Too often, it seems the first notification of a software vulnerability comes from an affected customer or the publicity surrounding a high-profile data breach. Then follows the mad scramble to mitigate the vulnerability, notify customers, update products in the field and so on.
This reactive approach to vulnerability management for your embedded system products simply doesn’t fly in today’s heightened vulnerability environment.
Instead, proactive vulnerability management is today’s industry best practice. Companies that develop and maintain embedded system products are increasingly making Security Maintenance a key focus for product maintenance and enhancement processes.
Join us at Open Source Summit + Embedded Linux Conference North America 2019 where our Director of Technology, Akshay Bhat, will present “Open Source CVE Monitoring and Management: Cutting through the Vulnerability Storm” on August 21.
Proactive vulnerability management boils down to questions of risk management.
Is it better to face the risk of a catastrophic security failure in one of your customers, with all the accompanying damage that entails?
Or is it better to identify vulnerabilities as soon as they emerge and give your team a running start toward addressing them, distributing fixes and protecting your customers?
Vulnerability Management Process Steps
Vulnerability management for embedded products can be broken into four primary steps that can be integrated into your product maintenance processes throughout your product lifecycle. Each step looks to answer several questions or address certain tasks that will enable your security maintenance process to proactively address vulnerabilities in an efficient way.
1. Vulnerability Monitoring & Filtering
Hundreds of new vulnerabilities are disclosed every week, such as in aa vulnerability database or listing service, such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).
Tasks at the monitoring stage of vulnerability management look to ask:
- Are newly reported vulnerabilities relevant to our products in development or in maintenance?
- Which specific versions of our product software or third-party components in our software, are affected by a given vulnerability?
- Are older vulnerabilities now relevant to our products because of a change in the product, such as a component software update?
2. Vulnerability Triage & Prioritization
Once the relevant vulnerabilities in a given period of your product maintenance cycle have been identified, the next step is to assess the severity of them for your specific use cases and then prioritize fixing.
So, for example, a particular vulnerability may be given a high severity score under the Common Vulnerability Scoring System (CVSS) that is widely used for assessing vulnerability risk. But the attack vector of that vulnerability may not be exposed in your product, meaning its severity for your particular configuration is low.
Questions to answer at the Triage stage include:
- Which of the identified vulnerabilities are the highest risk for our customers and products, given product configurations, deployment modes, number of units in production deployment, and exposed attack vectors?
- Which vulnerabilities affect multiple of our products, or may be common across many versions of our products?
- Which vulnerabilities are believed to be already addressed by a patch from us or an upstream supplier?
- Which vulnerabilities appear to require new development or enhancements to fix? Can multiple vulnerabilities or multiple product lines potentially be addressed by a common enhancement or update or patch?
3. Analysis & Remediation Planning
Communication and clear division of tasks are the keys for efficient analysis and remediation of individual vulnerabilities. This requires tools that support collaboration and easy documentation sharing among users and across teams.
This type of collaborative analysis and planning is especially important if it is believed that a common patch may apply to fix a vulnerability across multiple product lines.
Questions being addressed at this stage include:
- Which known updates or patches for in-house or third-party software will address the vulnerability?
- Does the vulnerability require immediate steps to be taken by customers to reduce risk of an exploit or security breach? What are those steps and how should notification be conducted?
- If a vulnerability requires development work to fix, when can it be addressed in the development cycle and how will that impact other projects, testing, and so on?
- If a vulnerability demands generating the distributing a patch immediately, what are the requirements and plan for development and distribution?
The final step in an effective security maintenance process is the mitigation of the identified vulnerabilities.
Some mitigation steps may be temporary measures, such as notifying customers and requiring them to take a unit offline or change its configuration until a patch can be issued.
Other mitigation steps will be more involved, requiring development work, incorporating new versions of components into the system, testing, issuing updates, and so on.
Vigiles: automating vulnerability management for proactive security maintenance
Our Vigiles vulnerability management and patch notification service is the industry’s most advanced offering for embedded Linux security and for mitigating security threats to your products’ open source components.
The service streamlines embedded system and IoT device security management with features that address each of the security maintenance process outlined above, including:
- Real-time on-demand vulnerability reports and a vulnerability dashboard.
- Collaboration, communications and mitigation planning tools that allow your teams to triage, prioritize and work together on open source security vulnerability mitigation.
- Automatically suggesting fixes for vulnerabilities specific components to accelerate mitigation.
You can get started with Vigiles Basic today for free. Just click here to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.