Lifecycle Security for Legacy Linux Platforms

2023-03-01 Wind River Zt

KEEPING THE FOCUS ON INNOVATION

It’s a common challenge for network equipment companies: The priority is creating breakthrough innovations, not supporting and maintaining legacy software on deployed equipment. But the unfortunate consequence, all too often, is a buildup of technical debt, higher security risks, and unstable software platforms.

In the case of one long-term Wind River® customer, a network equipment and solutions provider known globally for its advances in automated, cloud-accessible networks, the laser focus on innovation meant routine maintenance of its Yocto Project Linux platform took a backseat. With service level agreements in place with the end customer, the development team realized late in the game that it couldn’t deploy new software until all critical security risks in the OS were found and fixed.

The solution: Wind River Studio Linux Services portfolio, which includes the lifecycle security service. Using the carefully curated CVE scanner, Wind River experts identified more than 1,500 CVEs on the customer’s legacy Linux platform, of which more than 80 were critical.

The Wind River team analyzed the true impact of the CVEs and collaborated with the company’s engineers to prioritize the vulnerabilities needing immediate attention.

In addition, Wind River is providing ongoing security management and implementing quality checks and testing on the customer’s hardware, with nightly builds to ensure ongoing, high-quality fixes for its OS platform and BSPs. The Studio Linux Services team also provided online release dashboards and reports to track fixes and progress, with release notes and artifacts to capture the CVEs and defects fixed in a release.

The net result: The customer no longer needs to worry about its base Linux platform getting in the way of deploying new services. With reliable and timely security fixes and ongoing, comprehensive testing performed by Wind River experts, the company can focus on its strength: creating new innovations in middleware, applications, and devices. And it can accelerate time-to-market for new offerings that excite customers and drive higher revenue.

Along the way, the company is saving a huge amount of time and money. According to the Linux Foundation, the average “request to fix” time for Linux CVEs is 100 days. With Wind River, finding and fixing the CVEs was much faster and more cost-efficient than doing it internally. Moreover, the Wind River fixes are already validated on multiple platforms, translating to faster deployments, which helps avoid missed SLAs and penalties.

Simply put, Studio Linux Services are a faster, smarter way to save resources and keep the focus on innovation, not CVEs.

Highlights

Global network equipment and solutions provider leverages Studio Linux Services to identify, prioritize, and remediate critical vulnerability exposures (CVEs) on its legacy Yocto Project Linux platform and implement ongoing security testing and updates to meet SLAs for end customers (mobile service providers, device manufacturers, etc.).

Challenges

• Business priority is innovation, resulting in accumulation of technical debt
• Difficult to assign valuable engineers to find and fix CVEs on an ongoing basis
• No lifecycle strategy for maintaining legacy Linux platform translates to difficulty meeting SLAs of end customers

Studio Linux Services Solution

• Lifecycle Security Service
• CVE identification, prioritization, and mitigation using the Wind River CVE scanner tool
• Quality checks and testing on the customer’s hardware
• Online release dashboards and reports to track fixes and progress

Outcomes

• Reduction in the cost of finding and fixing CVEs compared to using internal resources and methodologies
• Ability to meet end-customer SLAs with confidence
• Avoidance of ongoing accumulation of technical debt
• Continued focus on innovation and time-to-market rather than software maintenance
Try our security scanning service for free at: www.windriver.com/services/linux.