Effective product security starts with good product management.
And a good product manager recognizes that product security does not stop with secure design.
Effective security demands monitoring, tracking and acting on vulnerabilities on an ongoing basis throughout the product lifecycle.
A dedicated product management approach to vulnerability management is really the only way to ensure that your end customers are not exposed to breach risk over time.
Playing Cybersecurity Whack-a-Mole
There’s an old saying in the enterprise IT security space:
What this means is that an enterprise IT department’s cybersecurity defenses need to be constantly updated, reflecting the latest safeguards against the latest exploits.
But a cyber-attacker who decides to make that enterprise her target can probe for weeks until she finds that one unpatched server or device. Then the attacker is inside and all bets are off.
Any week, hundreds of vulnerabilities will be disclosed that may affect any number of systems in production. The next week, a different vulnerability batch may affect different systems. It’s a game of constant monitoring and assessment.
The more systems and subsystems or components are deployed in the enterprise environment, the greater the likelihood of security gaps, delayed patching, access misconfigurations, poorly documented software components, and so on.
So the question a good product manager will ask is: “Am I making it easy for my customers to maintain a strong security posture with my products?”
The CVE Storm
We’re in the midst of a storm of vulnerabilities showing little sign of letting up.
The web site CVE Details reported 16,555 vulnerabilities in 2018, based on the Common Vulnerabilities & Exposures list and compiled in the U.S. National Vulnerability Database.
That’s a 12.5% increase from 2017, which in turn was more than double the CVE count in 2016. More than 112,000 CVEs in total have been logged in the last 20 years.
Cutting through the CVE storm to focus on what really matters is of course a central requirement for effective vulnerability management over the product lifecycle.
Determining if a CVE really matters requires your team to have a current software Bill of Materials (BOM) identifying all components and all versions so that CVEs or vulnerabilities from other sources can be matched and compared.
Once a CVE is determined to relate to a given software component in your product, your next steps may be:
1. Assessing severity & impact
The National Vulnerability Database includes the Common Vulnerability Scoring System (CVSS), providing a quantitative scoring for vulnerabilities that can help guide product developers and managers in determining the level of risk and urgency represented by a CVE.
But a comprehensive assessment must of course consider the production deployment aspects of your product, including issues like expected deployment environment, connectivity, access controls, and deployment with respect to security architecture, such as inside or outside a cybersecurity DMZ.
2. Temporary mitigation steps for immediate risks
If a critical CVE poses an immediate threat for your customers in deployment, the proper temporary mitigation steps may involve an immediate notification with a short-term fix, such as taking the system out of production, turning off remote access or automatic updates, and similar steps.
3. Is there a patch or update?
Once immediate risk has been addressed, the next steps involve reviewing available component updates and patches to determine if the CVE is addressed. If no immediate patch is available, you may be in the position of monitoring patch availability until one that fixes the CVE is released.
4. Patching & testing
Applying a patch to permanently mitigate a given CVE must of course be followed by testing of the product to ensure functionality or performance are not adversely affected. In some cases, this phase may require extensive development and code updates, with additional test cycles as updates are applied.
5. Release & maintenance
Release to customers of a patch and system update to accommodate it must be followed by ongoing monitoring and maintenance with respect to existing and new CVEs into the future. In other words, “rinse and repeat.”
Scanners & Notifiers Streamline the Process
What if your product management team and developers could spend a lot less time sifting through hundreds of CVEs looking for those that apply to any of the many components in your systems?
What if all current and deployed versions of software components were continuously and automatically scanned and compared to new and previously reported CVEs?
What if all patches from upstream suppliers were immediately flagged for your team?
Those are the types of benefits available from Timesys’ CVE scanner and notifier and patch scanner and notifier services in our TRST Product Protection Solutions.
Our Security Vulnerability service conducts CVE monitoring for you. It scans security databases and mailing lists, highlighting vulnerabilities that apply to project build. The service categorizes vulnerabilities based on severity, streamlining your review and evaluation for mitigation.
Our Security Vulnerability Notification service includes vulnerability monitoring, and our Patch Notification service continuously tracks and identifies fixes produced by your upstream component suppliers.
You can add or update the meta-timesys-security laye to apply fixes to your software, and configure your recipes to selectively include only the patches you want.
Visit www.timesys.com to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.