Every week, more than 300 new vulnerabilities affecting software systems are disclosed by security reporting services such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).
If you develop embedded systems or embedded devices, keeping pace with the constant flood of new vulnerabilities, knowing which directly affect your products, and being able to analyze them quickly are essential to keeping your products secure throughout their lifecycle.
At Embedded Linux Conference North America 2019 next week, you’ll have the opportunity to hear from open source embedded software security expert Akshay Bhat during his presentation titled “Open Source CVE Monitoring and Management: Cutting Through the Vulnerability Storm.”
Following is the abstract of Akshay’s presentation.
A key aspect to maintaining device security is monitoring and addressing known vulnerabilities in open source software in a timely fashion. This presentation will help you get started with the process of monitoring CVEs, determining applicability, assessing the severity and finding fixes.
We take a deeper dive into some of the challenges in tracking CVEs due to NVD/MITRE feeds having incorrect/missing data, leading to missed vulnerabilities and a false sense of security. The problem is compounded by inaccuracies in scanning tools and the way fixes are tagged in build systems, resulting in an alarming number of false positives.
We review the CVEs reported by cve-check-tool in Yocto and determine the root cause for inaccuracies. We also discuss techniques for mitigating the issues so that the entire community can benefit. This presentation will enable you to improve your device security posture.
If you are attending Embedded Linux Conference 2019, you can click here to save Akshay’s session to your schedule.
If you’re not attending, be sure to check back soon. We’ll have a post-event wrap-up and discussion of the key takeaways from Akshay’s presentation in part 2 of this post.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.