As the flood of vulnerabilities continues to rise, attention is turning to how embedded system products can be made more secure.
Almost 20 years ago, the concept of security by design was a popular new trend in software development. The focus on baking in security at product design stages was driven by the massive rise in on-line applications, e-commerce features and other Internet-connected, web-enabled software.
As these systems and applications were deployed and became widespread, the expanding attack surface made them attractive targets for attackers looking to steal user information and financial data. So naturally the industry’s response was to rethink and reinvent security in the new threat environment. That meant defining best practices for creating more secure applications at the design stage.
Fast forward to today, and there is a resurgence in interest in designing more secure products.
This time around, the interest is spurred by record-setting numbers of vulnerabilities being reported and the frequent high-profile breaches hitting companies of all types in all sectors. At the same time, the Internet of Things (IoT) and related smart product areas are significantly increasing the numbers and types of smart connected systems in deployment.
These two forces are combining to drive renewed interest in “security by design” as a concept and, more specifically, how secure design principles can be applied to the development of IoT devices, smart devices and other embedded systems.
Looked at another way, publicly disclosed vulnerability counts in 2018 are running at roughly seven times what they were 15 years ago. The rising volume of Common Vulnerabilities and Exposures (CVEs) alone should be reason enough for every device and embedded system developer to take a hard look at improving system security.
Secure by Design
Over the past 20 years, our team at Timesys has helped device makers, embedded system developers and others to bring their products to market more efficiently. Along the way, we have seen a range of best practices for making products more secure at the design stages. Some of them are:
- Secure boot: Is your system protected against attackers introducing malicious code into the boot process? Secure boot verifies the authenticity of each piece of software, typically by checking a cryptographic signature against a key anchored in hardware, before that software is executed. This blocks a common attack vector: code injected into the boot process runs before any detection mechanism is active, so a compromise there is essentially undetectable from within the system.
An effective secure boot process establishes a chain of trust that verifies software authenticity at every stage, from an immutable root of trust (the boot ROM and a key or key hash held in one-time-programmable memory) through the bootloader and kernel up to user applications. Each stage verifies the next before handing control to it, so an unverified image cannot be introduced at any point in the chain.
- Device vulnerability assessment: An essential part of secure design for embedded systems is to assess your product's attack surface and find ways to reduce it. This calls for what amounts to a vulnerability assessment that takes into account the vectors an attacker could use to get into the system, manipulate and control it, and extract data from it.
This assessment should also evaluate the components making up your system and any published vulnerabilities that pertain to them. A thorough assessment requires a comprehensive software bill of materials (SBOM), including an inventory of the open source components and their exact versions, since published vulnerabilities are reported against specific versions.
- Device hardening: The next step after assessing your device's attack surface is to focus on the desired security posture. The concept of a security posture is often used to describe how an organization and its IT systems are configured to protect data and processes. When the concept is applied to a device or an embedded system, it usually means engaging in "device hardening."
A device hardening project may involve assessing potential avenues of compromise and blocking them by adjusting the device configuration, access controls, connectivity, authentication and other functions (for example, disabling unused network services and debug ports, running services as unprivileged users, and mounting the root filesystem read-only). Hardening also involves limiting the damage an attacker could do if they gain unauthorized access to the device.
- Vulnerability monitoring & management: More than 300 vulnerability notifications were being disclosed every week in 2018. From a product design standpoint, it is important that a product developer can provide patches and software updates in a timely way for customers in production.
That in turn means a product developer should be able to conduct CVE monitoring, focus on the CVEs that actually affect the components and versions in their systems, and push out mitigation guidance and patches to customers as quickly as possible for high-risk vulnerabilities.
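To make the chain-of-trust logic in the secure boot item above concrete, here is an added example (not Timesys code, and not how any particular SoC's boot ROM is implemented). It models a three-stage chain in Python with the standard library only: instead of a signature checked against a public key whose hash is fused into the SoC, the root of trust here is an immutable SHA-256 hash of the first stage, and each verified stage carries the expected hash of the next. The stage names, payload bytes and the `NEXT:` framing are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Added example, not production code. Real secure boot (U-Boot FIT verified
# boot, vendor boot ROMs, etc.) verifies a signature over each stage with a
# public key whose hash sits in OTP fuses. This model anchors the chain at an
# immutable root hash instead; the verify-before-execute logic is the same.


@dataclass(frozen=True)
class Stage:
    name: str
    payload: bytes        # the code that would execute at this stage
    next_expected: bytes  # SHA-256 this stage carries for its successor (b"" for the last)

    def image(self) -> bytes:
        # Everything that gets measured: the payload plus the embedded expectation,
        # so tampering with either changes the stage's own hash.
        return self.payload + b"\x00NEXT:" + self.next_expected


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(payloads):
    """Build stages last-to-first so each can embed the hash of its successor."""
    stages = []
    next_expected = b""
    for name, payload in reversed(payloads):
        stage = Stage(name, payload, next_expected)
        stages.insert(0, stage)
        next_expected = sha256(stage.image())
    return stages  # stages[0] is the first stage after the ROM


class BootFailure(Exception):
    pass


def secure_boot(root_hash: bytes, stages) -> list:
    """Return the names of stages allowed to execute, in order.

    Raises BootFailure at the first stage whose measured hash differs from what
    the previous (already verified) stage, or the root, expected."""
    expected = root_hash
    executed = []
    for stage in stages:
        measured = sha256(stage.image())
        if measured != expected:
            raise BootFailure(f"{stage.name}: measured {measured.hex()[:16]} != expected {expected.hex()[:16]}")
        executed.append(stage.name)
        expected = stage.next_expected
    return executed


# Constructed sample images (stand-ins for the real binaries).
PAYLOADS = [
    ("bootloader", b"u-boot-spl-and-proper"),
    ("kernel", b"zImage+dtb"),
    ("rootfs", b"squashfs-rootfs"),
]
STAGES = build_chain(PAYLOADS)
ROOT_HASH = sha256(STAGES[0].image())  # what would be burned into fuses


def boot_ok() -> list:
    return secure_boot(ROOT_HASH, STAGES)


def boot_with_tampered_kernel() -> str:
    """Swap the kernel payload and keep everything else; boot must stop at 'kernel'."""
    tampered = list(STAGES)
    tampered[1] = Stage("kernel", b"zImage+dtb+implant", STAGES[1].next_expected)
    try:
        secure_boot(ROOT_HASH, tampered)
    except BootFailure as e:
        return str(e).split(":")[0]
    return "booted"


def boot_with_rehashed_kernel() -> str:
    """Swap the kernel and also re-embed its hash in the bootloader.

    The bootloader's own hash then no longer matches the root, so the ROM stage
    refuses it; the attacker cannot extend the chain without owning the root."""
    evil_kernel = Stage("kernel", b"zImage+dtb+implant", STAGES[1].next_expected)
    evil_loader = Stage("bootloader", STAGES[0].payload, sha256(evil_kernel.image()))
    try:
        secure_boot(ROOT_HASH, [evil_loader, evil_kernel, STAGES[2]])
    except BootFailure as e:
        return str(e).split(":")[0]
    return "booted"


if __name__ == "__main__":
    print(boot_ok())
    print(boot_with_tampered_kernel())
    print(boot_with_rehashed_kernel())
```

The two failure cases show why anchoring matters: swapping the kernel alone is caught by the bootloader, and re-embedding a new kernel hash in the bootloader changes the bootloader's own hash, so the root stage refuses it. A hash-anchored chain like this has a practical drawback that real designs avoid with signatures: updating any stage changes the hash every earlier stage must carry, whereas a signed image only requires the verifying stage to hold the vendor's public key.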
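The assessment and monitoring items above both come down to the same operation: matching each component and version in the SBOM against the affected-version ranges in a vulnerability feed and ranking the hits by severity. The following is an added example in Python, not a Timesys tool. The SBOM entries are a constructed inventory, and the feed is a hand-built excerpt with three real OpenSSL CVEs whose affected ranges and CVSS v3 scores are as published in the OpenSSL advisories and NVD; the `from`/`below` range keys and the function names are the example's own.

```python
import re

# Added example, not a Timesys tool. Version scheme handled: dotted numerics
# plus OpenSSL's single-letter patch suffix ("1.0.2o"). Anything else raises
# rather than being silently mis-compared; a real tool needs per-component
# version logic (e.g. Debian/Yocto package revisions).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(v: str) -> tuple:
    """'1.0.2o' -> (1, 0, 2, 0, 15); numeric parts padded to four, suffix last."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(nums[:4]) + (suffix,)


# Constructed feed excerpt. "from" is inclusive, "below" is the first fixed
# version (exclusive), mirroring NVD's versionStartIncluding/versionEndExcluding.
CVE_FEED = [
    {"id": "CVE-2014-0160", "product": "openssl", "cvss3": 7.5,
     "ranges": [{"from": "1.0.1", "below": "1.0.1g"}]},
    {"id": "CVE-2018-0732", "product": "openssl", "cvss3": 7.5,
     "ranges": [{"from": "1.1.0", "below": "1.1.0i"}, {"from": "1.0.2", "below": "1.0.2p"}]},
    {"id": "CVE-2018-0737", "product": "openssl", "cvss3": 5.9,
     "ranges": [{"from": "1.1.0", "below": "1.1.0i"}, {"from": "1.0.2", "below": "1.0.2p"}]},
]

# Constructed image inventory: what an SBOM for one firmware build would list.
SBOM = [
    {"product": "openssl", "version": "1.0.2o"},
    {"product": "busybox", "version": "1.29.3"},
    {"product": "linux", "version": "4.14.70"},
]


def version_in_range(version: str, rng: dict) -> bool:
    v = parse_version(version)
    return parse_version(rng["from"]) <= v < parse_version(rng["below"])


def match_sbom(sbom, feed) -> list:
    """Return one finding per (component, CVE) hit, highest CVSS first."""
    findings = []
    for comp in sbom:
        for cve in feed:
            if cve["product"] != comp["product"]:
                continue
            if any(version_in_range(comp["version"], r) for r in cve["ranges"]):
                findings.append({"id": cve["id"], "product": comp["product"],
                                 "version": comp["version"], "cvss3": cve["cvss3"]})
    findings.sort(key=lambda f: (-f["cvss3"], f["id"]))
    return findings


def high_risk(findings, threshold: float = 7.0) -> list:
    """IDs that clear the triage threshold and should go out as patches first."""
    return [f["id"] for f in findings if f["cvss3"] >= threshold]


if __name__ == "__main__":
    hits = match_sbom(SBOM, CVE_FEED)
    for f in hits:
        print(f"{f['id']}  {f['product']} {f['version']}  CVSSv3 {f['cvss3']}")
    print("push first:", high_risk(hits))
```

Two caveats matter in practice: product names in the SBOM have to be normalized to the feed's naming before matching, and distributions and board support packages often backport fixes without bumping the version string, so a hit on version alone is a candidate to triage, not a confirmed exposure. Tracking which CVE fixes have actually been applied to each component is what turns this list into the mitigation guidance customers can act on.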
Try Timesys TRST
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with adopting “secure by design” principles while bringing your secure products to market faster. We have captured the industry’s best practices for embedded system security, embedded Linux security, IoT security and open source software security.
Our Secure by Design offerings help you to conduct device security assessments, implement secure boot, harden devices and ensure they can be updated for strong security in deployment.
Contact us today to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has worked closely with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.