I like your products, but this has been cooking inside my head for several weeks now. I have the Route10, controller, and switch. Have those products been scanned with Rapid7, Tenable, Qualys, ManageEngine or another vulnerability scanning tool? As far as I know, there's no DISA STIG or CIS baseline for OpenWrt. At least vulnerabilities against OpenWrt are reported in the NIST NVD. I believe the controller is Ubuntu, so you can follow the errata for Ubuntu. If a vulnerability is found, is there Kali Linux/penetration testing to make sure there isn't a remotely executable hole in an Alta product? Is there company reporting about vulnerabilities against Alta products? I guess these CVE vulnerabilities for the Route10 and controller are a start, but is Alta actively scanning for such vulnerabilities?
Alta has mentioned in a few of their livestreams that they monitor for vulnerabilities, but it’s unclear how deep that process goes or what tools they use.
That said, their devices are relatively well locked down. Most OpenWrt-based systems are, by design. But it's worth noting that Alta's platform is primarily cloud-managed, and even when accessed locally, you don't have full control over the firmware. You're limited to what Alta provides and when they choose to release updates. So in practice, patching and hardening are handled on their terms.
Automated scans on OpenWrt often produce a lot of false positives, since they typically rely on package version matching. Just because a library version is present doesn't mean it's exploitable in that environment.
If DISA STIGs or CIS benchmarks are a requirement in your environment, chances are you’re also working off an approved hardware/software list. In those cases, it’s usually vendors like Cisco, Palo Alto, or similar. Those manufacturers often publish their own configuration baselines, which mostly cover things like logging, least privilege, containerization/segregation, and FIPS 140-2 compliance.
In cases where a STIG/SRG isn't available, it's usually required to use an indirect one and, along with vendor documentation, implement as much of, say, the Cisco STIG as applies to Alta in this instance, even knowing most of it would be N/A. But again, that is a stretch and only buys time.
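To make the version-matching false-positive point above concrete, here is an added example (not code from the original thread, from Alta, or from any scanner vendor). It takes a constructed `opkg list-installed`-style package list in OpenWrt's `upstream-rN` version format and compares two ways of matching it against a set of hypothetical advisories: a naive check that only looks at the upstream version, and a patch-aware check that also consults a (constructed) table of fixes backported into a specific distro release. The package list, the `ADV-EXAMPLE-*` identifiers, the fixed versions and the backport table are all invented for illustration and are not real vulnerabilities.

```python
"""Naive version matching vs. patch-aware matching on an OpenWrt-style package list.

Everything below (package versions, advisory IDs, fixed versions, backport table)
is constructed for this example and does not describe real vulnerabilities.
"""
import re

# Constructed sample in the shape of `opkg list-installed` output: "<name> - <version>".
OPKG_LIST = """\
dropbear - 2022.82-r2
libopenssl3 - 3.0.12-r1
busybox - 1.36.1-r2
"""

# Hypothetical advisories: the first *upstream* version that contains the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "libopenssl3", "fixed_upstream": "3.0.13"},
    {"id": "ADV-EXAMPLE-2", "package": "dropbear", "fixed_upstream": "2024.84"},
    {"id": "ADV-EXAMPLE-3", "package": "busybox", "fixed_upstream": "1.36.0"},
]

# Constructed distro-side knowledge: a fix backported into a given package release
# without bumping the upstream version (the classic source of scanner false positives).
BACKPORTED_FIXES = {
    ("libopenssl3", "3.0.12-r1"): {"ADV-EXAMPLE-1"},
}


def parse_opkg(text):
    """Map package name -> full version string from opkg-style 'name - version' lines."""
    installed = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+) - (\S+)$", line.strip())
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def split_version(full):
    """Split '3.0.12-r1' into ('3.0.12', 'r1'); a missing release part becomes ''."""
    upstream, _, release = full.partition("-")
    return upstream, release


def version_key(upstream):
    """Comparable key for dotted versions; numeric parts sort numerically."""
    return tuple(
        (0, int(p)) if p.isdigit() else (1, p)
        for p in re.split(r"[.]", upstream)
    )


def naive_findings(installed, advisories):
    """Flag a package whenever its upstream version is below the fixed version."""
    hits = []
    for adv in advisories:
        full = installed.get(adv["package"])
        if full is None:
            continue
        upstream, _ = split_version(full)
        if version_key(upstream) < version_key(adv["fixed_upstream"]):
            hits.append(adv["id"])
    return sorted(hits)


def patch_aware_findings(installed, advisories, backports):
    """Same as naive_findings, but drop advisories the distro release already backported."""
    hits = []
    for adv_id in naive_findings(installed, advisories):
        adv = next(a for a in advisories if a["id"] == adv_id)
        key = (adv["package"], installed[adv["package"]])
        if adv_id in backports.get(key, set()):
            continue  # fix present despite the old upstream version string
        hits.append(adv_id)
    return sorted(hits)


if __name__ == "__main__":
    pkgs = parse_opkg(OPKG_LIST)
    print("naive      :", naive_findings(pkgs, ADVISORIES))
    print("patch-aware:", patch_aware_findings(pkgs, ADVISORIES, BACKPORTED_FIXES))
```

The naive pass flags both `libopenssl3` and `dropbear`; the patch-aware pass keeps only `dropbear`, because the constructed backport table says the `libopenssl3` fix shipped in release `-r1`. Even the remaining hit is still only "version is below the fix", not "exploitable on this device": whether the affected service is enabled and reachable from an untrusted network is a separate check that no version match can answer.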