Securing your embedded system devices is no longer just a final step in product development.
Security today must be a continuous process, a focus at every stage of your software development, release and maintenance cycles.
That’s because today’s vulnerability environment is radically different from the past. Hundreds of vulnerabilities that may or may not affect your products come to light every week.
Which ones pose the greatest risk of a damaging exploit?
Which ones are less pressing and can be addressed later when cycles permit?
Which ones can be safely ignored altogether?
Answering these questions is part of a security technique called “triage” and it’s an essential step in product security. It involves assessing the risk of vulnerabilities and prioritizing how they will be addressed.
Triage was the focus of an in-depth webinar we presented with our partner, NXP. We outlined best practices for managing the security of Yocto-based BSPs supporting NXP-based devices.
Why is triage so important for maintaining secure products?
The reason has to do with managing risk and prioritizing vulnerability mitigation.
Vulnerability Risk Assessment
The risk exposure posed by a given vulnerability for your device depends on a lot of factors.
For example, some vulnerability exploits take advantage of remote device access features. But if your device is air-gapped and not connected to an externally accessible network, or if remote access features are not activated on it, the possibility that such vulnerabilities will be exploited is almost nil.
So the type of connectivity, software update procedures, integration with other systems, software package configuration, and other deployment options will determine whether your device can be compromised by an attacker.
The challenge lies in assessing each of the hundreds of vulnerabilities that are reported each week. The database of Common Vulnerabilities and Exposures (CVEs) maintained by the US government is only one repository of vulnerability data that is constantly being updated.
Considering how many third-party components now exist in the typical BSP, this can be a huge undertaking if you do it manually, comparing each component and version in your product to the vulnerability notifications.
Thankfully, vulnerability filtering can be conducted with a tool such as the Vigiles Vulnerability Monitoring and Management service. Our webinar with NXP includes an overview of how Vigiles filters CVEs based on your product’s Software Bill of Materials (SBOM).
An important aspect of the triage process is the accuracy of the vulnerability information. Less accurate reports result in more time spent on triaging. On this note, many vulnerability detection tools produce false positives, for example flagging your software as exposed when the vulnerability does not actually apply to the version you ship. Our curated Vigiles vulnerability database eliminates the vast majority of false positives thanks to our vulnerability tracking processes.
Once you have filtered out irrelevant vulnerabilities and false positives, you can focus your triage process on analyzing and understanding the level of risk each vulnerability poses to your particular product.
Then you can assess the right order for your team to work on mitigating the vulnerabilities.
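The filtering and ranking steps described above, as an added example that is not Vigiles code or any Timesys tool: it matches a CVE feed against an SBOM, discards entries whose shipped version already contains the fix (the false-positive case) or whose package is not shipped at all, then scales the published CVSS score by a deployment profile (air-gapped or physically locked away) before ordering. The SBOM, CVE records and their ids are constructed sample data; the weighting factors and profile fields are assumptions, not a published scheme.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cve:
    cve_id: str              # constructed placeholder ids, not real CVEs
    package: str
    fixed_in: Optional[str]  # first unaffected version; None = no fix released yet
    cvss: float              # CVSS base score as published
    attack_vector: str       # CVSS v3 AV: NETWORK, ADJACENT, LOCAL or PHYSICAL

def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints, so '1.10.0' compares above '1.9.0' (string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def applies(cve: Cve, sbom: dict) -> bool:
    """False (a false positive for this product) if the package is not shipped or already contains the fix."""
    shipped = sbom.get(cve.package)
    if shipped is None:
        return False
    if cve.fixed_in is None:
        return True
    return parse_version(shipped) < parse_version(cve.fixed_in)

def risk_score(cve: Cve, profile: dict) -> float:
    """Scale the published score by deployment: network-vector CVEs matter little on an air-gapped device."""
    score = cve.cvss
    if cve.attack_vector in ("NETWORK", "ADJACENT") and not profile["network_connected"]:
        score *= 0.1  # assumed weighting, not a published scheme
    if cve.attack_vector == "PHYSICAL" and not profile["physically_accessible"]:
        score *= 0.1
    return round(score, 1)

def triage(cves: list, sbom: dict, profile: dict) -> list:
    """Drop non-applicable CVEs, then order the rest highest adjusted risk first."""
    ranked = [(c.cve_id, risk_score(c, profile)) for c in cves if applies(c, sbom)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample data: an SBOM (package -> shipped version) and a CVE feed.
SBOM = {"curl": "7.79.1", "busybox": "1.33.1", "dropbear": "2020.81"}
CVES = [
    Cve("CVE-EXAMPLE-1", "curl", "7.80.0", 9.8, "NETWORK"),     # shipped < fix: applies
    Cve("CVE-EXAMPLE-2", "busybox", "1.33.0", 7.5, "NETWORK"),  # already fixed: false positive
    Cve("CVE-EXAMPLE-3", "dropbear", None, 6.5, "LOCAL"),       # unfixed, local vector
    Cve("CVE-EXAMPLE-4", "libxml2", "2.9.12", 5.5, "LOCAL"),    # not in SBOM: irrelevant
]
AIR_GAPPED = {"network_connected": False, "physically_accessible": True}
CONNECTED = {"network_connected": True, "physically_accessible": False}
```

Calling `triage(CVES, SBOM, AIR_GAPPED)` puts the unfixed local dropbear issue ahead of the network-vector curl issue, while `triage(CVES, SBOM, CONNECTED)` reverses that order; the busybox and libxml2 entries never reach the work queue.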
The word “triage” in its common definition refers to a hospital emergency room or other setting involving urgent medical care. A disaster or other calamity may cause a large number of injured people to arrive for care simultaneously. Because the number of medical professionals at a facility is limited, the capacity for care can be quickly exhausted in such a situation.
So how do these medical teams make sure attention is paid to those most urgently needing care that can be delivered effectively in that setting? An emergency room cannot simply treat all these people on a “first come, first served” basis because that method does not prioritize patients based on needs and the ability of the facility to address those needs effectively.
So triage is the method used for assessing and ranking issues to prioritize attention and effort.
The same basic concept applies to vulnerability mitigation. If you simply were to go through the mass of vulnerabilities in the order in which they were received, you might make progress with addressing them. But you most likely would not be addressing those posing the most risk in a timely way.
Vulnerability triage then becomes an essential part of vulnerability management. It should take place before anyone is assigned to work on mitigating any vulnerabilities in a given batch of them.
To manage this efficiently, a BSP maintenance process should include tools that enable a team to collaborate on the evaluation and prioritization of vulnerabilities. Our Vigiles service provides the ability to do exactly that, letting a team coordinate and communicate the tasks, findings and plans around identified vulnerabilities.
On August 27, NXP and Timesys conducted a webinar, “Best Practices for Triaging Common Vulnerabilities & Exposures (CVEs) in Embedded Systems” that explored triage best practices further. You can view the on-demand recording here: https://www.nxp.com/design/training/best-practices-for-triaging-common-vulnerabilities-and-exposures-cves-in-embedded-systems:TIP-BEST-PRACTICES-FOR-TRIAGING-COMMON-VUL
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with globally leading semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.