Lifecycle Security for Legacy Linux Platforms
A leading network equipment provider needed a fast, inexpensive way to find, prioritize, and remediate CVEs on its legacy Yocto Project Linux platform.
The goals were to keep the focus on innovation rather than software maintenance, stop accumulating technical debt and security risks, and accelerate the deployment of new software that met end customers' SLAs.
Wind River Solution
Using the professional-grade CVE scanning tool, an integral part of the Wind River® Studio Linux Services portfolio, Wind River experts identified more than 1,500 CVEs on the customer’s legacy Linux platform, of which more than 80 were critical.
- In collaboration with the customer’s engineers, the Wind River team prioritized the vulnerabilities and fixed the most critical.
- Wind River is also providing ongoing security management, with quality checks and testing on the customer’s hardware.
The customer no longer needs to worry about its base Linux platform getting in the way of innovation.
With reliable and timely security fixes and ongoing, comprehensive testing performed by Wind River experts, the company can focus on two objectives: creating middleware, applications, and devices that excite customers and drive higher revenue while also meeting the commitments of the end customers’ service-level agreements.
Accelerating Automotive Innovation
One of our automotive customers needed to develop new features that could be quickly integrated into upcoming models in a more agile manner. Its developers wanted to leverage the innovations in open source software while maintaining a level of quality that matched their brand.
But the customer quickly realized that the cost to build up an in-house team to manage its Linux distribution would be prohibitive and an impediment to continuous innovation, especially given the 10–15 year lifecycles of automobiles. The management of the multiple Linux platforms across product lines was not a value add to the business, and our client needed to prioritize investment in developing new and differentiating features related to safety and security.
Wind River Solution
Wind River architected and implemented a Yocto Project–based Linux solution that provided the maximum flexibility in adding critical features such as real-time performance, enhanced security, and over-the-air update capabilities. Wind River also provided:
- Lifecycle security monitoring and mitigation for the escalating volume of high-risk common vulnerabilities and exposures (CVEs).
- Ongoing maintenance updates whenever a new version of the Yocto Project was released, which gave our customer the flexibility to implement the updates during regular scheduled maintenance or on demand.
- Long-term premium support with a service-level agreement (24-hour response time, for example) on all versions of the Yocto Project platform for 10 years, with an option to extend even longer.
Our client was able to completely offload the management of its Linux distributions to Wind River Studio Linux Services within 10 months, and the result is a custom-configured system with regular updates and security monitoring services.
The customer has transitioned its entire Linux team of 15 to focus on building and integrating new features and capabilities regularly. The company has accelerated time-to-new-feature by at least six months and is realizing an increase in total return on investment for new applications of more than 30%.
Reducing Unacceptable Residual Risk
A medical device customer needed a product refresh of its Class III blood analysis machine. The customer was concerned about a recent mandate from the U.S. Food and Drug Administration (FDA) requiring medical device manufacturers to report identified vulnerabilities to the FDA under CFR 806.
To address these requirements, it needed to demonstrate that it could meet the required timeline to fix vulnerabilities, validate changes, and distribute deployable fixes to its end customers and user community within 60 days. Current updates to fielded products required a technician to go onsite and also meant operational downtime for the end user.
Wind River Solution
The Wind River® team started with a Security Assessment, which identified that our client was not keeping its device platform up-to-date with fixes to high-risk CVEs.
- Wind River provided a CVE management service that delivers ongoing vulnerability monitoring and mitigation.
- To help meet the 60-day timeline requirement, Wind River identified an over-the-air (OTA) open source solution, Aktualizr, that would check for new releases periodically and automatically update the device.
- After close collaboration with the customer’s development team, Wind River identified several areas where incremental engineering work and customizations would be required.
Updating devices via an OTA solution allowed the customer to more efficiently meet the requirement to implement vulnerability fixes safely and securely in 60 days, saving time and costs.
Limited service technician resources now focus on critical issues rather than routine updates. And by relying on Wind River technical experts to architect and implement the OTA solution, the customer eliminated the time, effort, and overhead required to hire incremental developers and leveraged Wind River prior experience in successfully building other OTA solutions.
The customer now has an OTA solution to update fielded devices that can scale to meet the needs of other projects and future devices.
Removing Legacy Costs
Our market-leading customer provides software for autonomous vehicles used in industrial operations applications. Its proprietary software platform had reached end-of-life and the company could no longer add new capabilities, causing a disruption that impacted its end customers and started to chip away at its leadership position in the market.
Over the years its portfolio, along with the supporting OS platform, had sprung many branches with different hardware and different OS versions, propagating a variety of dead-end software versions. Its small in-house team was managing multiple OS platforms, and this was impacting time-to-market and competitiveness. Our customer was eager to expand into other areas of vehicle control systems but was deterred by the internal costs of supporting the older implementations.
Wind River Solution
The client wanted to move away from building and supporting its own Linux implementation so that its teams could focus on the application layer and not the OS.
- Wind River started with a Solution Assessment that recommended moving from a proprietary platform to a Yocto Project–based solution, which would allow the company to customize its solution and quickly leverage new technologies, such as OTA updates, to better manage fleets and deploy new software packages on demand.
- We delivered an initial Yocto Project platform with a single-pane-of-glass view to deploy and orchestrate the software assets. This platform was then extended over time to the remainder of the vehicle targets.
- The final solution piece was a Lifecycle Assurance Service that provides ongoing security and other defect resolution over the full lifecycle of the product line.
Wind River was able to assess our customer’s operating system platform needs, make a recommendation, implement a technical solution, and then provide ongoing lifecycle management of the overall solution. The customer was able to put its small in-house OS team to better use working on application software to provide more value add to customers.
Within six months, the customer achieved improvements in operating margins and regained competitiveness within its product line. This noticeable success improved confidence in the development team and resulted in accelerated productivity, as measured by releases and updates deployed on schedule or even early.
Reining in Cost Overruns
Our customer in the communications industry needed to improve the profitability of its flagship broadband product line. Its time-to-market had increased and development and test cycles were taking too long. In addition, R&D costs were climbing due to the increasing time and effort required to maintain and constantly secure earlier versions of its Linux platform. Another key issue was the months of effort required to validate the dozens of various hardware boards from NXP, Intel®, Broadcom, and AMD that it used in its product line.
With a fixed team and no ability to increase budget, skilled engineers were working on maintenance problems rather than innovating and adding critical features to upcoming releases. The lack of stimulating work created an employee retention problem for designers with key skills.
Wind River Solution
Wind River worked with the customer's engineering management team on a Solution Assessment to determine what was needed and how to prioritize implementation. This assessment led to three key discoveries:
- The customer was spending a significant amount of time just building the Linux platform. We transitioned the customer from the aging in-house platform to a Yocto Project–based platform.
- The customer was spending months of effort on hardware validation. One immediate benefit of the new Yocto Project platform was the ability to leverage board support packages (BSPs) from key board vendors. Wind River worked with the vendors to get early access to BSPs and was able to cut the validation time in half.
- The customer was not upstreaming vulnerability and defect fixes. Over time this resulted in spending significant effort to remove technical debt — time that could have been spent innovating new functionality. To address this, Wind River agreed to continuously monitor and manage the health of the customer's code. Wind River will identify new security vulnerabilities and defects, prioritize them, and perform immediate remediation.
Once the program was started, the customer was able to shorten time-to-market by about 50%. In addition, the company was able to reduce internal costs by transitioning three key developers from maintenance activities to more innovative tasks.
Because Wind River Studio Linux Services was managing the lifecycle maintenance process, the customer was able to move five support engineers into other roles, including test and integration.
In all, it was able to save or reallocate 15 positions, resulting in budget savings of $2.6 million per year.