November 2-4 | Napa, California
Tuesday, November 2 • 4:15pm - 4:45pm
Managing Vulnerabilities at the Snippet Level in Embedded Software - Craig Northway, Qualcomm Technologies Inc

Scanning and alerting on known vulnerabilities has become an important part of a proactive open source management process. This should be a key responsibility of every product security and open source program office. Most vendor tools are focused on the web/application/mobile development ecosystems and typically find vulnerabilities in unaltered dependencies or minimally altered vendored open source. However, in embedded software, dependencies may be vendored in source form and modified extensively for the platform. Embedded build tools such as bitbake also allow dependencies to be patched as part of the build. In these cases security scanning can't just be a static process based on the repository uploaded to your choice of git platform. There is a need to scan during the build process, comparing code against the individual vulnerability patches and their fixes. This can generate a lot of data! In this presentation, we will discuss how we have integrated this vulnerability-level scanning into our various environments, the tools we built and will release as open source, and how we normalize the output and are integrating it into our bug tracking and disclosure systems.
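The snippet-level comparison the abstract describes, as an added illustration (not code from the talk or from Qualcomm's tools): a fix patch is split into its removed and added lines, and a vendored source file is classified as still carrying the pre-fix snippet, carrying the fixed snippet, or neither (modified in a way that needs review). The patch and the three source files are constructed for this example and do not correspond to a real CVE.

```python
# Constructed fix patch: a hypothetical bounds check added before a copy.
FIX_PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -10,3 +10,4 @@
 int parse(char *buf, const char *in, size_t n) {
-    memcpy(buf, in, n);
+    if (n > BUF_MAX) return -1;
+    memcpy(buf, in, n);
     return 0;
"""

# Constructed vendored sources: unpatched, patched, and locally modified.
VULN_SRC = "int parse(char *buf, const char *in, size_t n) {\n    memcpy(buf, in, n);\n    return 0;\n}\n"
FIXED_SRC = "int parse(char *buf, const char *in, size_t n) {\n    if (n > BUF_MAX) return -1;\n    memcpy(buf, in, n);\n    return 0;\n}\n"
MODIFIED_SRC = "int parse(char *dst, const char *in, size_t n) {\n    memcpy(dst, in, n);\n    return 0;\n}\n"


def hunk_lines(patch):
    """Return (removed, added) lines from a unified diff, whitespace-normalised."""
    removed, added = [], []
    for line in patch.splitlines():
        if line.startswith(("--- ", "+++ ", "@@")):
            continue  # file headers and hunk ranges carry no code
        if line.startswith("-"):
            removed.append(line[1:].strip())
        elif line.startswith("+"):
            added.append(line[1:].strip())
    return removed, added


def has_sequence(haystack, needle):
    """True if `needle` occurs as a contiguous run of lines inside `haystack`."""
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify(source, patch=FIX_PATCH):
    """'fixed' if the post-fix lines are present, 'vulnerable' if only the
    pre-fix lines are, otherwise 'review' (snippet altered; needs a human)."""
    removed, added = hunk_lines(patch)
    lines = [l.strip() for l in source.splitlines() if l.strip()]
    if has_sequence(lines, added):
        return "fixed"
    if has_sequence(lines, removed):
        return "vulnerable"
    return "review"
```

The "review" outcome is the case the abstract calls out: heavily modified vendored code matches neither side of the patch, so a build-time scanner has to surface it rather than silently report it as clean.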

Craig Northway

Director, Engineering, Qualcomm Technologies, Inc
Craig Northway is a Director of Engineering in Corporate Engineering at Qualcomm Technologies Inc. (QTI), a subsidiary of Qualcomm, Inc. Craig manages the Qualcomm Open Source Technology Group, a group formed to improve process, policy and tooling around Open Source software at Qualcomm...

Tuesday November 2, 2021 4:15pm - 4:45pm PDT
Silverado East