As the flood of vulnerabilities continues to rise, attention is turning to how embedded system products can be made more secure.
More than 20 years ago, the concept of security by design was a popular new trend in software development. The focus on baking in security at product design stages was driven by the massive rise in online applications, e-commerce features and other Internet-connected, web-enabled software.
As these systems and applications were deployed and became widespread, the expanding attack surface made them attractive targets for attackers looking to steal user information and financial data. So naturally, the industry’s response was to rethink and reinvent security in the new threat environment. That meant defining best practices for creating more secure applications at the design stage.
Fast forward to today, and there is a resurging interest in designing more secure products.
This time around, the interest is spurred by record-setting numbers of vulnerabilities being reported, the frequent high-profile breaches hitting companies of all types in all sectors, and the significant increase in the numbers and types of smart connected systems in deployment in the Internet of Things (IoT) and related smart product areas. In response to our ever-evolving digital ecosystem, the Biden-Harris Administration recently announced a National Cybersecurity Strategy that focused on secure-by-design principles.
These forces are combining to drive renewed interest in “security by design” as a concept and, more specifically, how secure design principles can be applied to the development of IoT devices, smart devices, and other embedded systems.
To put numbers on it, publicly disclosed vulnerability counts in 2018 were running at seven times what they were 15 years ago. According to Statista, “in 2022, internet users worldwide discovered over 25 thousand new common IT security vulnerabilities and exposures (CVEs), the highest reported annual figure to date.” The rising volume of Common Vulnerabilities and Exposures (CVEs) alone should be reason enough for every device and embedded system developer to take a hard look at improving system security.
How can “Secure by Design” principles help?
Over the past 20 years, our team at Timesys has helped device makers, embedded system developers, and others to bring their products to market more efficiently. Along the way, we have seen a range of best practices for making products more secure at the design stages, including the following four.
1) Secure Boot
Is your system protected against attackers introducing malicious code into the boot process? Secure boot will verify software authenticity before it is executed, blocking this common attack vector used to compromise systems in an essentially undetectable way.
An effective secure boot process will establish a chain of trust that verifies software authenticity from the bootloader up to user applications.
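The chain of trust described above can be sketched as follows. This is an added example, not Timesys code: it uses a SHA-256 hash chain as a simplified stand-in for the signature checks a real secure boot implementation performs, and the stage names, payloads and function names are assumptions made for illustration.

```python
import hashlib
import hmac

def image_digest(image):
    # Covers the payload AND the embedded digest of the next stage, so neither
    # can be changed without changing this image's own digest.
    return hashlib.sha256(image["payload"] + image["next_digest"].encode()).hexdigest()

def build_chain(stages):
    """Build images back to front; each one embeds the digest of its successor.
    Returns (images, root_digest). The root digest stands in for the value a
    device would hold in immutable storage (ROM or fuses)."""
    images, next_digest = [], ""
    for name, payload in reversed(stages):
        image = {"name": name, "payload": payload, "next_digest": next_digest}
        next_digest = image_digest(image)
        images.insert(0, image)
    return images, next_digest

def verified_boot(images, root_digest):
    """Verify each stage before 'executing' it; stop at the first mismatch."""
    expected, booted = root_digest, []
    for image in images:
        if not hmac.compare_digest(image_digest(image), expected):
            return booted, "halt: " + image["name"] + " failed verification"
        booted.append(image["name"])
        expected = image["next_digest"]
    return booted, "ok"

# Constructed sample stages (placeholder byte strings, not real firmware).
STAGES = [("bootloader", b"BL v1"), ("kernel", b"KERNEL v1"),
          ("rootfs", b"ROOTFS v1"), ("application", b"APP v1")]

def demo():
    images, root = build_chain(STAGES)
    clean = verified_boot(images, root)
    # Case 1: kernel payload modified in storage.
    tampered = [dict(i) for i in images]
    tampered[1]["payload"] = b"KERNEL v1 + implant"
    case1 = verified_boot(tampered, root)
    # Case 2: the stored digest in the bootloader is also rewritten to match.
    tampered[0]["next_digest"] = image_digest(tampered[1])
    case2 = verified_boot(tampered, root)
    return clean, case1, case2

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the second case the failure moves up to the bootloader itself, which is why the first link has to be anchored in storage that cannot be rewritten.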
2) Device Vulnerability Assessment
An essential part of secure design for embedded systems is to assess your product’s attack surface and find ways to reduce it. This calls for what amounts to a vulnerability assessment that takes into account the vectors an attacker could use to get into the system, manipulate and control it, and extract data from it.
This assessment should also evaluate the components making up your system and any published vulnerabilities that pertain to them. Conducting a thorough assessment requires a comprehensive software bill of materials that includes an open source software inventory.
3) Device Hardening
The next step after assessing your device’s attack surface is to focus on the desired security posture. The concept of a security posture is often used to describe how an organization and its IT systems are configured to protect data and processes. When the concept is applied to a device or an embedded system, it often means engaging in “device hardening.” According to Techopedia, “hardening refers to providing various means of protection in a computer system.”
A device hardening project may involve assessing potential avenues of compromise and blocking them by adjusting the device configuration, access controls, connectivity, authentication and other functions. Hardening also involves limiting the damage an attacker could do if they gain unauthorized access to the device.
4) Vulnerability Monitoring & Management
More than 300 vulnerability notifications were being disclosed every week in 2018. From a product design standpoint, it’s important that a product developer can provide patches and software updates in a timely way for customers in production.
That in turn means a product developer should be able to conduct CVE monitoring, focus on the CVEs that affect their systems, and push out mitigation guidance and patches to customers as quickly as possible for high-risk vulnerabilities.
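One way to narrow a CVE feed to the entries that matter, combining the software bill of materials from the vulnerability assessment step with the monitoring described here. This is an added example, not Timesys code: the component names are fictional, the advisory IDs are placeholders, and the record layout and the CVSS threshold of 7.0 are assumptions.

```python
def parse_version(text):
    # Assumption: purely numeric dotted versions; real feeds need a fuller parser.
    return tuple(int(part) for part in text.split("."))

def is_affected(version, advisory):
    """True if version lies in [introduced, fixed); a missing bound is open."""
    v = parse_version(version)
    if advisory.get("introduced") and v < parse_version(advisory["introduced"]):
        return False
    if advisory.get("fixed") and v >= parse_version(advisory["fixed"]):
        return False
    return True

def triage(sbom, advisories, urgent_cvss=7.0):
    """Keep only advisories that hit a shipped component version, worst first."""
    inventory = {c["name"]: c["version"] for c in sbom}
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is None or not is_affected(version, adv):
            continue
        findings.append({
            "id": adv["id"], "package": adv["package"], "shipped": version,
            "upgrade_to": adv.get("fixed"), "cvss": adv["cvss"],
            "priority": "patch-now" if adv["cvss"] >= urgent_cvss else "scheduled",
        })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

# Constructed SBOM and advisory feed: fictional components and placeholder IDs.
SBOM = [{"name": "acme-tls", "version": "1.2.11"},
        {"name": "acme-shell", "version": "1.31.1"},
        {"name": "acme-sshd", "version": "2020.81"}]
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "package": "acme-sshd", "fixed": "2022.83", "cvss": 5.3},
    {"id": "CVE-EXAMPLE-0002", "package": "acme-shell", "introduced": "1.32.0",
     "fixed": "1.33.1", "cvss": 7.5},   # shipped version predates the bug
    {"id": "CVE-EXAMPLE-0003", "package": "acme-tls", "fixed": "1.2.12", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0004", "package": "acme-httpd", "fixed": "2.4.0", "cvss": 9.1},
    {"id": "CVE-EXAMPLE-0005", "package": "acme-shell", "fixed": "1.31.1", "cvss": 8.1},
]

if __name__ == "__main__":
    for finding in triage(SBOM, ADVISORIES):
        print(finding)
```

Of the five constructed advisories only two apply to the shipped versions, which is the filtering step that keeps a weekly feed manageable.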
Try Timesys VigiShield: Secure by Design
Our VigiShield Secure by Design solution will assist you with adopting “secure by design” principles while bringing your secure products to market faster. We have captured the industry’s best practices for embedded system security, embedded Linux security, IoT security and open source software security.
Our VigiShield offerings help you to quickly employ device security features, implement secure boot, harden devices and ensure they can be securely updated for a strong security posture in deployment.
Contact us today to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.