A giant list of vulnerabilities does little to help you bring more secure products to market.
What matters is how you filter the list, triage the vulnerabilities, and mitigate the ones that pose the greatest risk.
That’s why the new enhancements to our Timesys Vigiles Security Monitoring & Management Service will enable you to develop more secure embedded system products today and maintain stronger product security throughout their lifecycles.
More than 300 new vulnerabilities affecting software systems are disclosed every week by services such as the Common Vulnerabilities & Exposures (CVE) database maintained by the US National Institute of Standards and Technology (NIST).
The huge number of CVEs becomes a problem as hackers look to exploit embedded systems that contain exposed and unfixed vulnerabilities. Gartner reports that attackers are increasingly targeting open source components, essentially getting a foothold earlier in the software supply chain.
This means that downstream product makers who incorporate open source components into their products may be exposing their products and customers to potential compromise.
Vigiles is optimized for vulnerability management and mitigation for embedded systems and will identify CVEs that affect these potentially compromised open source components in your software.
Vigiles automatically filters through the mass of vulnerabilities to enable you to focus on those affecting your products. Features include mitigation collaboration tools and suggested fixes to streamline remediating vulnerabilities.
This week’s Vigiles announcement focuses on:
New Software Composition Analysis (SCA) features
Vigiles’ SCA functionality will automatically generate a Software Bill of Materials (SBOM) for Yocto, Buildroot and Timesys Factory projects.
Now you can understand which open source third-party components are in your products and which vulnerabilities pertain to them. Features include detailed CVE reports, trend reports, summaries and a searchable vulnerability database.
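To make the SCA step concrete, here is an added example (not Vigiles code, and not tied to any Timesys tool) that reads a component manifest in the column layout Buildroot writes to legal-info/manifest.csv, emits a CycloneDX-style SBOM, and matches the components against a vulnerability feed to produce a prioritised list with a suggested fix per finding. The manifest rows, the feed entries and the CVE-EXAMPLE ids are constructed placeholders, and the "fixed_in" field is an assumption about how a feed expresses affected ranges.

```python
"""Generate a minimal SBOM from a Buildroot legal-info manifest and match it
against a vulnerability feed. Added example; not Vigiles code."""
import csv
import io
import json
import re

# Constructed sample in the column layout Buildroot writes to
# legal-info/manifest.csv after `make legal-info`.
MANIFEST_CSV = """\
"PACKAGE","VERSION","LICENSE","LICENSE FILES","SOURCE ARCHIVE","SOURCE SITE","DEPENDENCIES WITH LICENSES"
"busybox","1.31.1","GPL-2.0","LICENSE","busybox-1.31.1.tar.bz2","https://www.busybox.net/downloads",""
"openssl","1.1.1d","OpenSSL","LICENSE","openssl-1.1.1d.tar.gz","https://www.openssl.org/source",""
"zlib","1.2.11","Zlib","README","zlib-1.2.11.tar.xz","https://zlib.net",""
"""

# Constructed vulnerability feed. The ids are placeholders, not real CVEs;
# each record names the affected package, the first fixed version (every
# earlier version is treated as affected) and a severity score.
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "package": "openssl", "fixed_in": "1.1.1e", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0002", "package": "busybox", "fixed_in": "1.31.0", "cvss": 5.3},
    {"id": "CVE-EXAMPLE-0003", "package": "glibc",   "fixed_in": "2.31",   "cvss": 9.8},
]


def version_key(version):
    """Split '1.1.1d' into comparable chunks: numeric parts sort numerically,
    a letter suffix sorts after a bare number in the same position."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def parse_manifest(text):
    """Read the manifest CSV into a list of component dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [{"name": row["PACKAGE"], "version": row["VERSION"],
             "license": row["LICENSE"], "source": row["SOURCE SITE"]}
            for row in reader]


def build_sbom(components):
    """Emit a CycloneDX-style SBOM document (a dict; json.dumps to write it)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "purl": f"pkg:generic/{c['name']}@{c['version']}",
             "licenses": [{"license": {"name": c["license"]}}]}
            for c in components],
    }


def match_vulns(sbom, feed):
    """Return feed entries that apply to a component in the SBOM, highest
    severity first, each annotated with the installed version and a fix."""
    versions = {c["name"]: c["version"] for c in sbom["components"]}
    findings = []
    for vuln in feed:
        installed = versions.get(vuln["package"])
        if installed is None:
            continue  # package is not in the product at all
        if version_key(installed) < version_key(vuln["fixed_in"]):
            findings.append({**vuln, "installed": installed,
                             "suggested_fix": f"upgrade {vuln['package']} to {vuln['fixed_in']}"})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    sbom = build_sbom(parse_manifest(MANIFEST_CSV))
    print(json.dumps(sbom, indent=2))
    for f in match_vulns(sbom, VULN_FEED):
        print(f"{f['id']} {f['package']} {f['installed']} (CVSS {f['cvss']}): {f['suggested_fix']}")
```

Only the OpenSSL entry survives matching: busybox is already at or above its fixed version and glibc is not in the manifest at all, which is the filtering step a raw CVE feed never does for you. A Yocto build produces the same information in a different layout (the license.manifest file under the image deploy directory), so only parse_manifest would need to change.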
Enhanced CVE Remediation
CVE investigation and mitigation are accelerated with Vigiles’ CVE filtering, triage and team collaboration tools. Vigiles filters CVEs based on a project’s Linux kernel configuration and U-Boot configuration, which eliminates CVEs that apply only to features the product does not build. This reduces CVE investigation and triage tasks by 75 percent on average.
CVE remediation is expedited because Vigiles automatically identifies “suggested fixes” such as patches or updates of components that will mitigate vulnerabilities.
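The configuration-based filtering described above can be illustrated with a small added example (not Vigiles code, and not Timesys' method). It parses Kconfig-style .config output, which both the Linux kernel and U-Boot produce, and drops CVEs whose required feature symbols are disabled while keeping everything else for investigation. The .config fragments are constructed, the CVE-EXAMPLE ids are placeholders, the mapping from each CVE to the Kconfig symbols it depends on is an assumption made for the example, and the percentage it reports is computed from that constructed data only.

```python
"""Filter a CVE list by a project's Linux kernel and U-Boot .config so that
only vulnerabilities in enabled features remain. Added example; not Vigiles code."""
import re

# Constructed .config fragments in Kconfig output syntax, which both the
# Linux kernel and U-Boot use.
KERNEL_CONFIG = """\
CONFIG_NET=y
CONFIG_USB=y
# CONFIG_BT is not set
# CONFIG_NFC is not set
CONFIG_NET_SCHED=y
CONFIG_CFG80211=m
CONFIG_LOCALVERSION="-product"
"""

UBOOT_CONFIG = """\
CONFIG_CMD_NET=y
# CONFIG_CMD_USB is not set
CONFIG_FIT=y
# CONFIG_FIT_SIGNATURE is not set
"""

# Constructed CVE records. The ids are placeholders and the mapping from a
# CVE to the Kconfig symbols that must be enabled for it to matter is an
# assumption made for this example; an empty list means core code that is
# always built, so the CVE can never be filtered out by configuration.
CVES = [
    {"id": "CVE-EXAMPLE-1001", "component": "linux", "requires": ["CONFIG_BT"]},
    {"id": "CVE-EXAMPLE-1002", "component": "linux", "requires": ["CONFIG_CFG80211"]},
    {"id": "CVE-EXAMPLE-1003", "component": "linux", "requires": []},
    {"id": "CVE-EXAMPLE-1004", "component": "linux", "requires": ["CONFIG_NET", "CONFIG_NFC"]},
    {"id": "CVE-EXAMPLE-2001", "component": "u-boot", "requires": ["CONFIG_CMD_USB"]},
    {"id": "CVE-EXAMPLE-2002", "component": "u-boot", "requires": ["CONFIG_FIT"]},
]

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map each symbol to its value; 'n' records an explicit 'is not set'."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            config[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            config[m.group(1)] = "n"
    return config


def is_enabled(config, symbol):
    """Built-in ('y') and module ('m') both ship the code, so both count;
    a symbol absent from the .config is treated as disabled."""
    return config.get(symbol, "n") in ("y", "m")


def triage(cves, configs):
    """Split CVEs into those still in scope and those filtered out.
    `configs` maps component name -> parsed .config."""
    in_scope, filtered = [], []
    for cve in cves:
        config = configs.get(cve["component"])
        if config is None:
            in_scope.append(cve)  # no config known: keep it, never drop blindly
            continue
        disabled = [s for s in cve["requires"] if not is_enabled(config, s)]
        if disabled:
            filtered.append({**cve, "reason": "disabled: " + ", ".join(disabled)})
        else:
            in_scope.append(cve)
    return in_scope, filtered


def reduction_percent(cves, configs):
    """Share of the list removed by configuration filtering."""
    _, filtered = triage(cves, configs)
    return 100.0 * len(filtered) / len(cves) if cves else 0.0


if __name__ == "__main__":
    configs = {"linux": parse_kconfig(KERNEL_CONFIG), "u-boot": parse_kconfig(UBOOT_CONFIG)}
    kept, dropped = triage(CVES, configs)
    for cve in kept:
        print("investigate", cve["id"], cve["component"])
    for cve in dropped:
        print("filtered   ", cve["id"], cve["reason"])
    print(f"{reduction_percent(CVES, configs):.0f}% of the list filtered out")
```

Two design points matter for a triage tool like this: a module build ('m') still ships the vulnerable code, so it must count as enabled, and a CVE with no known configuration dependency, or a component with no configuration on file, stays in scope rather than being silently discarded.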
Developer-Driven CVE Mitigation
The latest enhancements of Vigiles enable broader integration with embedded system software development tools. The SBOM management feature provides end-to-end workflow support for developer-driven vulnerability tracking, investigation and fixing.
These enhancements ensure products are developed using the most up-to-date components at the outset. Security is more efficient because Vigiles’ CVE detection and mitigation features enable your development team to focus on only the vulnerabilities that matter and address them quickly.
Superior Vulnerability Data
Vigiles delivers superior, highly accurate vulnerability data, augmenting the feed from the National Vulnerability Database (NVD) with multiple additional vulnerability feeds. The Timesys security team curates vulnerability data, which reduces false positives and produces a 40 percent improvement in data accuracy compared to the NVD.
You can receive expedited notification of newly reported vulnerabilities as much as four weeks earlier than from the NVD.
Free Version Available
Vigiles is available in three versions including a free service providing basic vulnerability monitoring. Learn more: https://timesys.com/security/vigiles-vulnerability-monitoring-patch-notification/
NXP Webinar
Developers can learn more about Vigiles during a webinar presented by NXP Semiconductors on Thursday, April 23, 2020. More details and registration at: https://register.gotowebinar.com/register/8752978278724023053
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has worked closely with leading global semiconductor manufacturers, delivering smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.
What about the vulnerabilities that are not listed in the Common Vulnerabilities & Exposures (CVE) database that is maintained by the US National Institute of Standards and Technology (NIST)? How does your software service handle this particular scenario?
Ideally all vulnerabilities should be reported and tracked in the NIST NVD database. There is some recent effort going on to coordinate various databases (see: https://static.sched.com/hosted_files/ossna2022/8e/FutureOfCVE.pdf) to reduce duplication and increase coverage. For the customers who are interested in tracking and fixing vulnerabilities outside of NVD, Timesys offers custom services under our Linux OS / BSP maintenance service (https://www.timesys.com/solutions/linux-os-bsp-maintenance/).