By Amit Ronen, Senior Vice President, Wind River Customer Success
Wind River’s experience with Linux and open source over the past nearly two decades across mission-critical industries is well-known throughout the industry. In fact, according to VDC Research, Wind River is ranked as the market leader in commercial embedded Linux global revenues.
Even as Linux adoption and understanding of community value increase, companies do experience significant challenges related to technical debt - forking from the mainline, failing to stay current, and not upstreaming contributions back to the community. We have been pioneers in the industry to help reduce technical debt from the mission-critical industries we serve, including aerospace, automotive, defense, industrial, medical, and telecommunications.
Only 7% of embedded development professionals track technical debt, but 66% of us experience significant amounts of it in projects and programs we work in from design and all the way through the entire lifecycle of a device or system. Technical debt puts a brake on innovation, reduces project velocity, increases security vulnerability, and in an age where talent is limited, can put a choke hold on resources.
Today we bring together our mission-critical embedded Linux and services expertise, along with our contributions to the Yocto Project community (second largest contributor since the inception of the Yocto Project) for the launch of Wind River Studio Linux Services.
With Studio Linux Services, Wind River is offering the following services:
- Security and Compliance Scanning
- Security and Compliance Analysis and Remediation
- Lifecycle Security
- Lifecycle Performance Assurance
- Architecture and Implementation
The first two Security and Compliance services are designed to help organizations with the exponential increase in security exploitations over the last few years. Applying security safeguards is now a top priority for development teams. Still, these teams may not have the bandwidth or time to remediate security vulnerabilities or the experience of using proper compliance analysis tools. We leverage automated security and compliance scanning, tuned for complex embedded software systems to help developers quickly identify potential vulnerability or license issues in their solution. A professional-grade security and compliance scanner provide developers with a thorough assessment of the potential risks for common vulnerabilities and compliance issues. A vulnerabilities scanning assessment can help flag critical points of concern that require a deeper analysis to determine the impact and effort to mitigate followed by an execution of a remediation plan to help close the technical debt identified. We use a curated collection of data sources, including Yocto, NIST, and other public sources, and from the Wind River Linux, database to flag known common vulnerabilities exposure (CVEs).
Let’s consider the automobile as an analogy -- the first two services are similar to a [security] diagnostics service and mitigation or repair of existing vulnerabilities. The next two services could be comparable to automotive service contracts and are designed to address the lifecycle challenges your project will face as it is deployed and supported for years to come. Post-deployment is often where some of the most difficult challenges and unexpected escalation costs can occur and requires a disciplined approach to managing the risk and exposure to security vulnerabilities, defects, and compliance issues. With the Lifecycle Security and Lifecycle Performance Assurance services, Wind River provides ongoing monitoring and mitigation of known vulnerabilities and defects impacting your project. These tasks require engineering resource commitment and investment that is often not considered during the planning and kick-off phases but will require resources from development to deployment and throughout the operational lifetime of your product.
The two Lifecycle Services provide important features such as continuous security monitoring and on-demand scans of your Linux platform, license usage identification so that you can manage your Linux compliance requirements. We scan for all licenses used in your Linux platform and categorize them based on their permissiveness, copyleft, compatibility, and transitive dependencies. We also provide collaborative triage and assessment where we help your team quickly identify and prioritize the vulnerabilities based on a common vulnerability threshold (CVSS), the severity of impact, and difficulty of attack. We work with teams to build release plans to address the critical and prioritized CVEs and defects, and then we execute this plan and fix the issues highlighted. You can quickly see how implementing these services is a cost-effective way of expanding or augmenting your development team so that they can focus on the core task of building your application services. Again, using the automobile analogy, those two services are the long-term bumper-to-bumper maintenance service most OEMs offer.
Our fifth service, the Architecture and Implementation Service, is where we help move our customers from the ideation phase or proof of concept to a successful deployable product. This incorporates system architecting, feature design and integration, and long-term manageability considerations for the entire software development lifecycle (SDLC). We have successfully used this service for some of our largest Linux customers using open source to innovate new products for the automotive, industrial, medical, and aerospace industries, and now we can apply it to your Yocto-based project.
We understand that some organizations may want to start their Linux journey somewhere other than Wind River Linux. Perhaps they want to leverage a board-specific Linux from a semi-conductor provider like NXP, TI, or AMD. Or they may want to try their hand at building their own Yocto Project-based distribution. Regardless of how an organization sources their Linux platform, there are common challenges everyone must overcome. Studio Linux Services is here to help reduce open source project risk while accelerating time to application deployment, so you can lower your total cost of ownership and focus your valuable resources on innovation.
For more information visit our Studio Linux Services site.