Patch management remains a major headache for enterprises, according to researchers and security experts. With reported security vulnerabilities now climbing into the tens of thousands each year, busy IT departments struggle to identify and analyze the vulnerabilities that apply to their systems, and to manage all the patching needed to mitigate risks.
And the Internet of Things (IoT) poses even greater challenges for patch management.
If you develop devices with embedded systems for enterprises, how easy do you make patch management for the end-customers of your products?
Are your patch management support processes for your customers helping to ensure IoT security and cut the risk of data breaches in your customers’ production environments?
Patch Management for Embedded Systems
Part of the patch management challenge naturally is the visibility of the systems and components that are part of the products being deployed in customer environments today. For example, embedded system security best practices require that the software components in these systems are fully inventoried, such as in a software composition analysis producing a Bill of Materials, and that the versions of these components are known and compared against reported vulnerabilities.
Similarly, understanding which patches are available and should be applied for those embedded components, especially when critical security patches are released, is not going to be easy for the typically over-stretched IT staff at an enterprise to tackle on its own.
Here are best practice considerations for a device developer using embedded systems to help end customers improve patch management:
- Monitor vulnerability databases and reports: The Common Vulnerabilities and Exposures (CVE) database and accompanying security vulnerability reports and services should be regularly reviewed for reports about the components contained in a device.
- Assess vulnerability risk: Does the vulnerability pose an immediate threat of compromise for your devices in production deployment? For example, a vulnerability assessment could focus on whether an attacker could easily compromise a device or connected systems in the standard deployment configuration, or whether a successful exploit would be feasible only under rare or unusual circumstances.
- Mitigate and fix: If the vulnerability poses an immediate threat to a customer’s security, then an immediate mitigation notification may be necessary, such as advising customers to take the product out of production deployment temporarily until a patch is available. If the vulnerability does not pose an immediate threat of compromise, then notification of customers of the issue and pending fix, development of a patch and notification of customers of patch availability could be the right steps.
Timesys has been helping device makers bring products to market for the last two decades. We specialize in embedded Linux security, Internet of Things device security and embedded system security for open source software.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions including offerings that can help you to simplify and streamline the patch management process for your products:
- CVE Monitoring: Our CVE monitoring and notification service enables you to parse through the storm of CVE notifications to quickly focus on only those that affect your devices.
- Patch management: Timesys’ Security Vulnerability and Patch Notification Service alerts you when patches become available for your system’s embedded open source software components so that you can rapidly assess the risks and take the right course of action to protect your customers.
Contact us to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.