Up-to-date open source software for cost-effective IT security
Obsolete and therefore unsafe software components in industrial products or critical infrastructure are one of the major risk factors for cyber attacks. That is why legislators as well as compliance departments increasingly expect IT security management processes that ensure the software is kept up to date.
Component monitoring for open source software in industrial devices is intended to check continuously whether the Linux kernel and the other open source components are up to date. This is a prerequisite for maintaining a defined security status. At the same time, it offers economical software life cycle management for embedded Linux systems.
Extraction of relevant CVEs
The objective is to identify product-related security findings, new software versions and improvements of relevant components as soon as they appear. It is then evaluated whether and when an update can or should be applied to the production system (security patch management).
The monitoring requires detailed system knowledge in order to evaluate the relevance of security findings (common vulnerabilities and exposures, CVE) for a specific system. In this way, the few CVEs that require special consideration are filtered out of the large number of published ones.
Therefore, the starting point of the monitoring is an initial analysis of the system:
- Which components and versions are included in the system?
- Which parts and functions of a specific software component are actually used or implemented in the custom Linux system?
- What is the context in which the device and thus the Linux system are being used? What is the required functionality?
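As an added illustration of the initial analysis and relevance filtering described above (example code, not emlix's tooling), the following Python sketch matches a constructed component inventory against constructed advisories and marks a finding as relevant only when the affected subsystem is actually used on the device. Component names, feature tags and the CVE identifiers are assumed placeholders, not real records.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Component:
    name: str
    version: str
    used_features: frozenset  # subsystems actually compiled in and used on this device
@dataclass
class Advisory:
    cve_id: str
    product: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix released yet
    feature: Optional[str]  # affected subsystem; None = whole component

def parse_version(v):
    """Turn '5.10.4' into (5, 10, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(comp, adv):
    """Version-range check: introduced <= version < fixed (or no fix yet)."""
    if comp.name != adv.product:
        return False
    ver = parse_version(comp.version)
    if ver < parse_version(adv.introduced):
        return False
    return adv.fixed is None or ver < parse_version(adv.fixed)

def triage(inventory, advisories):
    """(cve_id, component, status): 'relevant' if the affected code is used, else 'not-used'."""
    findings = []
    for adv in advisories:
        for comp in inventory:
            if is_affected(comp, adv):
                used = adv.feature is None or adv.feature in comp.used_features
                findings.append((adv.cve_id, comp.name, "relevant" if used else "not-used"))
    return findings

# Constructed sample data; the CVE ids are placeholders, not real advisories.
INVENTORY = [
    Component("linux", "5.10.4", frozenset({"net", "usb"})),
    Component("openssl", "1.1.1", frozenset({"tls"})),
    Component("busybox", "1.33.0", frozenset({"shell"})),
]
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "linux", "5.0.0", "5.10.5", "net"),        # affected, net is used
    Advisory("CVE-EXAMPLE-0002", "linux", "5.0.0", "5.10.3", "bluetooth"),  # already fixed in 5.10.4
    Advisory("CVE-EXAMPLE-0003", "linux", "4.0.0", None, "bluetooth"),      # affected, bluetooth unused
    Advisory("CVE-EXAMPLE-0004", "openssl", "1.1.0", "1.1.2", None),        # whole component affected
    Advisory("CVE-EXAMPLE-0005", "busybox", "1.34.0", None, "shell"),       # version predates the bug
]
```

Running `triage(INVENTORY, ADVISORIES)` yields three matches, of which only two are relevant to this device; the "not-used" finding is the kind of CVE that context knowledge lets the reviewer deprioritise.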
emlix security monitoring supports you in the operation and maintenance phase of embedded Linux-based industrial products with the following solutions:
- Initial identification and analysis of the software components that are included in the product with the version number and, if applicable, the original source
- Evaluation of the usage and operating context as well as the risk structure of the product together with the customer
- Regular monitoring of information sources on vulnerabilities and risks (CVE) via our database
- Obtaining and continuously maintaining information about new and known vulnerabilities of open source components contained in the product
- Analysis and evaluation of the availability and usefulness of updates for open source components of the product
- Context-specific evaluation of potential security topics of the product
- Regular creation of a product-specific security report with a clear summary and presentation of all relevant information
- Regular evaluation of the risks, recommendations and possible measures in a monthly conference call with the customer's contact person
- Providing valid information for supplier or security compliance declarations (in particular security monitoring, vulnerability handling and patch management)
- Planning security updates in the context of the release plan (or ad hoc) in consultation with the customer
- Optional: compilation and preparation of security patches (patch management)
With our security monitoring, you will achieve:
- Improved IT security through regular risk assessment
- Product- and application-specific risk analysis by experienced engineers
- Comprehensible information and personal explanations
- Valid information for suppliers and audits
- Flexibility for different monitoring and release cycles
- Enhanced security compliance of products
- Planning releases and updates based on valid information
- Easy and economical implementation
- Easier planning of patch roll-outs and updates that may be required
The security monitoring can be combined with the emlix security review and emlix e2factory build management as well as emlix update and roll-out concepts.
We would be happy to make you an offer for regular security monitoring based on a list of the software components in your embedded Linux system or an initial emlix security review. Optionally, we would be glad to offer you the preparation of security patches for your product as well as a reliable update concept.
Usually on a monthly or quarterly basis, all the results of our security monitoring are summarized in a written report.
The embedded Linux system being validated should be based on a common distribution (e.g. Yocto, Buildroot, PTXdist) with all the information needed for the build process, or on a build system such as BitBake or e2factory.
Phone +49 (0) 551 / 306 64 - 0
solutions [at] emlix.com
Our security review provides you with an evaluation of the system and network security of an open source-based industrial product (industrial control system, ICS). This includes corresponding network tests and an analysis of the used Linux software platform. In addition to an analysis of the current security situation, precise recommendations are part of the scope of services.