Every week, more than 300 new vulnerabilities affecting software systems are disclosed by security reporting services such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).
These vulnerabilities run the gamut from low-risk security concerns to critical issues. Some can allow an attacker to take control of a company’s IT systems, gain access to sensitive information, or even modify or otherwise compromise critical operational processes and data.
Pressure to bring products to market faster means that more and more products contain open source software components. The question for system developers and manufacturers is how they will ensure that products containing these components remain secure in a constantly evolving threat environment; otherwise they put their end customers at risk of catastrophic security breaches.
Architects and developers of embedded systems, Internet of Things devices and other IT systems using common open source components in their products typically expend many hours and resources in manually monitoring, analyzing and mitigating vulnerabilities.
Even then, many vulnerabilities are not tracked or fixed because of the complexity of matching new and previously found CVEs against all versions and configurations of a product and across all branches of the software.
But today’s heightened threat environment demands a more programmatic, automated approach to vulnerability management and embedded system security.
What to do?
The approaches for monitoring and maintaining product security boil down to four basic choices:
- Do Nothing: Unfortunately, as many industry observers have pointed out, the vulnerability management approach used in practice by many developers of IoT and other products is to do nothing. Ignoring vulnerabilities — or dealing with them only once they become a problem for end customers — is a very bad idea in today’s security environment. It opens your customers up to increased risk and exposes your company to liability.
- Manual Do-it-Yourself (DIY) processes: Some system developers devote extensive time and resources to manually monitoring, reviewing, assessing and fixing vulnerabilities. While better than doing nothing, this approach can consume many cycles of key technical staff. It can also be excruciatingly slow because all the manual filtering, analysis, communication and mitigation planning takes place on an essentially ad hoc basis. And even when a manual process is working well, it can miss many vulnerabilities because of the sheer volume of data to take in and analyze.
- Manual processes augmented by tools: Some open source development resources can provide basic vulnerability scans that can identify CVEs associated with your projects. But testing shows that these systems have low detection rates and so your team is forced to cobble together a range of tools and manual processes to try to develop the most comprehensive and inclusive view of vulnerabilities.
- Vulnerability management automation: This approach recognizes that key aspects of security management are consistent, repeatable steps that can be automated and form the basis of a security management process. For example, the regular periodic collection of vulnerability data, matching that data to identified software components, generating reports and alerts, and identifying patches that address known vulnerabilities are all steps that can be automated. The result is a significant cut in the amount of time technical teams spend monitoring and mitigating vulnerabilities.
Timesys has introduced the Vigiles vulnerability management and patch notification service as the industry’s most advanced offering for automating vulnerability detection and analysis and expediting security patch management and vulnerability mitigation.
Vigiles combines Software Composition Analysis (SCA) techniques with automated vulnerability monitoring features along with powerful collaboration and mitigation tools. The service streamlines embedded system security management by:
- Continuously and automatically scanning thousands of vulnerabilities and identifying those that affect a developer’s specific products via real-time on-demand vulnerability reports and a vulnerability dashboard.
- Allowing a developer to securely load a product manifest that identifies open source software components for security tracking, across all versions and branches.
- Providing collaboration, communications and mitigation planning tools that allow teams to triage, prioritize and work together on fixes to vulnerabilities.
- Automatically suggesting fixes for vulnerabilities based on identified patches for specific components to accelerate mitigation.
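As an added illustration of the automatable steps named above (collecting vulnerability data, matching it to manifest components across configurations, ranking findings and suggesting patches), here is a small matcher written for this page; it is not Vigiles code and not from Timesys. Component names, version numbers, vulnerability ids and patch references are all constructed placeholders, and the version parser handles only dotted numeric versions (the real difficulty of distro and vendor version schemes is exactly what a production SCA tool has to solve).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # constructed placeholder id, not a real CVE number
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    cvss: float
    patch: Optional[str]  # constructed patch reference, if a fix exists

def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); a package-revision suffix like '1.2.3-r4' is dropped.
    Tuples compare numerically, so 1.10.0 > 1.9.0 (string compare gets this wrong)."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def is_affected(version: str, vuln: Vuln) -> bool:
    """Affected iff introduced <= version < fixed (or no fixed version exists)."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)

def scan(manifest: dict, feed: list) -> dict:
    """manifest: {config: {component: version}} -> {config: [Vuln, ...]},
    each list sorted by CVSS, highest first, ready for triage."""
    report = {}
    for config, components in manifest.items():
        hits = [v for v in feed
                if v.component in components and is_affected(components[v.component], v)]
        report[config] = sorted(hits, key=lambda v: v.cvss, reverse=True)
    return report

def shared_work_items(manifest: dict, report: dict) -> dict:
    """Collapse findings onto (component, version) pairs so a component shared
    by several configurations is triaged once: {(component, version): {configs}}."""
    items: dict = {}
    for config, hits in report.items():
        for v in hits:
            items.setdefault((v.component, manifest[config][v.component]), set()).add(config)
    return items

def suggested_action(vuln: Vuln) -> str:
    """Patch suggestion for the alert: upgrade if a fix is known, otherwise track it."""
    return f"apply {vuln.patch}" if vuln.patch else "no upstream fix yet; track and mitigate"

# Constructed sample data: three product configurations sharing some components.
MANIFEST = {"gateway": {"libfoo": "1.4.2", "libbar": "2.0.0", "libbaz": "3.1.0"},
            "sensor":  {"libfoo": "1.4.2", "libbar": "2.3.1"},
            "display": {"libfoo": "1.5.0", "libbaz": "3.1.0"}}
FEED = [Vuln("V-0001", "libfoo", "1.0.0", "1.5.0", 9.8, "libfoo-1.5.0"),
        Vuln("V-0002", "libbar", "2.0.0", "2.3.0", 7.5, "libbar-2.3.0"),
        Vuln("V-0003", "libbaz", "3.0.0", None, 5.3, None),
        Vuln("V-0004", "libfoo", "1.4.0", "1.4.3", 4.0, "libfoo-1.4.3")]
```

Running `scan(MANIFEST, FEED)` yields seven findings, but `shared_work_items` reduces them to three distinct (component, version) pairs to triage, which is the commonality effect the ROI section below relies on.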
Vigiles: the ROI of automating embedded open source security management
Let’s assume you have a team of five developers responsible for three product software configurations in one product family.
The approximate cost for that team to manually execute the standard steps in a security management process includes:
- Weekly monitoring of vulnerability disclosures and notifications across various sources: around $20,000 per year per product configuration.
- Analyzing severity and attack vector, prioritizing and triaging the vulnerabilities, and investigating patches: about $28,000 per year per product configuration.
If we assume there is 50% commonality of components and versions across the three product configurations, this equates to an annual cost of $98,000 for this team to manage vulnerabilities manually. That does not include the actual patching and testing of the product configurations once a mitigation plan has been created.
In contrast, Vigiles’ automation of vulnerability monitoring, management and identification of suggested fixes can eliminate manual steps at an annual service fee of $10,000 in this scenario. That equates to about a 90% reduction in costs while producing a higher rate of accuracy and accelerated mitigation.
You can get started with Vigiles SBOM Manager today. Just click here to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, fast and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.