Embedded systems are regularly found to lack modern security-focused designs and implementations, despite decades of advancements in the field of computer security. Although the emergence and adoption of projects such as Yocto and OpenEmbedded have made it easier to develop and maintain firmware for embedded Linux systems, NCC Group has often found that engineering teams are not utilizing these tools to their full potential. As a result, security assessments yield numerous findings that could have been detected and remediated much earlier in the product life cycle.
This whitepaper introduces functionality available within the Yocto ecosystem that can be leveraged to integrate security-focused QA into firmware build processes. By adopting the practices and guidelines presented in this paper, your team can improve its baseline security posture and obtain more value from its investment in product security.