Lifecycle Security for Legacy Linux Platforms

Wind River Studio Linux Services Helps Network Equipment Provider Find and Fix CVEs on Its Yocto Project Linux Platform, Slashing Technical Debt and Costs


KEEPING THE FOCUS ON INNOVATION

It’s a common challenge for network equipment companies: The priority is creating breakthrough innovations, not supporting and maintaining legacy software on deployed equipment. But the unfortunate consequence, all too often, is a buildup of technical debt, higher security risks, and unstable software platforms.

In the case of one long-term Wind River® customer, a network equipment and solutions provider known globally for its advances in automated, cloud-accessible networks, the laser focus on innovation meant routine maintenance of its Yocto Project Linux platform took a back seat. With service level agreements in place with the end customer, the development team realized late in the game that it couldn’t deploy new software until all critical security risks in the OS were found and fixed.

The solution: Wind River Studio Linux Services portfolio, which includes the lifecycle security service. Using the carefully curated CVE scanner, Wind River experts identified more than 1,500 CVEs on the customer’s legacy Linux platform, of which more than 80 were critical.

The Wind River team analyzed the true impact of the CVEs and collaborated with the company’s engineers to prioritize the vulnerabilities needing immediate attention. In addition, Wind River is providing ongoing security management and implementing quality checks and testing on the customer’s hardware, with nightly builds to ensure ongoing, high-quality fixes for its OS platform and BSPs. The Studio Linux Services team also provided online release dashboards and reports to track fixes and progress, with release notes and artifacts to capture the CVEs and defects fixed in a release.
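The triage step described above (take a raw CVE scan, drop what is already patched or deliberately ignored, and rank what remains so the critical items get attention first) can be illustrated with the JSON report that the Yocto Project's own cve-check class writes for an image. The following is an added example, not Wind River's scanner or the customer's data: the field names (package name/version, per-issue id, scorev2/scorev3, vector, status) follow the shape of that class's JSON output as an assumption, and the sample report and its CVE identifiers are constructed placeholders, not real findings.

```python
"""Triage a Yocto cve-check style JSON report: keep unpatched findings, rank by CVSS."""
import json

# Constructed sample report. The layout mirrors what poky's cve-check class
# writes (assumed field names); the CVE ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "version": "1.1.1k",
         "issue": [
             {"id": "CVE-0000-0001", "scorev2": "7.5", "scorev3": "9.8",
              "vector": "NETWORK", "status": "Unpatched"},
             {"id": "CVE-0000-0002", "scorev2": "5.0", "scorev3": "7.5",
              "vector": "NETWORK", "status": "Patched"},
         ]},
        {"name": "busybox", "version": "1.33.1",
         "issue": [
             {"id": "CVE-0000-0003", "scorev2": "4.6", "scorev3": "5.5",
              "vector": "LOCAL", "status": "Unpatched"},
             {"id": "CVE-0000-0004", "scorev2": "0.0", "scorev3": "",
              "vector": "", "status": "Ignored"},
         ]},
    ],
})


def severity(score):
    """Map a CVSS base score to the NVD qualitative rating."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def triage(report_json):
    """Return the unpatched findings, highest CVSS first.

    Patched entries (a backport is applied in the recipe) and Ignored entries
    (CVE_CHECK_IGNORE after analysis) are filtered out so the list only holds
    open work. scorev3 is preferred; scorev2 is the fallback for old CVEs.
    """
    report = json.loads(report_json)
    findings = []
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = float(issue.get("scorev3") or issue.get("scorev2") or 0.0)
            findings.append({
                "package": pkg["name"],
                "version": pkg.get("version", ""),
                "cve": issue["id"],
                "score": score,
                "severity": severity(score),
                "vector": issue.get("vector", ""),
            })
    # Highest score first; CVE id as a stable tie-breaker for reproducible reports.
    findings.sort(key=lambda f: (-f["score"], f["cve"]))
    return findings


def summary(findings):
    """Count open findings per severity, e.g. {'CRITICAL': 1, 'MEDIUM': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    open_findings = triage(SAMPLE_REPORT)
    print(summary(open_findings))
    for f in open_findings:
        print(f"{f['severity']:8} {f['score']:4.1f} {f['cve']:15} "
              f"{f['package']} {f['version']} ({f['vector']})")
```

The CVSS score is only the first cut. The "true impact" analysis the page refers to still has to ask whether the affected code is built into the image, whether the vulnerable path is reachable (a NETWORK vector on a service that is not exposed is a different priority from one on a management interface), and whether a fix can be backported without breaking the BSP; those decisions are what turn a 1,500-entry scan into a short list.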

The net result: The customer no longer needs to worry about its base Linux platform getting in the way of deploying new services. With reliable and timely security fixes and ongoing, comprehensive testing performed by Wind River experts, the company can focus on its strength: creating new innovations in middleware, applications, and devices. And it can accelerate time-to-market for new offerings that excite customers and drive higher revenue.

The Wind River Studio security scanner provides an easy-to-navigate dashboard to quickly identify critical security vulnerabilities

Along the way, the company is saving a huge amount of time and money. According to the Linux Foundation, the average “request to fix” time for Linux CVEs is 100 days. With Wind River, finding and fixing the CVEs was much faster and more cost-efficient than doing it internally. Moreover, the Wind River fixes are already validated on multiple platforms, translating to faster deployments, which helps avoid missed SLAs and penalties.

Simply put, Studio Linux Services are a faster, smarter way to save resources and keep the focus on innovation, not CVEs.

Try our security scanning service for free at: www.windriver.com/services/linux.

Highlights

Global network equipment and solutions provider uses Studio Linux Services to identify, prioritize, and remediate critical Common Vulnerabilities and Exposures (CVE) entries on its legacy Yocto Project Linux platform and implement ongoing security testing and updates to meet SLAs for end customers (mobile service providers, device manufacturers, etc.).

Challenges

  • Business priority is innovation, resulting in accumulation of technical debt
  • Difficult to assign valuable engineers to find and fix CVEs on an ongoing basis
  • No lifecycle strategy for maintaining legacy Linux platform translates to difficulty meeting SLAs of end customers

Studio Linux Services Solution

  • Lifecycle Security Service
  • CVE identification, prioritization, and mitigation using the Wind River CVE scanner tool
  • Quality checks and testing on the customer’s hardware
  • Online release dashboards and reports to track fixes and progress

Outcomes

  • Reduction in the cost of finding and fixing CVEs compared to using internal resources and methodologies
  • Ability to meet end-customer SLAs with confidence
  • Avoidance of ongoing accumulation of technical debt
  • Continued focus on innovation and time-to-market rather than software maintenance
