The vulnerability storm continues unabated.
The count of security vulnerabilities has reached another annual record, with six weeks remaining in the calendar year. This week the number of Common Vulnerabilities and Exposures (CVEs) hit 14,722, eclipsing last year’s total of 14,714, according to the tracking totals at CVE Details.
CVEs are being added this year at a rate of more than 300 per week on average. If that pace holds, the total should rise by another 2,000 CVEs by year’s end. This means that the vulnerability rate is nearly triple what it was 10 years ago. What does the continuously rising total mean for companies that develop and bring to market embedded systems in this environment?
Vulnerability Management for Product Developers
From a product line management point of view, vulnerability management entails tracking and responding to vulnerabilities that affect your products, both those still in development and those already on the market. Depending on your particular type of product, this may include continuously monitoring a vulnerability database, tracking security patches issued by component suppliers, and putting mitigations in place to reduce the risk of a vulnerability being exploited.
Strictly speaking, the CVE listing published by MITRE is not a vulnerability database like the NIST National Vulnerability Database or the proprietary vulnerability databases offered by some companies. In contrast to standard vulnerability databases, MITRE’s CVE listing doesn’t contain detailed information about the risk associated with a given vulnerability or its mitigation. Instead, the CVE list acts as an index of known vulnerabilities that lets organizations link those vulnerabilities to the systems that can be affected, so that appropriate mitigation steps, patches and other responses can be planned, coordinated and executed quickly.
You can look at the CVE list as a common repository of vulnerability details that should be the jumping-off point for your more involved vulnerability management process.
Best Practices for More Secure Products
To that end, here are the best practices that our customers follow in vulnerability management:
1. Vulnerability monitoring
Tracking vulnerabilities often involves subscribing to notification lists, monitoring security research websites, and staying up to date on your component vendors’ security disclosures and patching notifications.
With the majority of products on the market incorporating many different software components, including many open source components, this means a lot of data sources need to be tracked and monitored on a continuous basis.
2. Vulnerability filtering
Only a fraction of the vulnerabilities being publicly disclosed will likely apply to your products, so a portion of your vulnerability management process should focus on sifting through the reported security issues to narrow your focus to those that pertain to the components in your products and the affected versions of those components.
Naturally, to properly analyze this, you also need to have a clear and accurate inventory of components in your products, such as a software bill of materials produced by an open source software scan and analysis.
3. Vulnerability assessment
For the purposes of product line management, the process of vulnerability assessment means analyzing your identified vulnerabilities, evaluating the known exploits that take advantage of them, and then assessing the risk and impact of a security breach that could result.
So your assessment will focus on questions such as whether the affected component is exposed to external access and could be exploited by an attacker.
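The filtering and assessment steps above come down to matching a CVE feed against the SBOM of a product and flagging what is actually reachable. The following is an added example, not Timesys code: it assumes an OSV-style affected range per CVE (introduced <= version < fixed), a constructed SBOM with a per-component network-exposure flag, and placeholder CVE identifiers.

```python
import re

# Constructed sample SBOM: component -> shipped version plus whether the
# component is reachable from the network (used for assessment, not filtering).
SBOM = {
    "openssl":  {"version": "1.1.1k",  "network_exposed": True},
    "busybox":  {"version": "1.33.1",  "network_exposed": False},
    "dropbear": {"version": "2020.81", "network_exposed": True},
}

# Constructed sample CVE records with placeholder ids; OSV-style range:
# a version is affected when introduced <= version < fixed (fixed=None: no fix yet).
CVE_FEED = [
    {"id": "CVE-EXAMPLE-0001", "component": "openssl",  "introduced": "1.1.1",   "fixed": "1.1.1l"},
    {"id": "CVE-EXAMPLE-0002", "component": "openssl",  "introduced": "3.0.0",   "fixed": "3.0.1"},
    {"id": "CVE-EXAMPLE-0003", "component": "busybox",  "introduced": "1.30.0",  "fixed": "1.33.0"},
    {"id": "CVE-EXAMPLE-0004", "component": "dropbear", "introduced": "2019.78", "fixed": None},
    {"id": "CVE-EXAMPLE-0005", "component": "libcurl",  "introduced": "7.0.0",   "fixed": "7.80.0"},
]


def version_key(version: str) -> tuple:
    """'1.1.1k' -> ((0,1),(0,1),(0,1),(1,'k')): numbers compare numerically, letter
    suffixes sort after the bare number. Simplified; real ecosystems have their own rules."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Half-open range check: introduced <= version < fixed (open-ended if no fix)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def filter_cves(feed: list, sbom: dict) -> list:
    """Drop CVEs for components not in the SBOM or outside the affected range,
    then annotate the survivors with what the assessment step needs."""
    hits = []
    for cve in feed:
        entry = sbom.get(cve["component"])
        if entry and is_affected(entry["version"], cve["introduced"], cve["fixed"]):
            hits.append({"id": cve["id"], "component": cve["component"],
                         "shipped": entry["version"],
                         "patch_available": cve["fixed"] is not None,
                         "network_exposed": entry["network_exposed"]})
    # Unpatched issues in network-reachable components sort first.
    hits.sort(key=lambda h: (h["patch_available"], not h["network_exposed"]))
    return hits
```

On the constructed data this keeps two of the five records: the unpatched dropbear issue ranks first, the patched openssl issue second, and the busybox record drops out because the shipped version is already past the fix.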
4. Mitigation
Mitigation involves determining how a vulnerability that poses a security risk can be eliminated or addressed on at least a temporary basis to lessen the breach exposure for your customers. This means mitigation may involve modification of a device configuration in production, a security patch or even a customer advisory directing temporary suspension of product usage until a patch is available.
Another consideration is how a device is deployed and the function it serves, such as in a medical device security context. As was illustrated in the recent Medtronic pacemaker security issue, the software update process itself may be the attack vector by which an attacker could exploit a vulnerability. So the mitigation in that case was for the remote product update service to be deactivated until the security patch could be applied.
5. Patch management
Ultimately a large percentage of vulnerabilities result in the product manufacturer or software component maker issuing a security patch. So patch management is an important part of security maintenance and it should be aligned to the rest of your vulnerability management process.
So, for example, the immediate mitigation of a product with a serious security vulnerability representing a high chance of a breach may be to take it out of production deployment until a patch can be applied.
At Timesys we have two decades of experience helping device makers bring their products to market, most recently with Internet of Things (IoT) and similar smart devices. In that time, we have seen embedded system security become more important, with more of our projects focusing on embedded Linux security, IoT security, and open source software security.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with cutting through the continuing storm of vulnerabilities to focus on those that matter to you and your customers.
Our solutions include:
- CVE monitoring: Our CVE monitoring and notification service enables you to filter through the mass of CVE notifications to quickly find those that affect your devices. By focusing on only those that matter, you will be able to be more efficient while reducing the risk that your customers will suffer a security breach.
- Patch management: Timesys Security Vulnerability and Patch Notification Service notifies you about available patches for your device’s embedded open source software components.
Our highly experienced team is standing by to help you to cut through the CVE storm and bring more secure products to market faster.
Contact us today to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.