Technical Tactics: Embedded Linux Software BOM

Presented at BSidesLV 2017, July 26, 2017, 10:30 a.m. (10 minutes).

Manufacturers in the medical, industrial and automotive industries can no longer just design a product and sell it, unchanged, for a decade. Keeping their products up to date on OS and library versions is crucial for maintaining safety and security. This is a herculean task for many manufacturers. Many do not even know what libraries are installed on their device. Those that do find it hard to keep up to date on known library vulnerabilities. I will go over how to use open source tools to generate a software Bill of Materials for an embedded Linux system (even one you didn't design! *wink wink*) and how to cross-reference that BOM with the NIST NVD to search for known third-party vulnerabilities. I will then show how to integrate that process into a continuous integration system so that you can get automated updates when new CVEs are discovered.

Presenters:

  • Daniel Beard - Director - MedISAO
    Daniel is VP of Technology at Promenade Software, a medical device software services company, and Director of MedISAO, an information sharing and analysis organization specifically targeting small-to-medium medical device manufacturers. Talk to him about anything regarding medical devices, automation or embedded security.

Links: