Wind River Studio Linux Services: Lifecycle Security

Wind River offers ongoing CVE monitoring, mitigation, and management of your Linux platform throughout the software development and deployment lifecycle.


Securing your embedded Linux platform is a full-lifecycle responsibility. Ongoing monitoring and mitigation of the known vulnerabilities that affect your project requires a sustained engineering investment, from development through deployment and for the whole operational lifetime of the product.

Scanning code for CVEs and license compliance issues helps identify risks before they become a liability. Critical and high-severity vulnerabilities that affect your code must be remediated, and because new vulnerabilities are published every day, CVE monitoring, prioritization, and mitigation have to be ongoing. Wind River® delivers ongoing monitoring, mitigation, and management of Common Vulnerabilities and Exposures (CVEs) for your embedded Linux platform throughout the software development and deployment lifecycle.

What We Deliver

CONTINUOUS SECURITY MONITORING

We provide continuous and proactive monitoring of the health of your embedded Linux platform, with timely alerts to new CVEs as they emerge. Leverage our curated knowledge base of CVEs built from public sources such as the NIST National Vulnerability Database (NVD), the Yocto Project, and the MITRE CVE list.

  • Full scan of your platform, comparison to our extensive database to accurately identify potential vulnerabilities, and deep analysis by our engineers of the true impact on your platform
  • On-demand scans of your Linux platform comprising your kernel, BSP, and shared and user libraries
  • Detailed security report identifying all the CVEs that are open against your Linux platform

LICENSE USE IDENTIFICATION

Scan your Linux platform to produce a detailed report of all the licenses used in it, including those of transitive dependencies.

  • On-demand scans of your Linux platform comprising your kernel, BSP, and shared and user libraries
  • Ability to scan for all licenses used in your platform, categorize them as permissive or copyleft, check their compatibility with one another, and follow transitive dependencies
  • Detailed license report identifying all the licenses used in your embedded Linux Platform
  • Implementation services available to assist with license compliance remediation

COLLABORATIVE TRIAGE AND ASSESSMENT

Work with our team to quickly identify and prioritize vulnerabilities based on their Common Vulnerability Scoring System (CVSS) score, the severity of their impact, how difficult they are to exploit, and whether they can be avoided. We work with you to build release plans that address critical and other prioritized CVEs.

  • Detailed security report identifying CVEs open against your platform
  • Fixes for newly identified Critical and High CVEs (CVSSv3 base score of 7.0 or above)
  • Online support portal for customers to request fixes for non-critical CVEs (CVSSv3 base score below 7.0)
  • Request review by Wind River engineers, with timely response
  • Premium Support options for customers needing dedicated engineers well versed in their project

CVE MITIGATION

Our team of engineers performs a deep analysis to determine the impact of the CVE on your Linux platform. We work with you to prioritize remediation options and timing. We backport, validate, and verify community-based patches before we apply them to your code. If a community solution is unavailable, we work with your engineering team to architect a technical solution.

  • Fixes for Critical and High CVEs (CVSSv3 base score of 7.0 or above)
  • Collaboration and prioritization of medium and low CVEs
  • Emergency patches to fix critical CVEs
  • Quarterly patches to fix other prioritized CVEs
  • Remediation packages available to help catch up on CVE technical debt
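The triage and mitigation sections above describe one policy: open CVEs with a CVSSv3 base score of 7.0 or above get a committed fix (Critical ones as emergency patches, High ones in the regular cadence), lower scores go through the support portal for collaborative prioritization, and anything without a usable score needs an engineer's judgment. The script below is an added example, not Wind River's tooling, that applies that policy to a scan report. Its input is a constructed JSON document shaped like the summary the Yocto Project's cve-check class writes (package entries with issue lists carrying id, scorev2, scorev3, vector and status); those field names and the status value "Unpatched" are assumptions about your report format, and the CVE ids and scores in the sample are synthetic.

```python
"""Triage open CVEs from a cve-check style JSON summary against a CVSSv3 >= 7.0 fix threshold.

Added example, not Wind River's tooling. The field names below mirror the Yocto
cve-check JSON summary as an assumption; adapt them to the report you actually have.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

FIX_THRESHOLD = 7.0        # CVSSv3 base score at and above which a fix is committed
EMERGENCY_THRESHOLD = 9.0  # CVSSv3 "Critical" band: emergency patch instead of the quarterly roll-up

# Constructed sample input: synthetic CVE ids and scores, not real advisories.
SAMPLE_CVE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "layer": "meta", "version": "3.0.8",
         "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-0000-0001", "summary": "constructed", "scorev2": "7.5",
              "scorev3": "9.8", "vector": "NETWORK", "status": "Unpatched"},
             {"id": "CVE-0000-0002", "summary": "constructed", "scorev2": "4.3",
              "scorev3": "5.3", "vector": "NETWORK", "status": "Unpatched"},
             {"id": "CVE-0000-0005", "summary": "constructed", "scorev2": "5.0",
              "scorev3": "7.5", "vector": "NETWORK", "status": "Patched"}]},
        {"name": "busybox", "layer": "meta", "version": "1.36.0",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [
             {"id": "CVE-0000-0003", "summary": "constructed", "scorev2": "6.8",
              "scorev3": "7.8", "vector": "LOCAL", "status": "Unpatched"},
             # Older CVEs are often only scored under CVSSv2; cve-check then reports v3 as 0.0.
             {"id": "CVE-0000-0004", "summary": "constructed", "scorev2": "7.2",
              "scorev3": "0.0", "vector": "LOCAL", "status": "Unpatched"}]},
    ],
})


@dataclass
class Triage:
    cve: str
    package: str
    version: str
    scorev3: Optional[float]
    severity: str
    bucket: str  # emergency | scheduled | portal | review


def cvss3_severity(score: Optional[float]) -> str:
    """Map a CVSSv3 base score to the standard qualitative rating."""
    if score is None or score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _parse_score(raw) -> Optional[float]:
    """cve-check stores scores as strings; treat missing, unparsable or 0.0 as 'not scored'."""
    try:
        score = float(raw)
    except (TypeError, ValueError):
        return None
    return score if score > 0.0 else None


def triage(summary_json: str, threshold: float = FIX_THRESHOLD) -> List[Triage]:
    doc = json.loads(summary_json)
    out: List[Triage] = []
    for pkg in doc.get("package", []):
        for issue in pkg.get("issue", []):
            # Only "Unpatched" issues are open; Patched/Ignored entries are already closed.
            if issue.get("status") != "Unpatched":
                continue
            v3 = _parse_score(issue.get("scorev3"))
            if v3 is None:
                bucket = "review"        # no CVSSv3 score: the threshold cannot be applied mechanically
            elif v3 >= EMERGENCY_THRESHOLD:
                bucket = "emergency"     # Critical: emergency patch
            elif v3 >= threshold:
                bucket = "scheduled"     # High: committed fix in the regular cadence
            else:
                bucket = "portal"        # Medium/Low: request and prioritize via the support portal
            out.append(Triage(issue["id"], pkg["name"], pkg.get("version", ""),
                              v3, cvss3_severity(v3), bucket))
    # Highest score first, unscored entries last, so the report reads top-down by urgency.
    out.sort(key=lambda t: (-(t.scorev3 if t.scorev3 is not None else -1.0), t.cve))
    return out


def summarize(items: List[Triage]) -> Dict[str, List[str]]:
    """Group CVE ids by bucket, keeping every bucket present even when empty."""
    buckets: Dict[str, List[str]] = {"emergency": [], "scheduled": [], "portal": [], "review": []}
    for t in items:
        buckets[t.bucket].append(t.cve)
    return buckets


if __name__ == "__main__":
    for t in triage(SAMPLE_CVE_SUMMARY):
        print(f"{t.bucket:9} {t.cve:14} {t.package}-{t.version}  CVSSv3={t.scorev3}  {t.severity}")
```

The "review" bucket is the part worth keeping when you adapt this: a CVE that has only a CVSSv2 score (or no score yet because NVD has not analysed it) is not "below threshold", it is unscored, and silently routing it to the low-priority queue is how a serious issue in an old package gets missed.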

FOCUS ON QUALITY

All remediation work enters the Wind River continuous integration (CI) pipeline, where it goes through nightly, weekly, and monthly build-and-test cycles throughout development, so that your Linux platform stays stable and high quality. After remediation testing and release, Wind River generates a new software bill of materials (SBOM) and documentation that you can use for project verification.

  • All modifications to your platform through patches or custom engineering validated and verified before redeployment
  • Nightly builds and test process leveraging the Wind River CI pipeline to ensure high quality
  • Emergency patches to fix your critical CVEs and quarterly patches to fix other CVEs

SOFTWARE BILL OF MATERIALS & RELEASE DOCUMENTATION

A new software bill of materials is generated after every code modification.

  • Online release dashboards and reports to track fixes and progress
  • Release notes to capture the CVEs fixed in a release

COMMUNITY UPSTREAM

Wind River can be your partner and voice for the Yocto Project.
We can work on your behalf to upstream and contribute any fixes or engineered resolutions back to the community.

GLOBAL SUPPORT

Wind River has a global team of experts to support your Linux platform. Additional support options are available.

  • Online support portal to submit tickets during the remediation period
  • Review by Wind River engineers to ensure timely response
  • Premium Support options for customers needing dedicated engineers well versed in their project

GLOBAL SUPPORT CENTERS

  • North America
      • Ottawa, Canada
      • Dublin, OH
      • Alameda, CA
      • Detroit, MI
      • Costa Rica
  • South America
      • Cordoba, Argentina (C/E Services Only)
  • Europe
      • Stockholm, Sweden
      • Paris, France
      • Munich, Germany
      • Galati, Romania
  • China
      • Chengdu, China
      • Beijing, China
  • Korea
      • Seoul, Korea
  • Japan
      • Tokyo, Japan

OPEN SOURCE LEADERSHIP AND ENGINEERING EXPERTISE

Wind River is a founding member of the Linux Foundation’s Yocto Project. We are one of the top contributors and maintainers of several key components.
» Learn about the Yocto Project

  • Leading commercial contributor with commits to the Yocto Project for the last five years
  • Recent contribution of a security response tool
  • Proven project governance and advocacy within the community

FEATURED BLOG

From Prototype to Post-Deployment: Linux Decision Points

In the embedded industry, the lifecycle of a Linux product can last 5, 10, or even 15 years or more, so the decisions you make now and along the way will impact speed, quality, and resources for years to come. They can also create technical debt and directly impact future scalability, profitability, and the overall success of your project.
