Efficient and reliable issue tracking for embedded Linux systems

Currently the need for a comprehensive cyber security concept for embedded systems and a corresponding lifecycle maintenance increases significantly. This is due to the tightening of the IT-Sicherheitsgesetz as well as regulatory requirements in almost all industries, e.g. the amendment of the German Medizingeräte-Richtlinie.
Companies are obliged to continuously monitor their - initially hardened - software systems for software security issues. This has to happen within a comprehensible, documented process.

emlix provides the following services for a standard-compliant CVE security monitoring:

• Automated CVE tracking of different sources
• Multi-stage relevance analysis by Linux and
  security experts
• Reduction to the actually relevant CVEs
• Maintenance monitoring and updates (optional)
• CVE security report as a verification document
• Quick entry based on a SBOM
• Definition of relevance criteria by scoping
• High cost-efficiency durch synergy effects
• Solid basis for planning throughout the software lifecycle

emlix has extensive experience in security engineering for Linux based embedded devices, e.g. edge-IoT devices, medical and automation technology devices as well as embedded systems in the automotive and energy industry.
The emlix CVE security monitoring as well as the supplementary emlix Maintenance Monitoring allows to meet normative requirements concerning the software maintenance throughout the whole software lifecycle. The German Medizingeräterichtlinie requirement for a comprehensive market surveillance, for example, is reliably met.
The emlix CVE security monitoring starts with the SBOM of your Linux based software system. During a short scoping workshop we will clarify the critical requirements and the use cases of your software. With this input we set-up the monitoring. From then on we provide you with a CVE security report in the agreed frequency (e.g. once or twice a month). The report includes our recommendations how to proceed with each relevant CVE. But usually we additionally agree on a monthly call to discuss the findings and their impact.
Additionally, our portfolio includes development support and update services (patch management, updates, upgrades) for an efficient embedded Linux lifecycle management.

The obligation of companies under ISO/IEC 27001 to continuously monitor their software systems for software security issues requires a high degree of responsiveness in the event of an emergency. CVEs have to be classified and available fixes or patches need to be implemented depending on the context and criticality. But often the companies will lack ressources and competencies.
Furthermore, a relevant and critical security issue might be detected, but the community so far does not offer a fix. In these cases emlix provides a continuous search for a corresponding fix or, where appropriate, we will offer development services to fix an issue ourselves.