Vulnerabilities keep piling up … time to make security a product differentiator? - Timesys

Is your product the “Volvo” of embedded system products? For decades, carmaker Volvo has been known as a maker of safe vehicles.

While all makes of cars are generally much safer than in decades past, and some observers rank some other brands’ models higher in safety, there is no dispute that Volvo has made safety a cornerstone of its brand. Like other car brands have focused on qualities like luxury, reliability or the driving experience, Volvo has emphasized safety as a chief value of its products.

Perhaps soon we will see a Volvo-style strategy emerging from the makers of embedded system devices and the Internet of Things (IoT). In fact, with the volume of security vulnerabilities reaching an all-time high, there’s a prime opportunity for a device maker to become known market-wide as a “security first” product developer whose customers are more protected from cyberattack.

So who makes the “Volvo” of embedded systems products? Who will focus on security as a primary value for enterprise customers who are struggling to keep pace with the flood of vulnerabilities?

Overwhelmed by Vulnerabilities

CSO reports that a recent survey by vulnerability assessment vendor Tenable shows that vulnerabilities are piling up faster than they can be addressed by end customers.

“High-severity vulnerabilities are being identified in software faster than enterprise security teams can respond to them,” CSO reported, adding that Tenable found that the volume of reported vulnerabilities for the first half of 2018 was running about 27% higher than the year before.

Indeed, CVE Details, a data source for tracking reported vulnerabilities, shows that the count of vulnerabilities for 2018 stands at more than 15,000, eclipsing last year’s record of 14,714. That site tracks Common Vulnerabilities and Exposures (CVEs) that are indexed in the CVE list of known cybersecurity vulnerabilities.

Some industry researchers give differing analysis on the level of vulnerabilities this year and how it compares to previous years, depending on how vulnerabilities are categorized and tracked. But wherever the final number of vulnerabilities lands in relation to last year, the volume of vulnerabilities continues at a pace that places a major burden on IT managers at enterprises who are trying to keep up and ensure their information and users are safe from attacks.

Security as a Product Differentiator

Obviously no product developer wants to be known as a supplier of non-secure products.

But not every developer has invested time and resources to make security a product differentiator, something that provides a demonstrable benefit for the enterprise’s security posture when compared to alternative products. And according to some security researchers, some manufacturers are simply “ignoring” security issues and apparently leaving it to enterprise customers to figure out how to keep attackers from compromising their systems and sensitive data.

This lack of product maker focus on security is often cited as one of the reasons that IoT security seems to be a problem that just won’t go away.

At Timesys, we have worked with a wide range of embedded system product developers who definitely do care about bringing secure products to market and aim to make security important benefits of their systems. Here are some examples of best practices for bringing more secure products to market:

• Device hardening: What is your device’s attack surface? In other words, how are the device’s configuration, its connectivity, access control and similar features set? Could those settings make it a target of an attacker’s vulnerability exploit? Similarly, if an attacker succeeds in compromising your system, how much damage can they do? Can they gain access to sensitive information or leapfrog to other systems?
• Security testing: Have you conducted a vulnerability assessment, analyzing your product’s components in comparison to known CVEs? During design stages, have you inventoried the components — including open source components — with as with a composition scan so that vulnerability tracking and management can be conducted in the future?
• Secure boot: Have you designed the system to verify code authenticity before it is executed? Does the system establish and maintain a chain of trust from bootloader up to applications?
• Vulnerability monitoring & management: Once the device is released, do you continue to track CVEs and other vulnerabilities as they are announced? Can you pinpoint those that pertain to your products and subcomponents, so that needed mitigation can be developed and customers can be notified?
• Patch monitoring & management: Are you making it easy for end customers to learn about and deploy patches for your products and all sub-components? Does your process for patch notification help customers to assess the risk of security compromise in their environments and prioritize patches accordingly?

Try Timesys TRST

Our Threat Resistance Security Technology (TRST) Product Protection Solutions will assist you with designing more secure products and making it easier to maintain product security once they are on the market.

At Timesys we have captured the industry’s best practices for embedded system security, embedded Linux security, IoT security, and open source software security. Our solutions enable device developers to make security a chief benefit for end customers, to simplify the security burden on enterprise IT managers. Work with us to make security a key differentiator for your products.

Contact us today to learn more.

About Timesys

Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.

VOLVO is a trademark and brand of VOLVO TRADEMARK HOLDING AB.