Wind River Studio Linux Services: Lifecycle Security

 

Securing your embedded Linux platform is a full lifecycle responsibility. Ongoing monitoring and mitigation of known vulnerabilities impacting your project requires engineering resource investment, from development to deployment and throughout operational lifetime.

Scanning code for CVEs and license compliance issues can help identify risks before they become a liability. Critical and high-risk vulnerabilities impacting your code must be remediated. And, because new vulnerabilities are identified every day, ongoing CVE monitoring, prioritization, and mitigation are required. Wind River® offers ongoing CVE monitoring, mitigation, and management of your Linux platform throughout the software development and deployment lifecycle.

CONTINUOUS SECURITY MONITORING

We provide continuous and proactive monitoring of the health of your embedded Linux platform with timely alerts to new CVEs as they emerge. Leverage our curated knowledge base of CVEs built from public sources such as NIST, the Yocto Project, and the MITRE database of CVEs.

  • Full scan of your platform, comparison to our extensive database to accurately identify potential vulnerabilities, and deep analysis by our engineers of the true impact on your platform
  • On-demand scans of your Linux platform comprising your kernel, BSP, and shared and user libraries

LICENSE USE IDENTIFICATION

Scan your Linux platform to provide a detailed report of all the licenses used in your platform as well as transitive dependencies.

  • On-demand scans of your Linux platform comprising your kernel, BSP, and shared and user libraries
  • Ability to scan for all licenses used in your platform and categorize based on their permissiveness, copyleft, compatibility, and transitive dependencies
  • Detailed license report identifying all the licenses used in your embedded Linux platform
  • Implementation services available to assist with license compliance remediation

COLLABORATIVE TRIAGE AND ASSESSMENT

Work with our team to quickly identify and prioritize vulnerabilities based on a common vulnerability threshold (CVSS), severity of impact, difficulty of attack, and avoidability. We work with you to build release plans to address critical and prioritized CVEs.

  • Detailed security report identifying CVEs open against your platform
  • Fixes for newly identified critical and high CVEs at a CVSSv3 threshold of 7 and above
  • Online support portal for customers to request fixes for non-critical CVEs (CVSSv3 < 7)

CVE MITIGATION

Our team of engineers performs a deep analysis to determine the impact of each CVE on your Linux platform. We work with you to prioritize remediation options and timing. We backport, validate, and verify community-based patches before we apply them to your code. If a community solution is unavailable, we work with your engineering team to architect a technical solution.

  • Fixes for critical and high CVEs at CVSSv3 threshold 7 and above
  • Collaboration and prioritization of medium and low CVEs
  • Emergency patches to fix critical CVEs
  • Quarterly patches to fix other prioritized CVEs
  • Remediation packages available to help catch up on CVE technical debt

FOCUS ON QUALITY

We ensure you have a high-quality and stable Linux platform, and all remediation efforts enter the Wind River continuous integration (CI) pipeline for a nightly/weekly/monthly build and test process throughout development. After remediation testing and release, Wind River will generate a new software bill of materials and documentation that can be used for project verification.

  • All modifications to your platform through patches or custom engineering validated and verified before redeployment
  • Nightly builds and test process leveraging the Wind River CI pipeline to ensure high quality
  • Emergency patches to fix your critical CVEs and quarterly patches to fix other CVEs
  • Upstreaming of engineered resolutions back to the Yocto Project community

GLOBAL SUPPORT

Wind River has a global team of experts to support your Linux platform. Additional support options are available.

  • Online support portal to submit tickets during the remediation period
  • Review by Wind River engineers to ensure timely response
  • Premium Support options for customers needing dedicated engineers well versed in their project

FOR MORE INFORMATION

Contact your local account team or salesinquiry@windriver.com.

