Wind River Studio Linux Services: Security and Compliance Analysis and Remediation

Wind River offers security and compliance scanning with analysis and remediation services to help you build higher-quality code and accelerate your time to deployment.


Automated security and compliance scanning, tuned for complex embedded software systems, helps developers quickly identify and prioritize high-risk vulnerabilities and license issues, so they can build higher-quality code and reach application deployment sooner.

  • A professional grade security and compliance scanner provides developers a thorough assessment of the potential risks for common vulnerabilities and compliance issues.
  • A CVE and compliance scanning assessment can flag critical points of concern that require a deeper analysis to determine impact and effort to mitigate.
  • Our service scans your Yocto Project Linux platform manifest and open source packages to identify vulnerabilities and license compliance issues. We use a curated collection of data sources including Yocto Project, NIST, and other public sources, as well as the Wind River Linux database of Common Vulnerabilities and Exposures (CVEs).
  • We analyze specific platform layers including hardware, kernel, user space, libraries, and other system components. The high-risk issues are presented in a graphical and easy-to-read format, allowing a development team to get a snapshot of the health of their code.

What We Deliver

SECURITY SCAN AND CVE IDENTIFICATION

Scan your Linux platform for all known CVEs, including new ones as they are published. We run our professional-grade scanner, match its results against our extensive vulnerability database to accurately identify potential vulnerabilities, and our engineers then analyze the true impact of each one on your platform.

  • Security scan of your Linux platform comprising your kernel, BSP, and shared and user libraries
  • Access to our curated knowledge base of vulnerabilities and compliance issues built from public sources such as NIST, the Yocto Project, and the MITRE database of CVEs
  • Detailed security report identifying all the CVEs that are open against your Linux platform

LICENSE USE IDENTIFICATION

Scan your Linux platform to provide a detailed report of all the licenses used in your platform as well as transitive dependencies.

  • License scan of your Linux platform comprising your kernel, BSP, and shared and user libraries
  • Ability to scan for all licenses used in your platform and categorize based on their permissiveness, copyleft, compatibility, and transitive dependencies
  • Detailed license report identifying all the licenses used in your Linux Platform

CVE MITIGATION PLAN

Work with our global team of engineers to quickly identify and prioritize vulnerabilities based on a Common Vulnerability Scoring System (CVSS) score threshold, severity of impact, difficulty of attack, and whether the issue can be avoided in your configuration. We work with you to build a mitigation plan to address the prioritized CVEs.

  • Detailed security report identifying CVEs open against your platform
  • Prioritization of existing CVEs to fix, based on their severity and impact
  • Assessment of the time and cost to remediate the prioritized CVEs in your Linux platform
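The prioritization described above, as an added example that is not Wind River's tooling: it triages the JSON report that the Yocto Project's cve-check class writes, keeping only open ("Unpatched") findings, dropping ids an engineer has reviewed and waived, ranking the rest by CVSS v3 score and network reachability, and surfacing unscored findings last rather than silently dropping them. The report layout (package list with id, scorev3, vector, status per issue), the sample data and the WAIVED table are constructed for illustration; the CVE ids are placeholders, not real vulnerabilities.

```python
"""Triage of Yocto cve-check findings by status, CVSS v3 score and attack vector."""
import json
from dataclasses import dataclass

# Constructed sample in the layout of a cve-check JSON report (assumption:
# package -> issue list with id, scorev3, vector, status). The CVE ids are
# placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "libfoo", "layer": "meta-example", "version": "1.2.3", "issue": [
            {"id": "CVE-0000-0001", "scorev3": "9.8", "vector": "NETWORK", "status": "Unpatched"},
            {"id": "CVE-0000-0002", "scorev3": "5.3", "vector": "NETWORK", "status": "Patched"},
        ]},
        {"name": "libbar", "layer": "meta-example", "version": "4.5", "issue": [
            {"id": "CVE-0000-0003", "scorev3": "7.8", "vector": "LOCAL", "status": "Unpatched"},
            {"id": "CVE-0000-0004", "scorev3": "7.5", "vector": "NETWORK", "status": "Unpatched"},
            {"id": "CVE-0000-0005", "scorev3": "", "vector": "", "status": "Unpatched"},
        ]},
        {"name": "tool-baz", "layer": "meta-example", "version": "0.9", "issue": [
            {"id": "CVE-0000-0006", "scorev3": "8.1", "vector": "NETWORK", "status": "Ignored"},
        ]},
    ],
})

# Hypothetical triage decisions: findings an engineer has analysed and waived,
# each with the reason that goes into the mitigation plan.
WAIVED = {"CVE-0000-0003": "affected ioctl handler is compiled out in this BSP"}


@dataclass
class Finding:
    package: str
    version: str
    cve: str
    score: float   # CVSS v3 base score, 0.0 when the feed has none
    vector: str    # NETWORK / ADJACENT_NETWORK / LOCAL / UNKNOWN
    tier: str


def tier_for(score: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative severity bands."""
    if score == 0.0:
        return "unscored"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(report_json: str, threshold: float = 7.0, waived=None) -> list:
    """Return the open findings worth a mitigation ticket, highest priority first.

    Only status "Unpatched" counts (Patched/Ignored are already handled in the
    build); waived ids are dropped; scored findings below the threshold are
    dropped; unscored findings are kept and ranked last, because "no score yet"
    is not "no risk"; ties break in favour of network-reachable vectors.
    """
    waived = WAIVED if waived is None else waived
    findings = []
    for pkg in json.loads(report_json)["package"]:
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched" or issue["id"] in waived:
                continue
            try:
                score = float(issue.get("scorev3") or 0.0)
            except ValueError:
                score = 0.0
            if 0.0 < score < threshold:
                continue
            findings.append(Finding(pkg["name"], pkg["version"], issue["id"], score,
                                    issue.get("vector") or "UNKNOWN", tier_for(score)))
    findings.sort(key=lambda f: (-f.score, 0 if f.vector == "NETWORK" else 1, f.cve))
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_REPORT):
        print(f"{f.tier:9} {f.score:4} {f.vector:9} {f.cve}  {f.package}-{f.version}")
```

Keeping unscored findings in the list is deliberate: the NVD often assigns a score days after an id is published, and the cve-check output mirrors that gap, so an unscored open CVE is the one that most needs a human look.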

LICENSE COMPLIANCE MITIGATION PLAN

Our team of engineers performs a deep analysis to determine the impact of the restricted licenses used in your solution. We work with you to prioritize remediation options and timing.

  • Detailed license use report identifying the licenses used in your Linux platform
  • Prioritization of licenses not permitted for use in your organization
  • Assessment of the time and cost to make your Linux platform compliant with your license policy
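The license categorization and policy check described in the two license sections above, as an added example that is not Wind River's tooling: it reads a Yocto license.manifest, evaluates each package's license expression (`&`, `|`, parentheses, with `&` binding tighter than `|` as BitBake evaluates them) against an organisation's policy, elects an acceptable option for dual-licensed packages, and names the license that blocks a package otherwise. Unlisted licenses fail closed. The manifest excerpt, the CATEGORY table and the ALLOWED set are constructed for illustration and do not represent any real policy.

```python
"""Check a Yocto license.manifest against an organisation's license policy."""
import re

# Constructed excerpt in the layout of a Yocto license.manifest (assumption:
# blank-line separated records of KEY: value lines; LICENSE holds a
# BitBake-style expression using &, | and parentheses).
SAMPLE_MANIFEST = """\
PACKAGE NAME: libexample
PACKAGE VERSION: 2.1
RECIPE NAME: libexample
LICENSE: MIT

PACKAGE NAME: netutil
PACKAGE VERSION: 0.4
RECIPE NAME: netutil
LICENSE: GPL-3.0-only

PACKAGE NAME: dualtool
PACKAGE VERSION: 1.0
RECIPE NAME: dualtool
LICENSE: GPL-2.0-only | BSD-3-Clause

PACKAGE NAME: mixedlib
PACKAGE VERSION: 5.2
RECIPE NAME: mixedlib
LICENSE: (LGPL-2.1-only | MPL-2.0) & Apache-2.0
"""

# Hypothetical policy: a category per SPDX identifier, and the categories the
# product may ship. Anything not listed is "unknown" and fails closed.
CATEGORY = {
    "MIT": "permissive", "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
}
ALLOWED = {"permissive", "weak-copyleft"}

TOKEN = re.compile(r"\(|\)|&|\||[A-Za-z0-9.+-]+")


class PolicyEvaluator:
    """Recursive-descent evaluation of a license expression against a policy.

    expr := term ('|' term)* ; term := factor ('&' factor)* ; factor := '(' expr ')' | LICENSE
    Every node evaluates to (satisfiable, licenses elected, licenses blocking).
    """

    def __init__(self, expression, allowed=ALLOWED, category=CATEGORY):
        self.toks, self.i = TOKEN.findall(expression), 0
        self.allowed, self.category = allowed, category

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def evaluate(self):
        result = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return result

    def expr(self):  # '|': any one acceptable alternative satisfies the policy
        alternatives = [self.term()]
        while self.peek() == "|":
            self.take()
            alternatives.append(self.term())
        for ok, chosen, _ in alternatives:
            if ok:
                return True, chosen, []
        return False, [], sorted({b for _, _, blocking in alternatives for b in blocking})

    def term(self):  # '&': every conjunct must be acceptable
        parts = [self.factor()]
        while self.peek() == "&":
            self.take()
            parts.append(self.factor())
        ok = all(p[0] for p in parts)
        chosen = [lic for p in parts for lic in p[1]] if ok else []
        return ok, chosen, sorted({b for p in parts for b in p[2]})

    def factor(self):
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError("malformed license expression")
        if self.category.get(tok, "unknown") in self.allowed:
            return True, [tok], []
        return False, [], [tok]


def check_expression(expression, allowed=ALLOWED):
    return PolicyEvaluator(expression, allowed).evaluate()


def parse_manifest(text):
    """Split the manifest into one dict per package record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit(manifest_text, allowed=ALLOWED):
    """One result per package: can it ship, which licenses to elect, which block it."""
    results = []
    for rec in parse_manifest(manifest_text):
        ok, chosen, blocking = check_expression(rec["LICENSE"], allowed)
        results.append({"package": rec["PACKAGE NAME"], "license": rec["LICENSE"],
                        "ok": ok, "chosen": chosen, "blocking": blocking})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_MANIFEST):
        print("OK  " if r["ok"] else "FAIL", r["package"], r["chosen"] or r["blocking"])
```

The elected licenses for dual-licensed packages are worth recording alongside the SBOM: a package shipped under `GPL-2.0-only | BSD-3-Clause` is only compliant with this policy because the BSD option was chosen, and the release documentation should say so.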

CVE MITIGATION

Our team of engineers performs a deep analysis to determine the impact of the CVE on your Linux platform. We work with you to prioritize remediation options and timing. We backport, validate, and verify community-based patches before we apply them to your code. If a community solution is unavailable, we work with your engineering team to architect a technical solution.

  • Prioritization of existing CVEs
  • Backporting, validation, and verification of existing community patches for CVEs, applying those to your Linux platform
  • Development of new solutions, if community patches don’t exist for CVEs

LICENSE USE MITIGATION

Once the license compliance plan is agreed, our engineers carry out the remediation: replacing restricted components with alternatives or developing new solutions, according to the priorities and timing set in the plan.

  • Prioritization of restricted licenses, with mitigation plan
  • Alternate packages, or development of new solutions, to avoid restricted licenses

FOCUS ON QUALITY

We ensure you have a high-quality and stable Linux platform, and all remediation efforts enter the Wind River continuous integration (CI) pipeline for a nightly/weekly/monthly build and test process throughout development. After remediation testing and release, Wind River will generate a new software bill of materials and documentation that can be used for project verification.

  • All modifications to your platform through patches or custom engineering validated and verified before redeployment
  • Nightly builds and test process leveraging the Wind River CI pipeline to ensure high quality

SOFTWARE BILL OF MATERIALS AND RELEASE DOCUMENTATION

A new software bill of materials is generated after every code modification.

  • Release with all patches to fix CVE and license issues as per the mitigation plan
  • Online release dashboards and reports to track fixes and progress
  • Release notes to capture the CVEs fixed

COMMUNITY UPSTREAM

Wind River can be your partner and voice for the Yocto Project.
We can work on your behalf to upstream and contribute any fixes or engineered resolutions back to the community.

GLOBAL SUPPORT

Wind River has a global team of experts to support your Linux platform. Additional support options are available.

  • Online support portal to submit tickets during the remediation period
  • Review by Wind River engineers to ensure timely response
  • Premium Support options for customers needing dedicated engineers well versed in their project

GLOBAL SUPPORT CENTERS

  • North America: Ottawa, Canada; Dublin, OH; Alameda, CA; Detroit, MI; Costa Rica
  • South America: Cordoba, Argentina (C/E Services Only)
  • Europe: Stockholm, Sweden; Paris, France; Munich, Germany; Galati, Romania
  • China: Chengdu; Beijing
  • Korea: Seoul
  • Japan: Tokyo

OPEN SOURCE LEADERSHIP AND ENGINEERING EXPERTISE

Wind River is a founding member of the Linux Foundation’s Yocto Project. We are one of the top contributors and maintainers of several key components.

  • Leading commercial contributor with commits to the Yocto Project for the last five years
  • Recent contribution of a security response tool
  • Proven project governance and advocacy within the community

FEATURED BLOG

From Prototype to Post-Deployment: Linux Decision Points

In the embedded industry, the lifecycle of a Linux product can last 5, 10, or even 15 years or more, so the decisions you make now and along the way will impact speed, quality, and resources for years to come. They can also create technical debt and directly impact future scalability, profitability, and the overall success of your project.
