MathEmbedded's services aim to save you money and time-to-market. We will help you to create world-leading products that help protect your valuable brand and reduce the risk of expensive liabilities.
Our Areas of Expertise
MathEmbedded have many years of experience securing connected devices for a wide range of companies and in a number of diverse market areas. We understand device-level security and system-level security, along with the need for pragmatic security that is proportional to the level of protection you need.
We can work with your Board, senior management, programme and project managers and your security engineers during all phases of the product security lifecycle.
- Provide advice and consultancy on all aspects of software security including threat modelling, security architecture and system design
- Implement specialist security software and firmware
- Provide security assurance for your system and software: software review, security audit, independent security reviewer
- Bring your development team and management up to speed in security awareness, knowledge and skills
We specialise in network connected devices (embedded systems) running complex software environments including Linux, Android and QNX but are also very familiar with low-level "bare metal" software and RTOS environments.
We work with silicon manufacturers, silicon IP vendors, OEMs/ODMs, security companies, operators, automotive equipment manufacturers, consumer electronics manufacturers and many others.
MathEmbedded provide a number of services required for the implementation of a Secure Software Development Lifecycle. We also regularly "retrofit" security onto existing systems and connected products.
Security Requirements capture
It’s important to know exactly what you’re trying to protect and why. This will then guide appropriate protection measures and help to avoid costly “endless” and ineffective security measures.
MathEmbedded can help you to capture the overall security goals and specific, measurable and testable security requirements for your projects, based on your own requirements and those which must be met for compliance with third-party security specifications and robustness rules.
Security architecture and design
The security requirements can be used to review the system architecture and design for a project and modify it if necessary to ensure that it fulfils those requirements.
MathEmbedded can provide the expertise to help you produce an architecture that supports both the functional requirements and security requirements for your project.
System threat modelling
A system design needs to be checked to see what attacks it may be vulnerable to. A threat model takes a design and identifies potential vulnerabilities. Using the security goals and requirements, the vulnerabilities can then be assessed for the risk that they pose.
By knowing the vulnerabilities, attack mitigation measures and strategies can be constructed.
Unlike application-level threat models, MathEmbedded also considers the tighter integration in embedded systems between the operating environment and the application and takes this into account in the threat model.
MathEmbedded can support you in developing a threat model for your project, performing a risk assessment and developing mitigation measures.
Security assessment reviews
In a secure software development process there should be an internal review following the security architecture and threat modelling stage. This is normally held as a 1- or 2-day workshop involving security architects, project owners, project managers, developers and testers.
The purpose of this review is to validate the architecture and the threat model, to agree the risk analysis performed, and to rank the mitigation measures in priority of risk.
Having a priority-ordered list of mitigations allows the implementation to be planned in a cost-effective manner by dealing with the highest-risk issues first within a limited time and cost budget.
MathEmbedded can act as an independent security assessor in security assessment review workshops. If you haven’t performed a security assessment before, then MathEmbedded can guide you through the process.
Security implementation service
We can develop application software, low-level software and firmware to run in a secure environment. All software is developed using a secure software development methodology.
If you have a project that requires specialist software development services then please contact us.
As well as the applications running on embedded systems needing to be secure, the operating environment also needs to be secured and correctly configured.
MathEmbedded are experts in hardening complex OS environments such as Linux, Android, QNX and RTOS in order to provide increased security.
We regularly risk assess complex end-to-end security of embedded devices and M2M/IoT systems. Please see our whitepaper on vulnerability assessment for why we believe vulnerability assessments are the best method for determining your security risk.
MathEmbedded do not perform penetration testing. We are sometimes asked to provide this as an additional check following a vulnerability assessment, but we believe that this must be independent of the assessment. For this reason many of our partners can provide such services, and we can recommend a reputable test house based on your requirements upon request.
MathEmbedded can support you following initial release of your connected device. This includes:
- Vulnerability tracking: we can track vulnerabilities in the software components used in your device (for example, operating system and critical system libraries). We will then evaluate the risk and let you know when you should provide critical security updates.
- Incremental threat model updates to the release security baseline and incremental security assessments when the software is updated to ensure the system remains protected.
Application security: Independent source code reviews
MathEmbedded can perform an independent review of your software application.
This can be based on your threat model or we can construct one for you.
Validation: Independent system security audit
MathEmbedded can perform an end-to-end security audit of your system, including the connected device, network connections and other M2M communications, server side and web interfaces.
This can be based on your threat models and security requirements or we can construct them for you.
MathEmbedded provide a number of embedded security training courses. Please see our training page for more information.
Product cybersecurity review
MathEmbedded can perform a rapid connected device product cybersecurity review to highlight areas and risks that may require further attention.
Please contact us for more information on any of the services mentioned.