Summary is AI-generated, newsdesk-reviewed
  • ONEKEY enhances platform for enriched SBOMs, meeting EU Cyber Resilience Act requirements.
  • Platform identifies software vulnerabilities, offers risk assessment, easing manufacturers' compliance burdens.
  • Automated workflows and audit-ready documentation streamline security tasks for compliance teams.

The European Union's Cyber Resilience Act (CRA) mandates that companies involved in the manufacture and distribution of internet-connected digital products provide a Software Bill of Materials (SBOM). This requirement is designed to assist in identifying software vulnerabilities that hackers might exploit, facilitating timely remedies.

The CRA specifies that this SBOM must be a comprehensive list covering all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems. The list must include specific version numbers, licensing details, author information, and an overview of known security vulnerabilities. However, many companies face challenges in meeting these requirements, largely due to incomplete information from their suppliers.

Challenges with Current SBOMs

Many existing SBOMs are problematic; they are incomplete, outdated, or lack crucial context regarding vulnerabilities, rendering them unusable for the mandatory CRA documentation requirements.

Manufacturers struggle, particularly due to complex supply chains and suppliers' lack of understanding of EU regulations, leading to compliance difficulties.

ONEKEY's Enhanced SBOM Solution

Düsseldorf-based cybersecurity firm ONEKEY has introduced a new feature on its platform aimed at addressing these challenges. This enhancement enables devices' software (firmware) to be checked for security vulnerabilities, generating what are termed enriched SBOMs.

These enriched versions offer all necessary details on vulnerabilities, complete with risk classifications, evidence, and justifications, thereby meeting industry standards and documentation needs comprehensively.

A Transformative Approach

"This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment," explained Jan Wendenburg, CEO of ONEKEY.

According to Wendenburg, the difficulty in compliance partly stems from complex supply chains and the lack of awareness among non-EU suppliers about specific EU regulations.

Advancing Vulnerability Management

ONEKEY's enhancement is part of a broader effort to expand its platform's capabilities, which previously focused primarily on detecting software vulnerabilities. "Identifying deficiencies is only the first step," stated Wendenburg, "now we are taking further steps to relieve manufacturers of time-consuming manual tasks and help them achieve CRA compliance."

The platform also aims to automate workflows, provide contextual assessments, and create audit-ready documentation, which should enable security and compliance teams to respond more quickly and in a manner compliant with regulations.

Streamlining Security Efforts

Automating routine tasks will allow specialists to concentrate on maximizing the security of their devices, machines, and systems, Wendenburg said, outlining ONEKEY’s strategic vision.

The company’s new functionality aims to streamline and improve the overall process of CRA compliance for manufacturers, allowing for more effective management of software security vulnerabilities within a regulatory framework.
