On-demand vulnerability reports with highly accurate data and unique CVE mitigation tools streamline developer-driven product security
Pittsburgh, Pa. – April 20, 2020 – Timesys Corporation, industry pioneer and leading provider of embedded, open source software, engineering services, and security solutions, today announced expanded functionality of Timesys Vigiles, bringing new Software Composition Analysis (SCA) features and vulnerability triage and mitigation tools for embedded system products.
Timesys Vigiles Security Monitoring & Management Service enables developers of embedded system products using Linux and open source components to bring more secure products to market in a range of industries, including medical devices, industrial control systems, transportation systems, Internet of Things and Industrial Internet of Things.
More than 300 new vulnerabilities affecting software systems are disclosed every week by services such as the Common Vulnerabilities & Exposures (CVE) database maintained by the US National Institute of Standards and Technology (NIST).
Vigiles automatically filters the mass of CVEs, identifying those that affect a specific product’s open source components. Vigiles simplifies CVE response and remediation with developer team collaboration tools that streamline analyzing, tracking and mitigating CVEs to ensure products are more secure when built and stay secure after release.
The latest enhancements of Vigiles include broader integration with embedded system software development tools, enabling end-to-end workflow support for developer-driven vulnerability tracking, investigation and fixing.
“Vigiles sets a new standard in making embedded system products secure with a developer-driven security process,” said Atul Bansal, CEO of Timesys. “Previously, development teams would easily be overwhelmed by the tasks of monitoring and analyzing huge lists of vulnerabilities. Now Vigiles streamlines and accelerates CVE detection and mitigation, enabling your team to focus on only the vulnerabilities that matter.”
Vigiles’ new SCA features will automatically generate a Software Bill of Materials (SBOM) for Yocto, Buildroot and Timesys Factory projects. Now developers can understand which open source third-party components are in their products and which vulnerabilities pertain to them. Features include detailed CVE reports, trend reports, summaries and a searchable vulnerability database.
Vigiles delivers superior, highly accurate vulnerability data, augmenting the feed from the National Vulnerability Database (NVD) with multiple additional vulnerability feeds. The Timesys security team curates vulnerability data, which reduces false positives and produces a 40 percent improvement in data accuracy compared to the NVD. Users of Vigiles also can receive expedited notification of newly reported vulnerabilities as much as four weeks earlier than from the NVD.
CVE investigation and mitigation are accelerated with Vigiles’ CVE filtering, triage and team collaboration tools. Vigiles filters CVEs based on a project’s Linux kernel configuration and U-Boot configuration, which eliminates CVEs that apply only to features not in use. This reduces CVE investigation and triage tasks by 75 percent on average.
CVE remediation is expedited because Vigiles automatically identifies “suggested fixes” such as patches or updates of components that will mitigate vulnerabilities.
The service streamlines and simplifies reporting and documentation of vulnerabilities for easier compliance with regulatory and customer requirements.
Overall, Vigiles creates a well-defined, efficient, repeatable and scalable process workflow for developer-driven product security. Vigiles is shown to reduce engineering time spent on vulnerability monitoring and patching by 90 percent.
“The enhanced features of Vigiles are important new tools for enabling embedded developers to build more secure products that are easier to keep secure over time,” said Robert Oshana, Vice President software R&D at NXP. “By knowing specific vulnerabilities for specific software components, embedded designers will be able to focus on the security issues that really matter, ultimately bringing more secure products to market more quickly.”
Timesys is a pioneer and industry leader in open source software security, development tools and engineering services spanning the embedded software market. With Timesys’ expertise, OEMs, ODMs, and design houses cut development costs and accelerate time-to-market for BSPs and devices, HMI / UX, security, and IoT systems and applications using embedded Linux, Android, FreeRTOS and other open source solutions.
Timesys offers a complete end-to-end device security solution enabling developers to implement security early in design and to maintain strong security throughout product lifecycles with Vigiles, an on-demand vulnerability monitoring and management service. Representing more than 20 years of embedded development experience, Timesys’ broad portfolio, embedded expertise, and extensive partner ecosystem are used by 1000+ projects to develop leading products and applications including medical, industrial, networking, aerospace, and consumer solutions.