The product development and release maintenance cycle has many predictable elements.
You know you will face time constraints for engineering to develop, test and prepare the product for production release based on the product roadmap and schedule. You’ll likewise face constraints around engineering resources, including the people and tools needed to hit the development targets.
And once a product is launched and in production, your product maintenance, enhancements, routine bug fixes, and similar tasks can generally be scheduled and planned with some accuracy.
But the wildcard in maintaining products over time is security.
Many factors can affect how critical a particular security issue is for your products. That means many factors come into play when determining how urgently a given issue needs to be addressed, and how much of your team’s time and effort will be needed.
The process itself is driven by external events entirely out of your control:
- What happens if a new vulnerability emerges that affects your product or one of its components and puts customers at risk?
- What happens if a new exploit emerges that takes advantage of an old vulnerability that previously was not a priority to fix?
- Almost all products today contain numerous open source components, integrated into the products to cut development time and reduce time to market. But how do you know if these open source components are secure, or if they are affected by any of the hundreds of vulnerabilities released each week? In other words, how do you manage the security of your software supply chain?
How will you know if any of these things happens? How will you get enough information for your team to do an adequate security assessment to plan appropriately?
Answering these questions is central to a Security Maintenance Process that can keep your products secure throughout their lifecycles.
In our work with the developers of open source embedded systems across the industry, we have identified three essential tasks that should be part of a security maintenance process.
Task 1: Vulnerability monitoring
Identifying any vulnerabilities that affect your specific requirements demands two things.
First, you need an accurate inventory or software bill-of-materials of your product’s software.
Second, you need a way to continuously monitor and filter vulnerability notices based on your product’s actual contents.
In some cases, this amounts to manually monitoring a vulnerability database or listing service, such as the Common Vulnerabilities & Exposures (CVE) database operated by the US National Institute of Standards and Technology (NIST).
But with hundreds of new vulnerabilities being identified and released every week, this type of monitoring can be extremely time-consuming. You need to actively compare each CVE with each component in your products based on affected versions, and also run such comparisons for products already deployed in production in customer environments.
The key to conducting vulnerability monitoring in a more manageable and efficient way is to automate the analysis of an inbound vulnerability feed to filter it based on the actual contents of your products, including previous versions in production.
Our Vigiles vulnerability management and patch notification service automates vulnerability detection and filtering so your team can spend less time manually sifting through thousands of open source software vulnerabilities and focus instead on quickly fixing problems.
Task 2: Vulnerability management, including triage and mitigation
Once a vulnerability is known to affect a particular component of your product, the next step is to triage the threat, prioritize tasks and work to mitigate the vulnerabilities based on your priorities.
But even the triage process itself can seem overwhelming.
Of the dozens or hundreds of vulnerabilities that may affect your product lines this month, which ones represent the biggest threats of an actual security breach?
Which vulnerabilities are exposed to an attack vector that is relevant to your product configuration and deployment, such as using network connectivity?
Which are common across several of your products or projects and so should be addressed as low-hanging fruit for mitigation?
Answering such vulnerability assessment, triage and prioritization questions becomes even more challenging when the bulk of the analysis and conclusions take place in offline tools, like spreadsheets or email threads.
The key to efficient and comprehensive responses to threats is to establish workspaces that can be used consistently by team members conducting the triage and mitigation planning.
Our Vigiles vulnerability report dashboard includes flexible and intuitive collaboration, communication and mitigation planning tools that aggregate your team’s work to prioritize and address open source vulnerabilities.
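The two tasks above (filtering an inbound vulnerability feed against an SBOM that covers every product version still in production, then triaging the matches by attack-vector relevance, severity and breadth across products) can be sketched in a few dozen lines. The following is an added example written for this article, not Vigiles code or any vendor's API. All products, components, version ranges and the `CVE-EXAMPLE-*` identifiers are constructed; the version parser assumes plain dotted integers (a real feed such as NVD's uses CPE match strings and needs a fuller version grammar), and `attack_vector` stands in for the CVSS AV metric.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple so comparisons are numeric.
    Assumption for this example: versions are plain dotted integers (no '1.1.1k')."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Product:
    name: str
    version: str
    network_exposed: bool              # does this deployment accept network traffic?
    components: Tuple[Component, ...]  # the product's SBOM entries


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    component: str
    introduced: Optional[str]  # first affected version (inclusive); None = all earlier
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet
    attack_vector: str         # "NETWORK" or "LOCAL", standing in for CVSS AV
    cvss: float


def affects(adv: Advisory, comp: Component) -> bool:
    """True when the advisory's affected version range contains this component."""
    if adv.component != comp.name:
        return False
    v = parse_version(comp.version)
    if adv.introduced is not None and v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def match_feed(feed: List[Advisory], products: List[Product]
               ) -> Dict[str, List[Tuple[Product, Component]]]:
    """Task 1: keep only advisories that hit something in a product SBOM.
    Every product version is checked, including older ones still in production."""
    hits: Dict[str, List[Tuple[Product, Component]]] = {}
    for adv in feed:
        for prod in products:
            for comp in prod.components:
                if affects(adv, comp):
                    hits.setdefault(adv.cve_id, []).append((prod, comp))
    return hits


def triage(feed: List[Advisory], products: List[Product]) -> List[dict]:
    """Task 2: rank matches. Reachable over an exposed vector first, then by
    severity, then by how many products would share one fix."""
    by_id = {a.cve_id: a for a in feed}
    rows = []
    for cve_id, matches in match_feed(feed, products).items():
        adv = by_id[cve_id]
        reachable = adv.attack_vector == "NETWORK" and any(p.network_exposed for p, _ in matches)
        rows.append({
            "cve_id": cve_id,
            "cvss": adv.cvss,
            "reachable": reachable,
            "affected": sorted({(p.name, p.version, c.version) for p, c in matches}),
            "product_count": len({p.name for p, _ in matches}),
        })
    rows.sort(key=lambda r: (r["reachable"], r["cvss"], r["product_count"]), reverse=True)
    return rows


# Constructed sample data: not real products, SBOMs, or CVE identifiers.
PRODUCTS = [
    Product("gateway", "2.0", True,
            (Component("openssl", "3.0.7"), Component("busybox", "1.36.0"), Component("zlib", "1.2.13"))),
    Product("gateway", "1.4", True,   # older release still deployed at customers
            (Component("openssl", "3.0.2"), Component("busybox", "1.33.0"), Component("zlib", "1.2.11"))),
    Product("sensor", "3.1", False,   # no network interface in this deployment
            (Component("busybox", "1.33.0"), Component("zlib", "1.2.11"))),
]

FEED = [
    Advisory("CVE-EXAMPLE-0001", "openssl", "3.0.0", "3.0.5", "NETWORK", 7.5),
    Advisory("CVE-EXAMPLE-0002", "zlib", None, "1.2.12", "LOCAL", 5.5),
    Advisory("CVE-EXAMPLE-0003", "busybox", "1.30.0", "1.34.0", "NETWORK", 6.5),
    Advisory("CVE-EXAMPLE-0004", "libfoo", None, None, "NETWORK", 9.8),  # not in any SBOM
]

if __name__ == "__main__":
    for row in triage(FEED, PRODUCTS):
        print(row)
```

Running it drops `CVE-EXAMPLE-0004` entirely (no SBOM contains that component), places the network-reachable OpenSSL issue first even though only the older `gateway` 1.4 release carries it, and ranks the local-only zlib issue last despite it touching two product lines. The `affected` column is what a team needs to see at a glance: which shipped version carries which component version, so the same triage decision can be recorded once rather than rediscovered in a spreadsheet per product.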
Task 3: Patch monitoring & management
Ideally the fix for a given vulnerability is available via a patch from the maker of a software component.
But tracking down each component and determining which CVEs a patch will address in even a modestly complex project can involve a lot of time-consuming detective work.
That’s why our Vigiles patch management and “Suggested Fix” interface will notify you of the availability of a patch to fix a given vulnerability as soon as one can be identified. The “Suggested Fix” notification is tied to each vulnerability so there is no need for your team members to hunt through patch release notes for each component.
Vigiles: One-stop shop for open source software security
Our Vigiles vulnerability management and patch notification service is the industry’s most advanced offering for embedded Linux security and for mitigating security threats to your products’ open source components.
Vigiles combines Software Composition Analysis (SCA) techniques with automated vulnerability monitoring features and powerful collaboration and mitigation features.
The service streamlines embedded system and IoT device security management by:
- Continuously and automatically scanning thousands of vulnerabilities and identifying those that affect your specific products via real-time on-demand vulnerability reports and a vulnerability dashboard.
- Allowing you to securely load a product manifest to identify the open source software components in your products for security tracking, across all versions and branches.
- Providing collaboration, communications and mitigation planning tools that allow your teams to triage, prioritize and work together on open source security vulnerability mitigation.
- Automatically suggesting fixes for vulnerabilities in specific components to accelerate mitigation.