Vulnerability Management for Yocto
Easily monitor, triage and remedy vulnerabilities with Galapagos and our team of engineers. Our actionable reports and personalised service minimise the effort and technical knowledge required to keep your products secure and compliant with cyber security regulations.
Actionable Reports
Our Galapagos service provides you with regular, actionable reports that give a full summary of the vulnerabilities (CVEs) present in your product. They include:
- Details of each vulnerability including CVSS and EPSS scores – organised by severity
- Changes since the last report allowing you to see what’s new and what’s been addressed
- Information on previously resolved vulnerabilities
- Notifications when newer versions of your upstream or vendor distribution are available
The report provides enough information for you to triage and remedy the vulnerabilities identified; however, our team are happy to action the report on your behalf.
Spend Less Time Triaging Vulnerabilities
For every new vulnerability detected, it’s necessary to understand its relevance and potential impact. This requires technical knowledge – and with new vulnerabilities appearing every day, it can also require a regular time commitment.
To reduce the time spent triaging issues, Galapagos automatically filters out irrelevant kernel vulnerabilities based on your kernel configuration. Galapagos will also allow you to automatically filter based on CVSS score, EPSS score and attack vector.
Based on our understanding of your product and any criteria set by you, our team will review the Galapagos reports and recommend suitable actions (ignore, patch, update package, upgrade distro) for the remaining vulnerabilities, saving you time.
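The triage filtering described above (drop kernel CVEs whose code is not built into your kernel, then filter by CVSS score, EPSS score and attack vector) can be illustrated with a small script. This is an added example, not Galapagos code: it works on a constructed JSON document shaped like the output of Yocto's cve-check class (packages with an "issue" list carrying "id", "scorev3", "vector" and "status"), plus two assumed per-issue annotations that are not part of cve-check output, an "epss" probability and, for kernel CVEs, a "kernel_config" option that the vulnerable code depends on. The .config fragment and every CVE id are constructed test data.

```python
"""Triage filter for Yocto cve-check style findings (added example).

Assumed inputs: a cve-check style JSON report with extra "epss" and
"kernel_config" annotations, and a kernel .config. Neither the data shape
beyond cve-check's own fields nor the thresholds are Galapagos' own.
"""
import json

# Constructed sample report: placeholder CVE ids, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "linux-yocto", "version": "6.6.0", "issue": [
            {"id": "CVE-0000-0001", "scorev3": "7.8", "vector": "LOCAL",
             "status": "Unpatched", "epss": 0.0004,
             "kernel_config": "CONFIG_EXAMPLE_NET"},      # assumed annotation
            {"id": "CVE-0000-0002", "scorev3": "9.8", "vector": "NETWORK",
             "status": "Unpatched", "epss": 0.62,
             "kernel_config": "CONFIG_EXAMPLE_USB"},      # assumed annotation
        ]},
        {"name": "openssl", "version": "3.2.0", "issue": [
            {"id": "CVE-0000-0003", "scorev3": "5.3", "vector": "NETWORK",
             "status": "Unpatched", "epss": 0.01},
            {"id": "CVE-0000-0004", "scorev3": "7.5", "vector": "NETWORK",
             "status": "Patched", "epss": 0.30},
        ]},
    ],
})

# Constructed kernel .config fragment in the usual Kconfig output format.
SAMPLE_KCONFIG = """
# Automatically generated file; DO NOT EDIT.
CONFIG_EXAMPLE_USB=y
# CONFIG_EXAMPLE_NET is not set
CONFIG_EXAMPLE_MODULE=m
"""


def enabled_kernel_options(config_text):
    """Return the set of CONFIG_* options set to y or m in a kernel .config.

    Lines of the form '# CONFIG_FOO is not set' are comments and are skipped,
    so a disabled option is simply absent from the returned set.
    """
    enabled = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if value in ("y", "m"):
            enabled.add(name)
    return enabled


def triage(report_json, kconfig_text, min_cvss=0.0, min_epss=0.0, vectors=None):
    """Split findings into (kept, dropped).

    kept:    list of (package, cve_id, cvss_v3) sorted by severity, highest first
    dropped: list of (package, cve_id, reason) explaining why each was filtered
    Filters applied in order: status, kernel config relevance, CVSS, EPSS, vector.
    """
    enabled = enabled_kernel_options(kconfig_text)
    kept, dropped = [], []
    for pkg in json.loads(report_json)["package"]:
        for issue in pkg.get("issue", []):
            cve = issue["id"]
            status = issue.get("status", "")
            if status != "Unpatched":
                dropped.append((pkg["name"], cve, "already " + status.lower()))
                continue
            opt = issue.get("kernel_config")
            if opt and opt not in enabled:
                # Vulnerable code is not compiled into this kernel: not relevant.
                dropped.append((pkg["name"], cve, f"{opt} not enabled"))
                continue
            score = float(issue.get("scorev3") or 0.0)
            if score < min_cvss:
                dropped.append((pkg["name"], cve, f"CVSS {score} below {min_cvss}"))
                continue
            epss = float(issue.get("epss", 0.0))
            if epss < min_epss:
                dropped.append((pkg["name"], cve, f"EPSS {epss} below {min_epss}"))
                continue
            if vectors and issue.get("vector") not in vectors:
                dropped.append((pkg["name"], cve, f"vector {issue.get('vector')} excluded"))
                continue
            kept.append((pkg["name"], cve, score))
    kept.sort(key=lambda entry: entry[2], reverse=True)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_REPORT, SAMPLE_KCONFIG, min_cvss=7.0)
    for pkg, cve, score in kept:
        print(f"REVIEW  {pkg:12} {cve}  CVSS {score}")
    for pkg, cve, reason in dropped:
        print(f"FILTER  {pkg:12} {cve}  {reason}")
```

Every dropped finding keeps the reason it was filtered, which is what an auditor asks for when a CVE is marked "ignored"; the kernel-config check only removes a finding when the option is known and not set, so kernel CVEs without a mapping still reach the review list.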
Spend Less Time Remedying Vulnerabilities
Remedying a vulnerability requires that a suitable patch be identified and applied to your product. Our team can do this on your behalf, allowing your team to focus on building the features that set your product apart.
How it Works
Galapagos is a cloud-based service that emails a vulnerability report upon receiving data from our Yocto layer in your build. It can be used as follows:
- Integrate the meta-galapagos Yocto layer into your platform; we support all LTS versions of Yocto
- Build your platform on a regular basis with our layer enabled; alternatively, we can do this for you using our AWS-backed CI system
- Receive regular Galapagos reports at a frequency that you desire
- Review the findings of the reports to remedy vulnerabilities
Our service can be used without our engineers' time; however, most customers provide us with a T&M maintenance budget that allows us to review, triage and remedy vulnerabilities on your behalf. In addition to patching vulnerabilities, we can also update your product to the latest version of an upstream or vendor distribution on a regular cadence.
Stay Compliant with Industry Regulations
Our service can assist you in complying with industry regulations that require or recommend monitoring of security vulnerabilities, such as ETSI EN 303 645 (Cyber Security for Consumer Internet of Things), NIST IR 8259A (IoT Device Cybersecurity Capability Core Baseline) and the Cyber Resilience Act (CRA).
See it in Action
We perform a weekly Galapagos scan for the master and LTS versions of Yocto for their core-image-sato target. Read the Yocto vulnerability reports below: