The world is increasingly interconnected and, as a result of this, the exposure to security vulnerabilities has dramatically increased as well. The intricacies of maintaining today’s Linux-based platforms make it very challenging for developers to cover every potential entry point. In 2019 there was an average of more than 45 Common Vulnerabilities and Exposures (CVEs) logged per day.
How does a development organization keep up with that? In order to stay on top of this, developers must increasingly spend more time and effort integrating CVE patches into their solutions, at the cost of spending time developing their applications.
AUTHORITATIVE CVE SOURCE
Among other efforts, The MITRE Corporation  maintains the CVE system and is the authoritative source of CVE content, which is located on the CVE website . MITRE functions as the editor and primary CVE Numbering Authority (CNA). CVE is well known across the industry for cyber threat sharing, vulnerability priorities and exposure names.
Security attacks come in many forms and use various entry points. Each attack type comes in several flavors, as there is usually more than one way that they can be configured or camouflaged based on the experience, resources and determination of the hacker.
While some threats are more prevalent than others, a developer needs to protect against all vulnerabilities. Figure 1 shows the increase in CVEs over the last 6 years, and how many of those CVEs actually impact any given distribution.
To reduce threats on Linux-based systems, it helps to have a management process and four-step procedure to: monitor, assess, notify and remediate CVE threats. Now let’s examine the process in more detail:
1. Active Monitoring: Monitoring is essential and required due diligence for staying ahead of threats in this ever-changing world. Obviously, this alone doesn’t solve any problems, but does provide critical insight of potential vulnerabilities and is a differentiator with a trusted-vendor.
Neglect remains a big risk and some Linux providers are vulnerable from the very beginning with inferior due diligence. A solid security team’s approach would include active monitoring, rapid assessment and prioritization, proactive customer notification and timely remediation to achieve a strengthened security posture.
It is important to constantly monitor the CVE database for potential issues. In addition, it is advisable to monitor specific security notifications from US government agencies and organizations like NIST, U.S.-CERT, as well as public and private security mailing lists, for alerts from each of these organizations whenever a new security threat arises.
2. Rapid Assessment: Awareness is only the first step. As soon as a potential threat is uncovered, the level of danger associated with the threat, as well as which parts of the Linux version are exposed or vulnerable, must be determined. The vulnerability is categorized and prioritized based on impact and ranked in order of importance based on the CVE priority level and the severity of impact to a business, system performance or exposure of data.
As noted in the next steps, mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations—for example, removal of affected protocols or functionality in their entirety.
3. Proactive Customer Notification: Once an assessment is complete, the system reports back to any affected subsystems or users. The report provides sufficient detail about the vulnerability, as well as a plan to thwart the threat. The harvested information also synchronizes with the remediation process.
The notification process is more vital than ever, and may involve employing outside tools and people. This is a determination that would be made based on the assessment of the vulnerability. However, the critical element of this step is the timely handling of notifications with customers to keep damage or data loss to a minimum.
4. Timely Remediation: The remediation process occurs, triage style. Teams should gather all the information relevant to the problem so that it can be analyzed. Based on the severity, threats are either dealt with immediately or handled in a timely “bug fix” manner, which would be deployed in a later update.
Companies can clearly benefit from using a commercially supported Linux. Commercially supported Linux offers low-costs, long term support and maintenance along with comprehensive development lifecycle services. A commercial vendor can supply the training, services, maintenance and support needed. This, in turn, increases productivity and reduces the overhead associated with maintaining a unique Linux distribution.
Regular maintenance, including the four-step CVE process, can radically reduce the hassles, lower the costs and protect customers from the risks of security vulnerabilities across their entire lifecycle.
While the above management process and steps discussed here won’t ensure that all threats are avoided, they do help mitigate customer risk and reduce a system’s exposure. Developers may want to apply a critical lens when deciding to build and support their own Linux distribution or when choosing a commercial Linux OS provider. Supporting security vulnerability needs to be considered and compared to how they follow the steps outlined here.
References: The MITRE Corporation https://www.mitre.org  CVE website https://cve.mitre.org  NIST, U.S.-CERT https://www.nist.gov
Wind River | www.windriver.com
PUBLISHED IN CIRCUIT CELLAR MAGAZINE • MAY 2020 #358 – Get a PDF of the issueSponsor this Article
Glenn Seiler is Vice President of Linux Solutions for Wind River. In this role Glenn is responsible for defining and taking to market Linux and Open Source solutions for customers in embedded markets including Telecom, Industrial and Aerospace and Defense.