I have embedded system software with vulnerabilities listed by a static code analyser tool. Since it is an embedded system, and I don't have access to some of the source code (it is third-party) in which the vulnerabilities have to be fixed, what can I do in this scenario?

Access to source code = no issue, all bugs can be fixed.

It is only a specific question where access to source code is not available.

  • Be wary of fixing vulnerabilities by decompiling / fixing / recompiling, as any subsequent patch from the official vendor might not be applicable anymore. Commented Sep 19, 2016 at 11:47
  • How did you run code analysis without having access to the source code? I mean the part you said is third party and that you don't have access to. Commented Sep 19, 2016 at 14:25
  • I already mentioned that it's an embedded system and a good portion of it is from a 3rd party, i.e. code generated by the Google Proto Buff code generator. You can Commented Sep 19, 2016 at 17:13
  • you run it basically from the build environment. If that helps your question. Commented Sep 19, 2016 at 17:30

1 Answer

In that scenario, I would reach out to the vendor. If you are one of their customers you should have a support model for ongoing issues. If it was developed or purchased with no ongoing support you might have to pay for an update. You should come up with an options paper for management, e.g.:

  1. Do nothing, and the risks associated with that
  2. Have company abc develop and publish an update
  3. Purchase an up-to-date competing application with ongoing support
  4. Mitigate the vulnerability somehow (can't expand, as I haven't got the details)
  • As I mentioned, it's an open-source tool like the "Google Proto Buff code generator", where access to the code is not possible. You just input your data and code is generated. Commented Sep 19, 2016 at 9:10
  • You didn't clearly mention in your question that the tool is "Open Source", but you're saying the source code isn't available, so it's not really open source then. Your business made a choice when they went with this solution; they opted for a solution that provides decreased supportability and now they are paying for it. It's all now down to a financial decision from the business. Commented Sep 20, 2016 at 1:12
