in your code? - Wind River · security vulnerabilities 1400000 200000 400000 600000 800000 1000000...
Transcript of in your code? - Wind River · security vulnerabilities 1400000 200000 400000 600000 800000 1000000...
™
Sources
1. http://www.mcafee.com/us/security-awareness/articles/mcafee-labs-threats-predictions-2016.aspx
2. https://www2.fireeye.com/WP-Zero-Day-Danger-LP.html
3. https://nvd.nist.gov/
4. http://www.slideshare.net/blackducksoftware/2015-future-of-open-source-survey-results
5. https://cve.mitre.org/
Learn how Wind River security monitoring can help you keep your devices protected after deployment: windriver.com/products/linux/security.
19%
310 days
6,270
Knock-Knock: Who’s There?Zero-Day Exploits Like Heartbleed,
Shellshock, and OpenSSL
2015
2016
2015
2016
Low
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000
Medium
High
Critical
CriticalHighMediumLow594
186
3,497
2,281
1,255
1,702
1,213
1,054
2015–2016 Trends
16.34% of vulnerabilities are critical.McAfee predicted that non-Windows systems would be highly targeted in 2016.
Critical Vulnerabilities and Exposures (CVEs) per year on average over the last 5 years
High severity CVEs doubled from 2015 to 2016.
2016 Vulnerabilitiesby Severity
Vulnerabilities discovered by cybercriminals remain unknown to the public for an average of 310 days. That gives cybercriminals ample time to steal organizations' most valuable assets.
The Bad
The Good
Increasing abundance of open source projects
Opportunities and Challenges with Keeping Your Code Secure
Monitoring is not very glamorous. Current research shows that developers are always excited to work on the next emerging technology, not necessarily updating the base platform.
67%don’t monitor open
source code for security vulnerabilities
1400000
200000
400000
600000
800000
1000000
1200000
02007 2009 2011 2013 2015
Using open source enables users to take fast action. Information about vulnerabilities surfaces quickly through legions of users and researchers.
Low
Medium
High
Critical
The Price of Protection
Yearly cost to staff a security monitoring team
Khighly skilled engineers
required to investigate
and address yearly CVEs
attacks
wateringholecode
action-script
exec
utio
n
man--
in the
middle
attacks
Wind River Linux fixed 5157CVEs in its Linux products in 2016.
More Connected Devices = More Data = More Risk
What’s
in yourlurking
code?
Security in the Connected Era
2.88%
35.37%
16.34%
41.90%
Wind River Keeps You Safe
MonitoringMonitoring specific security notifications from US Government
agencies and organizations like NIST, US CERT, and also public
and private security mailing lists.
AssessmentDetermining whether any supported Wind River product is
actually susceptible to the vulnerability.
NotificationNotifying affected customers of the level of susceptibility.
RemediationCreating patches for vulnerabilities even before the community
publicly announces them, or in the monthly product updates.
32.2 ZBMore Data
1BMore Users
8.1B MoreInternet-Connected
Devices
95.6 EB MoreNetwork Traffic