Keeping the software updated and secure
Our customer was so pleased with the initial work Timesys did that they came back to us for this critically important next step. Because their product is connected to a medical network, it is absolutely essential that it be protected.
They signed up for Timesys’ BSP Lifecycle Maintenance to maintain their Linux OS and BSP, knowing that Timesys performs maintenance in a way that rarely requires changes to the client’s application, and that they’d have the tools they needed for security monitoring.
We provided them with a full array of security and maintenance solutions, including: a private Git repository for the client’s Linux BSP source code, an initial software vulnerability report, one Linux BSP Maintenance Release per year, minor Linux kernel version updates for their board, integration of a meta-timesys-security layer into their custom Yocto to support root filesystem CVE fixes, RFS updates or patches, and documentation for deploying, running, rebuilding, and testing the delivered software.
This is all bundled with Vigiles Prime, a software composition analysis tool for generating on-demand reports of security vulnerabilities present in your Linux BSP. It allows users to assess the level of threat based on vulnerabilities in their specific deployed device with automated monthly security notifications.
Our initial software vulnerability report found 557 vulnerabilities: 63 critical, 227 high severity, 230 medium severity, and 21 low severity. This provides our client with the information they need to identify the most pressing vulnerabilities and take action where needed without wasting time chasing vulnerability ghosts.
The BSP Lifecycle Maintenance package also includes an emergency critical fix in case of a catastrophic security event. Remember the Spectre/Meltdown zero-day exploit? In an event like that, Timesys can integrate an available fix and provide an emergency Linux BSP release.
And finally, Timesys’ BSP Lifecycle Maintenance helps them meet the FDA Guidance for Postmarket Management of Cybersecurity and software lifecycle processes.