Improved IT security for Linux in existing products
Superfluous or incorrectly configured software and services in networked industrial products are an open door for cyber attacks. In order to make sure that the investments made are worthwhile over a long period of time, avoid operational stoppages and image loss, companies increasingly insist on special supplier declarations or supporting documents for cyber security, including for existing products.
The emlix security review is an easy and efficient starting point for a short-term evaluation and improvement of the IT security of systems with open source software that are already on the market. Development, product management and marketing can use it to make well-founded decisions about product maintenance. Information regarding ,,cyber security”, ,,IT security” or ,,industrial security” can be provided with a solid background.
Enhanced level of security with audit
The technical audit includes a technical analysis of the product and its application environment and common network tests. It has been specifically adapted for the use of Linux and open source software in the industrial context.
In addition to an analysis of the current status as well as product-specific risk factors, recommendations for actions and their prioritization for short-term measures are part of the scope of services. Subsequently, in many cases the IT security for Linux in production systems can be improved significantly in an easy manner
The emlix security review for Linux- and open source-based products is intended to determine a product's status quo regarding security and includes, among other things, the following services:
- Common definition of the focus of the analysis
- Analysis of tasks and functions of the system
- Evaluation of operational site and surrounding situation
- Evaluation of the integration of the product in the operator's IT systems
- Definition of specific risks and attack vectors
- Analysis of the configuration and services of the system
- Analysis of remote update functions, insofar as they are available
- Analysis and tests of hardware interfaces on the device
- Carrying out network vulnerability tests in order to identify possible vulnerabilities (vulnerability scans, penetration testing and security scan) at our testing station
- Checking software components for known security vulnerabilities (common vulnerabilities and exposures, CVE) as part of a CVE analysis and evaluation of their relevance
- Analysis of the used development environment and software build infrastructure, when available
- Classification and evaluation of the results of various tests according to different criteria and risk classes
- Deduction and development of concrete recommendations for action in order to increase the level of security
- Aggregating and presenting the analysis findings in a report
- Explanation and classification of results and recommendations in a personal meeting
- Optional: code review of critical parts of a program as well as an examination of security-relevant features of the application
- Optional: evaluation of the build process of the software system for short-term updates and improvement of the configuration
- Optional: development of protective goals for the product
The technical audit is based on industrial best practices for design, development, testing, operation and maintenance of embedded Linux board support packages (BSP). It is being carried out with a manual inspection and common analysis tools.
The results of the review and concrete recommendations for action are being summarized in a detailed written report. They are comprehensible and provide a valid basis for decision-makers.
With our security review, you gain:
- An increased confidence from existing and new clients (image boost) with valid information on cyber security
- Quick access to practical knowledge and well-founded evaluations of our Linux / open source experts
- A pragmatical and efficient initial evaluation of cyber risks for existing products
- Comprehensible and concrete suggestions for a short-term increase of the IT security of the product
- Valid information for supplier declarations and supporting documents on cyber security as a competitive advantage
- A security review of the product can be easily integrated in the development and maintenance process
- Technical information for developers for hardening the system (product quality)
- Prioritized suggestions for developers for planning updates or configuration changes of the existing product
- Product-specific requirements and criteria for IT security for the development of new products
The security review can be used as a starting point for the development of a generic, product-specific security solution. It can be combined with emlix e2factory build management, our life cycle management and emlix security monitoring as well as emlix update and roll-out concepts.
In a phone call, we would be happy to talk to you about the extent and the depth of the analysis of our security review. On that basis, we would be pleased to provide you with an individual quotation.
All the results of our security review are summarized in an easily comprehensible report. Included are numerous recommendations to increase the security level of the product in an easy and efficient way.
The embedded Linux BSP being validated should be based on a common distribution (e.g. Yocto, Buildroot, PTXdist) with all the information that is needed for the build process, or on a build system such as BitBake or e2factory.
Phone +49 (0) 551 / 306 64 - 0
solutions [at] emlix.com
The emlix security monitoring supports you in the operation and maintenance phase of embedded Linux-based industrial products (industrial control system, ICS) for maintaining a defined security status. Our team continuously monitors information sources and evaluates possible risks against the background of the product-specific use case of your product. The emlix security monitoring provides recommendations for security patches and updates ad hoc or on a monthly basis.