Penetration test results included in Mender support subscription

2nd May 2017

We get asked about Mender’s focus relative to other options available to do OTA updates for connected Linux devices. The broad answer is ease-of-use, robustness and security. We have conducted a large number of user tests and the most common alternative to Mender is a homegrown update mechanism. From a large sample size, we’ve found it can take a full-time employee anywhere from several months for a very rudimentary updater to well over a year for a more feature-complete one, especially with respect to a management server.

And in most cases - as OTA was only considered near the end of the design cycle - many of the security features were not given the time they needed due to time-to-market pressure. Thus the vast majority of homegrown updaters did not meet the comprehensive security requirements needed to ensure a safe process. This is why we created Mender and open sourced it. Software updates are a fundamental security hardening component for systems. And given the poor state of security, with malware such as Mirai, Hajime, and BrickerBot successfully targeting Linux devices, IoT patching needs our attention. In our continuing efforts to provide a more secure offering, Mender recently went through a third-party penetration test with positive results. While Mender’s client and management server are open source, we do want to build a sustainable business model around the freely available core.

As a value-add to our customers for our support subscription, we are providing the full test results of this external security audit for peace of mind and to help our customers meet compliance requirements. We notify subscribers to our commercial support immediately of any discovered vulnerabilities as they are found by either the Mender team or third-party auditors - with specific guidance on what needs to be done (e.g. whether it requires an upgrade to a specific Mender version).

Let us know if you have any questions on this. We are more than happy to provide any additional clarification.