Keeping embedded system products secure requires ongoing monitoring and management of Common Vulnerabilities and Exposures (CVEs) throughout the production lifecycle.
With the constant flood of CVEs reported each week, you need to have a process for understanding the exposure of your embedded system devices to cybersecurity exploits. It is important to see how CVEs apply to your product so you can quickly address the vulnerabilities that pose the greatest risk.
During a recent webinar with our partner NXP, we discussed embedded system security and best practices for assessing CVE exposure and prioritizing mitigation through a vulnerability triage process.
If you missed the webinar, you can watch the replay here: https://www.nxp.com/design/training/best-practices-for-triaging-common-vulnerabilities-and-exposures-cves-in-embedded-systems:TIP-BEST-PRACTICES-FOR-TRIAGING-COMMON-VUL
The vulnerability triage process — an essential step in reducing embedded system cybersecurity risk — and the Vigiles Security Monitoring and Management Service offered by NXP were featured in the webinar.
During the event discussion, we received many questions about CVSS scoring and filtering, embedded Linux security, and other aspects of vulnerability monitoring and keeping Yocto-based BSPs secure with Vigiles.
Below are the top three questions asked during the webinar.
Q: Does CVSS apply to vulnerabilities in embedded devices similar to how it applies to web applications?
A: Yes. Common Vulnerability Scoring System (CVSS) scores have long been used to assess security risk in web applications, and they apply in a similar way to embedded systems. When US National Vulnerability Database (NVD) analysts review a new CVE, they assign its CVSS base metrics.
Take the attack vector component of the base metrics as an example: if your device is an IoT device, the network attack vector is important to consider. If the embedded device is air-gapped, the physical and local attack vectors are the important ones. Similarly, for headless devices without any local user access, local attack vectors can be ignored. Such filtering can be done using Vigiles.
In addition, the base metrics capture the CVE's impact on confidentiality, integrity and availability. Depending on your product and organizational requirements, you can set the environmental metrics for the CVE to derive a custom CVSS score that better reflects the risk and severity for your product. Tools like Vigiles can help with this.
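The two steps just described, filtering CVEs by the attack vectors that can actually reach a device and recomputing a custom score from environmental metrics, can be demonstrated with the published CVSS v3.1 equations. The following is an added example, not code from Vigiles, NXP or Timesys; the device profiles, the `triage()` helper and the `CVE-EXAMPLE-*` records are constructed for illustration, while the metric weights and `roundup()` follow the FIRST CVSS v3.1 specification.

```python
"""Added example (not Vigiles or NXP code): CVSS v3.1 base and environmental
scoring plus an attack-vector filter driven by a constructed device profile."""
import math

# CVSS v3.1 numeric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}    # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}                   # CR / IR / AR
EXPLOIT = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}  # E
REMED = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}    # RL
CONF = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}                # RC

# Constructed device profiles following the reasoning in the answer above:
# which attack vectors can reach the device at all. Adjust to your own product.
DEVICE_PROFILES = {
    "iot_connected": {"N", "A", "L", "P"},  # reachable over the network and locally
    "air_gapped": {"L", "P"},               # no network path: only local/physical matter
    "headless_networked": {"N", "A"},       # no local user access: ignore local/physical
}


def roundup(x):
    """CVSS v3.1 Roundup(): round up to one decimal with the spec's integer guard."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    prefix, *metrics = vector.split("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("only CVSS v3.x vectors are supported: " + vector)
    return dict(m.split(":") for m in metrics)


def _score(av, ac, pr, ui, s, c, i, a, req=(1.0, 1.0, 1.0), modified=False):
    """Shared core of the base (modified=False) and environmental (modified=True) equations."""
    cr, ir, ar = req
    iss = 1 - (1 - cr * CIA[c]) * (1 - ir * CIA[i]) * (1 - ar * CIA[a])
    if modified:
        iss = min(iss, 0.915)  # MISS cap from the environmental equation
    if s == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[s][pr] * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(total if s == "U" else 1.08 * total, 10))


def base_score(m):
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])


def environmental_score(m, env):
    """env holds CR/IR/AR, E/RL/RC and any modified metric (MAV, MC, ...); absent or 'X' = not defined."""
    pick = lambda mod, base: m[base] if env.get(mod, "X") == "X" else env[mod]
    req = tuple(REQ[env.get(k, "X")] for k in ("CR", "IR", "AR"))
    inner = _score(pick("MAV", "AV"), pick("MAC", "AC"), pick("MPR", "PR"), pick("MUI", "UI"),
                   pick("MS", "S"), pick("MC", "C"), pick("MI", "I"), pick("MA", "A"),
                   req=req, modified=True)
    if inner == 0.0:
        return 0.0
    temporal = EXPLOIT[env.get("E", "X")] * REMED[env.get("RL", "X")] * CONF[env.get("RC", "X")]
    return roundup(inner * temporal)


def triage(cves, profile, env=None):
    """Drop CVEs whose attack vector cannot reach the device, score the rest, sort by custom score."""
    env = env or {}
    relevant = DEVICE_PROFILES[profile]
    rows = []
    for cve_id, vector in cves:
        m = parse_vector(vector)
        if m["AV"] not in relevant:
            continue  # filtered out for this device profile
        rows.append({"id": cve_id, "av": m["AV"], "base": base_score(m),
                     "custom": environmental_score(m, env)})
    return sorted(rows, key=lambda r: r["custom"], reverse=True)


# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # base 9.8
    ("CVE-EXAMPLE-0002", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # base 7.8
    ("CVE-EXAMPLE-0003", "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # base 4.6
    ("CVE-EXAMPLE-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # base 7.5
]

if __name__ == "__main__":
    # Headless gateway: confidentiality of low importance, availability critical,
    # only proof-of-concept exploit code known, official fix available.
    env = {"CR": "L", "AR": "H", "E": "P", "RL": "O", "RC": "C"}
    for row in triage(SAMPLE_CVES, "headless_networked", env):
        print(row)
```

With the `headless_networked` profile the two local/physical CVEs are filtered out before scoring, and the confidentiality-only CVE-EXAMPLE-0004 drops from a base score of 7.5 to a custom score of 5.1 once the environmental metrics say confidentiality matters little and a fix is already available. This is the kind of re-ranking the answer refers to; a tool like Vigiles applies it across a whole BSP rather than one vector at a time.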
Q: How is Vigiles different from the Yocto Project cve-check tool?
A: The Yocto Project cve-check tool allows for rudimentary security checks on the BSP. Unfortunately, cve-check lacks accuracy and coverage and is therefore not recommended for a comprehensive, accurate security assessment.
Vigiles uses multiple security feeds in addition to the NVD, and a security team curates the information to reduce false positives and improve coverage. When we compared Vigiles with Yocto cve-check, we found more than 40% of the security information either missing from or reported incorrectly by cve-check.
Further, Vigiles is a complete end-to-end vulnerability management tool that provides:
- Email alerts for new vulnerabilities based on your preferred frequency.
- Intuitive prioritization and filtering mechanisms (kernel/U-Boot config filter, attack vector filter, CVSS filter, etc.).
- Complete vulnerability management workflow: history; exported reports in .pdf, .xls, and .csv formats; custom notes; whitelist, and comparison between builds/reports.
- Team collaboration/sharing.
- Links to applicable patches and recommended minimum version upgrades with the relevant fixes.
None of the above is possible with the Yocto cve-check tool. You can find a full list of Vigiles features at https://www.nxp.com/docs/en/supporting-information/COMPARE-VIGILES-SECUTIRY_MONITORING.pdf
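The "whitelist, and comparison between builds/reports" item in the list above is the workflow step that turns a raw CVE list into an actionable delta between two BSP builds. The following is an added example of that comparison, not Vigiles code and not its report format: the `Finding` record, the `unpatched`/`patched` status values, the package versions and the `CVE-EXAMPLE-*` identifiers are all constructed for illustration.

```python
"""Added example (not Vigiles code): diffing two builds' vulnerability findings
against a whitelist to show what is new, fixed, carried over or accepted."""
from collections import namedtuple

# One finding per (CVE, package); status is "unpatched" or "patched" in this constructed format.
Finding = namedtuple("Finding", "cve package version status")


def diff_reports(previous, current, whitelist=()):
    """Classify open CVEs between two builds into the buckets a triage meeting needs."""
    prev_open = {f.cve for f in previous if f.status == "unpatched"}
    cur_open = {f.cve for f in current if f.status == "unpatched"}
    wl = set(whitelist)
    return {
        "new": sorted(cur_open - prev_open - wl),        # needs triage now
        "fixed": sorted(prev_open - cur_open),            # patched, or gone after a version bump
        "carried": sorted((cur_open & prev_open) - wl),   # still open: check the remediation plan
        "whitelisted": sorted(cur_open & wl),             # accepted risk, e.g. code not built in
    }


# Constructed sample reports with placeholder CVE IDs and versions (not real data).
PREVIOUS_BUILD = [
    Finding("CVE-EXAMPLE-0001", "openssl", "1.1.1k", "unpatched"),
    Finding("CVE-EXAMPLE-0002", "busybox", "1.33.0", "unpatched"),
    Finding("CVE-EXAMPLE-0003", "linux", "5.10.52", "unpatched"),
]
CURRENT_BUILD = [
    Finding("CVE-EXAMPLE-0001", "openssl", "1.1.1l", "patched"),    # fix applied
    Finding("CVE-EXAMPLE-0002", "busybox", "1.33.0", "unpatched"),  # still open
    Finding("CVE-EXAMPLE-0004", "curl", "7.79.1", "unpatched"),     # new in this build
    Finding("CVE-EXAMPLE-0005", "linux", "5.10.72", "unpatched"),   # driver not enabled in the kernel config
]
WHITELIST = ["CVE-EXAMPLE-0005"]  # accepted after review: affected driver is not compiled in

if __name__ == "__main__":
    for bucket, cves in diff_reports(PREVIOUS_BUILD, CURRENT_BUILD, WHITELIST).items():
        print(f"{bucket:12} {', '.join(cves) or '-'}")
```

Note that CVE-EXAMPLE-0003 lands in `fixed` even though no finding for it exists in the current build at all: a version bump that removes a finding is the second way a CVE disappears, and a report diff should surface it so that the team can confirm the fix was real rather than a scanner gap of the kind the cve-check comparison above describes.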
Q: How frequently is vulnerability information updated in the Vigiles database?
A: The Vigiles database is updated daily.
In line with the daily database updates, daily is the most frequent cadence offered for security alert email notifications as part of a Vigiles subscription.
You can learn more about the Vigiles Security Monitoring and Management Service at https://www.nxp.com/support/support/nxp-engineering-services/vigiles-software-keeping-your-linux-bsp-secure:VIGILES.
I encourage you to register for a Vigiles SBOM Manager account, and give Vigiles a try with your BSP at: https://timesys.com/register-nxp-vigiles/
Timesys has extensive experience with embedded system development and lifecycle management, and has worked with leading global semiconductor manufacturers to deliver smart, fast, high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.