The Yocto Project is well known for enabling product developers to quickly and easily customize Linux for Internet of Things (IoT) devices and other embedded systems. But today’s environment is marked by heightened security concerns, skyrocketing vulnerability reports, and high-profile security breaches.
Getting your embedded system product to market fast is important. But getting to market fast without a secure design and a plan for managing future vulnerabilities is a huge mistake. If you design, build and support products with embedded Linux using Yocto, it’s important to evaluate the security of your system from the point of view of the end customer who will deploy it.
Are you designing with security in mind?
Enterprises deploying IoT and similar embedded systems, such as industrial controls, often view security through the “CIA” prism. That means they consider:
- Confidentiality — can I ensure the privacy of the data my systems are processing or storing, especially when the data must be protected by law?
- Integrity — can I prevent data from being manipulated by unauthorized people, or detect when manipulation has taken place?
- Availability — can I ensure that my systems will make my enterprise data available and accessible when it is needed?
So enterprise IT managers who deploy and manage your devices and systems are most interested in ensuring those products provide the necessary tools and features for meeting these CIA requirements.
That seems simple enough in theory. We’ve worked with developers bringing thousands of products to market with more secure designs, capturing the industry’s Secure By Design best practices.
Timesys was a founding member of the Yocto Project. Our Yocto Café services and support enable you to accelerate your design and development projects using Yocto tools while giving you access to secure design strategies.
But what happens when the volume of vulnerabilities explodes, as we are witnessing today? How do you track, analyze and respond to vulnerabilities that apply to your devices in production? How do you cut through the “vulnerability storm”?
Coping with the Vulnerability Explosion
As of this writing in October, the number of vulnerabilities reported in 2018 has reached 14,127, almost the same level as for all of 2017, according to CVE Details. And 2017 was a record year, more than doubling the number of vulnerabilities in 2016, based on the tally of Common Vulnerabilities & Exposures reported in the US National Vulnerability Database.
You would need to monitor and analyze almost 40 CVEs every single day (including weekends) to keep up with this volume.
CVE volumes of this magnitude create a challenge for vulnerability management. How can you expect to effectively address the vulnerabilities that may affect your devices and put your customers at risk of compromise?
The problem only gets worse as device deployments grow in size and number.
Just as vulnerability counts have exploded, the number of smart devices containing embedded systems has ballooned in recent years. A vulnerability may affect thousands upon thousands of devices in deployment.
This is why Internet of Things device security has become a matter of increasing urgency. At Timesys, we work with leading device makers to implement the best practices for designing security into their systems and maintaining that strong security over the lifecycle of the products.
Vulnerability & Patch Management
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with making embedded products that are designed to be more secure from the outset. This is why product developers turn to us not only for Yocto support but also to ensure strong IoT device security for the resulting products.
But our solutions also enable you to maintain your device’s strong security posture throughout the product lifecycle. Offerings include:
- CVE Monitoring: Our CVE monitoring and notification service enables you to parse through the storm of CVE notifications to quickly analyze and act on those that affect your devices.
- Patch management: Timesys’ Security Vulnerability and Patch Notification Service lets you know about the available patches for your system’s embedded open source software components.
Together, these service offerings will enable you to focus on the security issues that matter and quickly deploy updates to fix them. The result is a more secure product and reduced risk that your customers will suffer a breach.
Contact us today to learn more about bringing more secure products to market faster.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with globally leading semiconductor manufacturers, providing smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.