ONEKEY Enhances SBOM For CRA Compliance

The European Union's Cyber Resilience Act (CRA) mandates that companies involved in the manufacture and distribution of internet-connected digital products provide a Software Bill of Materials (SBOM). This requirement is designed to assist in identifying software vulnerabilities that hackers might exploit, facilitating timely remedies.

The CRA specifies that this SBOM must be a comprehensive list covering all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems. The list must include specific version numbers, licensing details, author information, and an overview of known security vulnerabilities. However, many companies face challenges in meeting these requirements, largely due to incomplete information from their suppliers.

Challenges with Current SBOMs

Many existing SBOMs are problematic; they are incomplete, outdated, or lack crucial context regarding vulnerabilities, rendering them unusable for the mandatory CRA documentation requirements.

Manufacturers struggle, particularly due to complex supply chains and suppliers' lack of understanding of EU regulations, leading to compliance difficulties.

ONEKEY's Enhanced SBOM Solution

Düsseldorf-based cybersecurity firm ONEKEY has introduced a new feature on its platform

Düsseldorf-based cybersecurity firm ONEKEY has introduced a new feature on its platform aimed at addressing these challenges. This enhancement enables devices' software (firmware) to be checked for security vulnerabilities, generating what are termed enriched SBOMs.

These enriched versions offer all necessary details on vulnerabilities, complete with risk classifications, evidence, and justifications, thereby meeting industry standards and documentation needs comprehensively.

A Transformative Approach

"This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment," explained Jan Wendenburg, CEO of ONEKEY.

According to Wendenburg, the difficulty in compliance partly stems from complex supply chains and the lack of awareness among non-EU suppliers about specific EU regulations.

Advancing Vulnerability Management

ONEKEY's enhancement is part of a broader effort to expand its platform's capabilities, which previously focused

ONEKEY's enhancement is part of a broader effort to expand its platform's capabilities, which previously focused primarily on detecting software vulnerabilities. "Identifying deficiencies is only the first step," stated Wendenburg, "now we are taking further steps to relieve manufacturers of time-consuming manual tasks and help them achieve CRA compliance."

The platform also aims to automate workflows, provide contextual assessments, and create audit-ready documentation, which should enable security and compliance teams to respond more quickly and in a manner compliant with regulations.

Streamlining Security Efforts

Automating routine tasks will allow specialists to concentrate on maximizing the security of their devices, machines, and systems, according to Wendenburg, outlining ONEKEY’s strategic vision.

The company’s new functionality aims to streamline and improve the overall process of CRA compliance for manufacturers, allowing for more effective management of software security vulnerabilities within a regulatory framework.

Show full press release

The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers and distributors of digital products with an internet connection must provide a Software Bill of Materials (SBOM). This will help to identify potential software vulnerabilities that could be exploited by hackers so that they can be remedied in a timely manner.

The CRA therefore requires a detailed list of all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems, without exception, including the exact version numbers of the individual components, information on the respective licenses, details of the authors, and an overview of all known vulnerabilities and security gaps. Many manufacturers struggle to meet these requirements, mainly because they do not receive complete information from their suppliers.

For this reason, many SBOMS are incomplete, outdated, or lack context regarding vulnerabilities. These incomplete and sometimes outdated Software Bills Of Materials are unusable for the mandatory documentation requirements imposed on manufacturers by EU regulations.

SBOM as the new security passport

The Düsseldorf-based cybersecurity company ONEKEY has now added a new feature to its platform that checks device software (firmware) for security vulnerabilities and enables the generation of so-called enriched SBOMs. These expanded Software Bills Of Materials contain all relevant information about vulnerabilities.

The SBOMs generated in this way fully meet all industry requirements. As well as containing the vulnerabilities with risk classification, they also provide evidence and justifications in a single, easy-to-use file.

“This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment,” explained Jan Wendenburg, CEO of ONEKEY. He knows from many discussions with manufacturers: “The often complex supply chains and the frequent lack of understanding of EU-specific regulations among suppliers outside the European Union make it difficult to comply with the requirements of the Cyber Resilience Act.” According to ONEKEY, the new functionality is a significant step towards overcoming this hurdle.

Beyond detection: Comprehensive vulnerability management

This latest feature forms part of an initiative to expand the ONEKEY platform, providing even better support for comprehensive software security vulnerability management. Until now, the platform has primarily focused on the detection of software vulnerabilities. “Identifying deficiencies is only the first step,” says Jan Wendenburg, “now we are taking further steps to relieve manufacturers as much as possible of time-consuming manual tasks and help them achieve CRA compliance.”

Automated workflows, contextual assessments, and audit-ready documentation will enable security and compliance teams to respond more quickly and act in a regulatory-compliant manner. “By enabling the platform to take on more and more routine tasks, we are giving specialists more time to focus on their most important task: maximizing the security of their devices, machines, and systems,” says Jan Wendenburg, says Jan Wendenburg, outlining the company’s strategy.

Download PDF version Download PDF version

Add as a preferred source on Google