ONEKEY, a cybersecurity company based in Düsseldorf, has expanded its capabilities from primarily identifying software vulnerabilities to a comprehensive solution for managing Common Vulnerabilities and Exposures (CVEs).
This lets companies map the entire process of handling CVEs, from initial detection and assessment to a documented decision, within a single workflow whose output can serve as evidence.
Rising Vulnerability Reports
In 2024, the total number of newly reported vulnerabilities reached over 40,000 CVEs, marking a 38% increase from the previous year.
This surge is making it increasingly challenging for manufacturers of networked devices, systems, and machinery to determine which of their products are impacted by specific CVE disclosures.
Integration of VEX Data
In an effort to tackle these challenges, ONEKEY has announced the incorporation of VEX (Vulnerability Exploitability eXchange) data into its software security testing platform.
Although this integration might seem technical, it brings practical benefits by reducing team workloads, accelerating compliance, and enhancing transparency throughout digital supply chains.
Streamlining Vulnerability Assessments
The newly introduced feature allows businesses to show which reported vulnerabilities actually pose a threat to a product and which do not.
It records, in a standardized format, whether a vulnerability is relevant to a product and the justification for that decision, either as a standalone VEX document or embedded in a software bill of materials.
Because the format is machine-readable, these statements can be consumed by automated workflows and tools, making tracking and reporting faster and more accurate.
Automation Over Manual Reviews
Previously, security teams needed to manually assess each reported CVE and justify potential risks, often leading to misunderstandings and time-consuming inquiries from stakeholders.
The new technology standardizes the vulnerability context, providing essential information on whether vulnerabilities can actually be exploited in specific products. Automated and traceable vulnerability assessments are now possible with ONEKEY's platform integration.
Adapting to Regulatory Changes
The integration aligns timely with regulatory shifts such as the EU Cyber Resilience Act (CRA), which mandates increased documentation and resilience against cyberattacks for networked products by the end of 2027.
Since product development takes two to three years on average, manufacturers have little time to build the required documentation into products now in development, which makes the platform expansion timely for meeting CRA requirements.
Benefits for Companies
- Reduced inquiries from compliance teams, customers, and partners through the provision of standardized data that immediately clarifies vulnerability statuses.
- Accelerated product certifications and security approvals due to automated and traceable vulnerability documentation.
- Enhanced competitive positioning by meeting growing demands for digital supply chain transparency.
Jan Wendenburg, CEO of ONEKEY, stated, “We want to give our customers the opportunity not only to find vulnerabilities, but also to prove that their products are secure. With the new integration, we are automating the risk assessment process and helping our customers use their time for strategic rather than administrative tasks.”
Enhancing Platform Capabilities
ONEKEY's expansion is a strategic move to extend the platform's functionality beyond just spotting software vulnerabilities, to encompass comprehensive CVE management options, including prioritization and risk documentation.
"Structured and automated vulnerability management is one of the most important issues for manufacturers of digital products," Wendenburg elaborated, drawing from numerous customer consultations.
Demand for Sophisticated Functions
With more than 100 new CVEs emerging every day, manufacturers often cannot tell which products in their range are affected; combined with strict compliance requirements, this creates considerable uncertainty and pressure on firms.
Wendenburg said that this fall the company is focusing on meeting the growing demand for such functions, to help manufacturers of digital products address their cybersecurity obligations.
Pioneering In Product Cybersecurity and Compliance
ONEKEY is a leading European specialist in product cybersecurity and compliance management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). It combines its automated Product Cybersecurity & Compliance Platform (OCP) with expert services to analyze and improve product cybersecurity from procurement and design through development and production to end-of-life.
Advanced Technological Features
Critical vulnerabilities and compliance violations in device firmware are detected in binary code by AI-based technology within minutes, without requiring source code, a physical device, or network access.
The use of automated Software Bills of Materials (SBOMs) allows companies to audit their software supply chains proactively. Additionally, 24/7 cybersecurity monitoring is enabled by "Digital Cyber Twins," and the ONEKEY Compliance Wizard, covering regulations such as the EU CRA and several others, ensures robust compliance management.
Product Security Incident Response
ONEKEY aids Product Security Incident Response Teams by automatically prioritizing vulnerabilities, hence significantly shortening remediation timelines. Many international firms in Asia, Europe, and the Americas already benefit from the platform, leveraging both ONEKEY's cybersecurity expertise and its compliance solutions.
Düsseldorf-based cybersecurity company ONEKEY has expanded its platform from a major solution for detecting software vulnerabilities to a fully-fledged environment for vulnerability management.
This enables companies to map the entire process of dealing with so-called “Common Vulnerabilities and Exposures” (CVEs) – from detection and assessment to documented decision-making – in a single workflow that can serve as evidence.
Background: In 2024, the number of newly reported vulnerabilities reached over 40,000 CVEs, a 38 percent increase on the previous year. Such a high volume makes it increasingly difficult for manufacturers of networked devices, machines, and systems to keep track of which of their products are actually affected by a given CVE report.
Integration of VEX data
To address this issue, ONEKEY has announced the integration of VEX (Vulnerability Exploitability eXchange) data into its device software security testing platform as part of its repositioning as a vulnerability management platform.
Although this step may appear technical at first, it is significant: it reduces team workload, accelerates compliance, and improves transparency across the digital supply chain.
New feature
The new feature enables companies to prove that not every vulnerability poses a risk. Not only does it document whether a vulnerability is relevant to the product in question, it also justifies this in a standard format, either individually or embedded in a software bill of materials.
Because they are machine-readable, these documents can be integrated into automated workflows and tools, which makes tracking and reporting vulnerabilities faster, easier, and more accurate.
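The following is an added example, not ONEKEY's code, illustrating the embedded form of such a document described here and in the "Streamlining Vulnerability Assessments" section above, together with the checks a product security team would want to run before handing it to a customer or auditor. It uses the CycloneDX VEX layout, in which the SBOM carries a `vulnerabilities` array and each entry has an `analysis.state` (such as `exploitable`, `in_triage`, `resolved`, `not_affected`) and, for `not_affected`, a `justification` such as `code_not_reachable`. The component names, bom-refs and the year-0000 CVE identifiers are constructed placeholders, not real vulnerabilities, and the triage policy (what counts as open, closed or incomplete) is this example's own assumption rather than anything the platform does.

```python
"""Triage a CycloneDX-style SBOM with embedded VEX analysis data.

Added example, not ONEKEY code. The BOM below is constructed; the
CVE identifiers (year 0000) are placeholders, not real vulnerabilities.
"""
import json

# Constructed sample SBOM with VEX statements embedded in "vulnerabilities".
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "comp-libfoo", "type": "library", "name": "libfoo", "version": "1.2.3"},
        {"bom-ref": "comp-libbar", "type": "library", "name": "libbar", "version": "4.5.6"},
    ],
    "vulnerabilities": [
        {   # assessed as reachable and unfixed: must be acted on
            "id": "CVE-0000-0001",
            "affects": [{"ref": "comp-libfoo"}],
            "analysis": {"state": "exploitable"},
        },
        {   # documented as not affected, with a machine-readable reason
            "id": "CVE-0000-0002",
            "affects": [{"ref": "comp-libfoo"}],
            "analysis": {
                "state": "not_affected",
                "justification": "code_not_reachable",
                "detail": "The vulnerable function is compiled out of this firmware.",
            },
        },
        {   # claims not_affected but gives no justification: not audit-ready
            "id": "CVE-0000-0003",
            "affects": [{"ref": "comp-libbar"}],
            "analysis": {"state": "not_affected"},
        },
        {   # references a component that does not exist in this BOM
            "id": "CVE-0000-0004",
            "affects": [{"ref": "comp-missing"}],
            "analysis": {"state": "resolved"},
        },
        {   # no analysis block at all: nobody has assessed it yet
            "id": "CVE-0000-0005",
            "affects": [{"ref": "comp-libbar"}],
        },
    ],
})

# CycloneDX analysis.state values, grouped by what they mean for a PSIRT.
# (Grouping is this example's policy assumption.)
NEEDS_ACTION = {"exploitable", "in_triage"}
CLOSED = {"resolved", "resolved_with_pedigree", "false_positive", "not_affected"}


def triage_vex(bom_json: str) -> dict:
    """Split embedded VEX statements into open, closed and incomplete.

    open:       still needs engineering action (or was never assessed)
    closed:     documented as fixed or not affected, with consistent data
    incomplete: the statement cannot be handed to an auditor as-is
    """
    bom = json.loads(bom_json)
    known_refs = {c.get("bom-ref") for c in bom.get("components", [])}
    result = {"open": [], "closed": [], "incomplete": {}}

    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")  # None when the CVE has not been assessed

        # Every affected ref must resolve to a component actually in the BOM.
        problems = [f"affects unknown component {a.get('ref')!r}"
                    for a in vuln.get("affects", []) if a.get("ref") not in known_refs]
        # A not_affected claim without a reason is an opinion, not evidence.
        if state == "not_affected" and not analysis.get("justification"):
            problems.append("not_affected without a justification")
        if state is not None and state not in NEEDS_ACTION | CLOSED:
            problems.append(f"unknown analysis state {state!r}")

        if problems:
            result["incomplete"][vid] = problems
        elif state in CLOSED:
            result["closed"].append(vid)
        else:
            result["open"].append(vid)
    return result


if __name__ == "__main__":
    print(json.dumps(triage_vex(SAMPLE_BOM_JSON), indent=2))
```

Run over the constructed BOM, CVE-0000-0001 and CVE-0000-0005 come back as open, CVE-0000-0002 as closed, and CVE-0000-0003 and CVE-0000-0004 as incomplete. The two "incomplete" cases are the ones worth building into any pipeline that consumes VEX from a supplier: a `not_affected` status with no justification, and a statement about a component the SBOM does not contain, are exactly the gaps that turn into the customer and regulator queries the text describes.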
Automation instead of manual review
Until now, security teams had to manually evaluate each reported CVE vulnerability and justify why it might not pose a risk to the product in question. This often resulted in misunderstandings and time-consuming queries from customers, regulators, and partners.
The new technology solves this problem by standardizing the context of a vulnerability. It provides the crucial information on whether a known vulnerability in a specific product can actually be exploited. Through integration into the ONEKEY platform, these vulnerability decisions can now be automated and made traceable.
Competitive advantage
The new integration arrives just in time: The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers of networked devices, machines, and systems must significantly increase and document the resilience of their products against cyberattacks.
Adopted in 2024, the CRA will come into full effect at the end of 2027, at which point all connected products offered on the EU market must meet CRA requirements. Given that product development takes two to three years on average, the current expansion of the ONEKEY platform will be of great benefit to manufacturers.
The advantages for companies at a glance:
- Fewer queries from compliance, customers, and partners: Standardized data provides immediate clarity on the status of vulnerabilities and reduces manual communication processes.
- Faster certifications and security approvals: Automated and traceable documentation of vulnerabilities allows products to be certified and approved more quickly.
- Competitive advantage: With this integration, ONEKEY offers customers a solution that meets the growing demand for transparency in the supply chain.
“We want to give our customers the opportunity not only to find vulnerabilities, but also to prove that their products are secure,” explained Jan Wendenburg, CEO of ONEKEY. “With the new integration, we are automating the risk assessment process and helping our customers use their time for strategic rather than administrative tasks.”
ONEKEY strategy
The new integration is part of ONEKEY's corporate strategy to expand the functionality of its security platform beyond simply identifying software vulnerabilities to include additional options for comprehensive CVE management.
This includes prioritization and documentation to demonstrate whether a vulnerability has been resolved or is irrelevant in the given environment.
“Structured and automated vulnerability management is one of the most important issues for manufacturers of digital products,” said Jan Wendenburg, based on numerous customer discussions.
Growing demand for appropriate functions
With more than 100 new CVEs emerging daily, manufacturers often cannot tell which products in their range are affected. Combined with increasingly strict legal compliance requirements, this has led to considerable uncertainty and, in some cases, to teams being overwhelmed.
“That's why this fall we are focusing on meeting the growing demand for appropriate functions, to help manufacturers of digital products address the issue of cybersecurity,” said Jan Wendenburg, explaining the ONEKEY strategy. “This marks the transition from pure vulnerability detection to an environment for complete management.”
Product cybersecurity & compliance management
ONEKEY is a leading European specialist in product cybersecurity & compliance management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC).
The combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from procurement, design, development and production through to end-of-life.
Critical vulnerabilities and compliance violations
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access.
Integrated Software Bill of Materials (SBOM) generation lets manufacturers audit their software supply chains proactively. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
Product Security Incident Response Team
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Major international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.