Skip to main content

Codiax CVE Monitoring Services

We help you take control over your CVEs

We at Codiax help our customers identify, classify and mitigate CVEs using our
CVE Monitoring Process - CMP

With CMP we provide

  • Frequent scanning of the CVE database for your system
  • Assessment of relevancy of the applicable CVEs
  • Mitigation with updates, patches or system redesign
  • Reporting of final status after mitigation

All open source software contains vulnerabilities that can potentially be exploited, either intentionally or by accident. Results can be extremely serious depending on the impact of the vulnerability and the type of system the software is used in. Some examples of impacts are denial of service, performance degradation, system malfunction and ransomware. Systems that are connected to networks are usually more exposed to threats than systems that are not, but standalone systems may also be exposed. The open source software used in embedded systems needs to be reviewed for known threats and these must be mitigated appropriately.

Common Vulnerabilities and Exposures (CVEs) är ett definierat koncept för att identifiera, definiera och kategorisera offentligt identifierade cybersäkerhetssårbarheter. En CVE-databas finns tillgänglig på Internet och kan användas för att söka efter CVE:er som omfattar koden som används i ditt system.

CVE management

To successfully manage the CVEs that affect a system the following actions and considerations are normally needed

1

Scanning the database to find CVEs that affect the open source components in your system is the first task, then all CVEs that have been found need to be assessed for relevancy. Whether it is relevant to mitigate a CVE for your system or not depends on how your system is designed, and how the software is configured and built. The assessment requires system knowledge as well as adequate tools.
2

When relevant CVEs have been identified they need to be addressed in order to be mitigated. This is done either by code adaptation, change in usage, or possibly through system redesign.
3

After the mitigation, documentation should be created to show the current status of the software used in the system.

Questions that many companies face in relation to CVEs are how this scanning, assessment, mitigation and documentation shall be performed, and how frequently? What knowledge, experience and tools are required?

We at Codiax have many years of experience in this area. We offer our CVE Monitoring Services to our customers, in which we use the CVE Monitoring Process – CMP, to frequently go through all the above steps for our customers' systems.

CMP is a complete process from the first initial set-up to it completion with updated code and documentation. The process can be executed once, but we normally recommend it to be repeated on a regular basis.

CVE övervakningens olika faser

At Codiax we have developed tools that assist in the different phases of the process.

The input to CMP can either be a CVE list from a Yocto build system scanning, or any list of open source packages used in the system. To understand how the system is designed and how the open source packages are used we need access to system documentation. If we also get access to the product build environment, that enables for more efficient assessment and update phases.

With our CVE monitoring services, Codiax can take responsibility for the complete CVE management for you.