, knowing which directly affect your products, and having the ability to quickly analyze them, is essential in keeping your products secure throughout their lifecycle.
Continue reading “Open Source CVE Monitoring and Management: Learn the Latest at Embedded Linux Conference 2019” »
Poor security of Internet of Things has led the US Federal Government to (again) consider legislation to force makers of IoT devices to improve security.
And the proposed bill comes on the heels of industry concern that IoT attacks against the US power grid are increasingly common and threaten public safety.
This week a bipartisan group of four US senators introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019.” An earlier version of an IoT security bill, introduced in 2017, went basically nowhere.
Continue reading “Here comes the ‘stick’ for IoT security … or can we self-police?” »
Effective product security starts with good product management.
And a good product manager recognizes that product security does not stop with secure design.
Effective security demands monitoring, tracking and acting on vulnerabilities on an ongoing basis throughout the product lifecycle.
A dedicated product management approach to vulnerability management is really the only way to ensure that your end customers are not exposed to breach risk over time.
Continue reading “Is vulnerability management a regular part of your product management? (Spoiler alert: It better be.)” »
System quality requirements have never been higher. But time-to-market pressures have also never been greater. How do you meet one without sacrificing the other?
Embedded systems users expect bug free, responsive and stable applications that provide the best user experience.
The consequence of failing to meet user expectations can result in more than just application abandonment. With the power of social media, it also can quickly lead to a tarnished brand, resulting in lost revenue opportunities from both current and future users.
At the same time, increasing competition and security issues are leading to shorter development and delivery schedules, and quicker deployment of product updates and security fixes. So application failure or releasing a product with major bugs is not an option.
Continue reading “Continuous Testing Delivers Quality with Faster Time-to-Market” »
Some product management decisions are hard. Product managers are constantly weighing trade-offs among time-to-market, functionality, competitive differentiation, development costs and other factors.
But some product decisions seem like no-brainers. Would you bring an IT product to market that puts customers at significantly increased risk of security breaches, privacy violations, potentially massive fines, and lawsuits?
“Of course not. That would be lunacy,” you can imagine the typical product manager as saying. Yet companies are shipping products every day that introduce this sort of risk into customer environments.
Continue reading “The Risks of a ‘Stale, Abandoned’ Product” »
The motivation of hackers sometimes can be plain as day. Other times, not so much.
As attacks on Internet of Things (IoT) devices and deployments escalate, it is important to understand what these attackers are trying to accomplish. Understanding these motives, after all, can help us to pinpoint why a security vulnerability represents a risk, to prioritize mitigation and defenses, and to focus responses to attacks.
Continue reading “Who is attacking IoT? What do they want?” »
This week we announced a new release of our TimeStorm Integrated Development Environment (IDE). TimeStorm 5.3.2 IDE is designed to streamline, simplify and accelerate the development of secure Internet of Things (IoT) and embedded Linux applications.
In an era of heightened awareness of embedded software security and device security risks, product developers need to be able to adopt security best practices without delaying the development and release of new products.
Continue reading “New IDE version produces shorter time-to-market for secure IoT devices and embedded Linux applications” »
Have you been developing embedded devices for years? Are you considering building your first operating system based product and looking at using embedded Linux? You are not alone.
Many companies that have historically been developing MCU based products are now being pushed by market and customer requirements to offer better, more feature-rich and more capable devices. In order to deliver the desired features, many new designs require a combination of MCUs and MPUs. Both of these are used in IoT systems to support cloud, gateway to edge functionality.
Continue reading “Ready to tackle embedded Linux MPU development with Windows … Do you know your options?” »