OPEN-SOURCE SOFTWARE FOR SECURING THE EMBEDDED LINUX SOFTWARE SUPPLY CHAIN
BG NETWORKS INC
At the 2022 Embedded World trade show, BG Networks announced open-source software for finding vulnerabilities in Linux / Yocto builds. The software creates a Software Bill of Materials (SBOM) that is checked against the NIST National Vulnerability Database (NVD) for known bugs. Software bugs are the footholds that hackers look for to penetrate IoT devices.
The “software supply chain” has been referred to quite a bit since Executive Order 14208 was issued last year by President Biden. That order highlights the importance of software supply chains. It has become critical to know what software is in your builds, including dependencies (e.g. software that comes from another entity, whether it is open source, commercial, or code from a contractor) that are 1, 2, 3, or more levels deep.
BG Networks has created a meta-layer for Yocto that, when added to your project builds, creates an SBOM compatible with OWASP’s Dependency-Track. Dependency-Track is a free web-based server tool that checks an SBOM against NIST’s NVD for reported bugs. We created this meta-layer because of the growing importance of the software supply chain and the benefits and features Dependency-Track offers. The tool has an easy-to-use GUI, allows policies to be created, supports automatic alerts (email, Slack, other), and lets you track how well you are eliminating vulnerabilities versus previous versions of your software.
The goal was to automate the entire process. Once you have installed BG Networks’ Yocto meta-layer, any time you create a new build, a new SBOM will be created and sent to Dependency-Track. The SBOM will then be scanned, and if vulnerabilities are found, you will automatically be notified. Dependency-Track even checks your existing SBOMs daily in case new vulnerabilities show up in the NIST NVD.
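To make the SBOM-to-Dependency-Track flow concrete, here is an added example (not BG Networks' meta-layer or any code from the project) that turns a constructed list of packages into a minimal CycloneDX SBOM and wraps it in the body Dependency-Track's BOM upload endpoint accepts. The package names/versions, the `pkg:generic` purl type, and the `PUT /api/v1/bom` request shape are assumptions for illustration.

```python
import base64
import json
import urllib.request

# Constructed sample of package name/version pairs as a Yocto build might
# list them (hypothetical values, not taken from any real build).
YOCTO_PACKAGES = [
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "busybox", "version": "1.33.0"},
    {"name": "zlib", "version": "1.2.11"},
]

def build_cyclonedx_sbom(packages):
    """Minimal CycloneDX 1.4 JSON SBOM; each component carries a Package URL
    so Dependency-Track can match it against NVD data (purl type assumed)."""
    components = [{
        "type": "library",
        "name": p["name"],
        "version": p["version"],
        "purl": f"pkg:generic/{p['name']}@{p['version']}",
    } for p in packages]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "version": 1, "components": components}

def build_upload_payload(sbom, project_name, project_version):
    """Body for Dependency-Track's BOM upload (PUT /api/v1/bom): the SBOM as a
    base64 string plus project identifiers; autoCreate lets the server create
    the project on first upload (endpoint shape assumed from the public API)."""
    encoded = base64.b64encode(json.dumps(sbom).encode()).decode("ascii")
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}

def upload_sbom(server_url, api_key, payload):
    """Send the payload to Dependency-Track and return the HTTP status.
    This is the only network call, so it is not exercised offline."""
    req = urllib.request.Request(
        f"{server_url}/api/v1/bom",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

def decode_payload_bom(payload):
    """Round-trip check: recover the SBOM dict from an upload payload."""
    return json.loads(base64.b64decode(payload["bom"]))
```

Once uploaded, Dependency-Track performs the NVD matching and re-checks the stored SBOM on its own schedule, which is what makes the daily re-scan described above possible without rebuilding.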
BG Networks’ mission is to make sure that every IoT device in the world ships with the cybersecurity that it needs. We do this by offering security automation tools that make adding security easy, training, engineering consulting services, and open-source software contributions. BG Networks believes that contributing open-source software is a particularly effective way of achieving this mission, since it removes the barrier of cost and the questions about code quality and availability. We hope our open-source contributions help you get started on your IoT cybersecurity journey, or make the journey you are already on a little easier.
Details on BG Networks' vulnerability scanning Yocto Linux meta layer can be found here: www.bgnetworks.com/vulnerability-scanning/
Please visit www.bgnetworks.net to learn more about BG Networks, evaluate BGN-SAT security automation tool, or schedule an IoT cybersecurity consultation.