CVE Monitoring and Vulnerability Management

SBOM generation

In case it is not provided by our customer emlix will generate a SBOM for all components and packages included in the system software (Board support package, BSP). It will be created as as a starting point for Vulnerability tracking in compliance with IEC 5230:2020.

Monitoring and Analysis

The analysis consists of two steps. 

• Monitoring: based on the SBOM emlix evaluates the National Vulnerability Database (NVD) and the Mitre Common Vulnerabilities and Exposures Database using an extensive, automated process. Additionally some further, sometimes even product specific, sources are kept under surveillance.
• Assessment and contextualization: as required by the standards each finding will be assessed by emlix experts. In a first step package versions and configurations are taken into account. Even more important in a second step the relevance of each finding will be assessed concerning possible risks arising from the operational and application context as well as the product’s risk structure. Additionally the component specific exposure to vulnerabilities will be considered.

Report and assessment

• emlix will generate a CVE Security Report with a clear presentation of all security issues, mitigations and a recommendation for further steps (pdf or CycloneDX, VEX or SPDX). It is based on the monitoring and the subsequent expert assessment. It thereby provides valid content for supplier security compliance declarations (especially concerning CVE monitoring, vulnerability handling as well as patch and update management). Upon customer’s request the report can be made available via a Dependency Track instance hosted by emlix. It allows extended options for visualization and further analyses of SBOM and CVE data.
• Vulnerabilities, risks and mitigations will be discussed with our customer in regular meetings.

Mitigation (updates and patches)

• Upon request we support our customers in release planning and update management. emlix embedded Linux experts prepare new releases with all relevant updates and patches as agreed with our customer. Sometimes ad hoc updates are required due to some severe security issue. Typically our customer will integrate regular updates in usual product care cycles.

Customer benefits

emlix Vulnerability Management provides you with:

• maintenance of an initial product security level via continuous identification and assessment of vulnerabilities and mitigation measures (Vulnerability tracking).
• a highly efficient product and application specific risk assessment by experienced experts that leads to a significant cost and risk reduction during product maintenance.
• a transparent and understandable presentation and reporting of vulnerabilities, risks and mitigation measures with meaningful comments and recommendations.
• valid information for supplier security compliance declarations and reports as part of customer’s vulnerability disclosure process
• the means to plan releases and updates
• an efficient and cost-effective feasibility.

The emlix CVE Security Lifecycle Management and – optional – the patch and update management is designed with respect to different standards and regulations and thus contributes to the compliance argumentation of your product with regard to cybersecurity.