The Green Sheet

News from the Wire

Software inventory list mandatory for all devices in EU

Thursday, December 07, 2023 — 12:29:09 (EST)

Duesseldorf, December 7, 2023 – All upcoming IT security laws – most notably the EU Cyber Resilience Act (CRA-E) – have one thing in common: in future, a Software Bill of Materials (SBOM) will have to prove which software components are contained in a device. "Numerous cybersecurity incidents in recent years have shown that undetected installed software and firmware in devices pose significant risks. Many of these vulnerabilities are the result of immature cybersecurity practices. A software bill of materials (SBOM) makes the vulnerable components visible," says Jan Wendenburg, CEO of ONEKEY. The company, which specialises in IoT and OT cybersecurity, operates a security platform, offered as software-as-a-service, that performs an automated review and risk assessment of device software and also automatically creates an SBOM (Software Bill of Materials). With its own security team of recognised experts and white-hat hackers, ONEKEY has in recent years identified and closed serious security vulnerabilities through its own research. "This underlines the urgent need for Software Bill of Materials (SBOMs) that ensure transparent software supply chains and accountability in software production and distribution. Guidelines for this already exist – and with the final adoption of the EU Cyber Resilience Act, SBOMs will soon also become legally binding," Wendenburg continues.

Comprehensive white paper provides guidance and technical support

The German-headquartered European company, which has won several awards for its achievements in the cybersecurity of IoT and OT devices, has produced a comprehensive white paper on the subject in English entitled "Software Supply Chain Regulations: How to Achieve Effective & Efficient SBOM Management". "Creating and maintaining SBOMs is an essential part of the entire software supply chain – not just for manufacturers buying in components, but also for assets with digital elements that have been in use for years. Time and time again, our and other cybersecurity experts find zero-day vulnerabilities in IoT or OT technology that have flown completely under the radar for years," warns Jan Wendenburg of ONEKEY. The white paper, which can be downloaded from this link, highlights all aspects such as form and structure, legal requirements, standardised formats for SBOMs and the special challenges of IoT and OT devices, which contain a large number of hidden software modules and also software from open source, thus providing a guide for effective and efficient SBOM management.

BSI confirms SBOM as a key security component

The German Federal Office for Information Security (BSI) also points out the importance of SBOMs in its technical guideline TR-03183. According to the BSI, SBOMs should be available from every software manufacturer and supplier in order to make the complexity of the programmes used transparent. This knowledge is essential for management processes such as the product life cycle and, in particular, for an end-to-end IoT/OT cybersecurity process. The software bill of materials provides transparent documentation of the software supply chain.

"The creation and ongoing maintenance of the SBOM must become part of the workflow – both in development (CI/CD pipeline) and in sales and ongoing operations (PSIRT teams) of IoT and OT technology. The automatic creation of the SBOM helps with audits, but most importantly in the event of a crisis, when there is an obligation to provide evidence," concludes Jan Wendenburg of ONEKEY.

About ONEKEY:

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management. The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes, without source code, device or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

Integrated compliance checking already covers the upcoming EU Cyber Resilience Act and existing requirements according to IEC 62443-4-2, EN 303 645, UN R155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

Contact: ONEKEY GmbH, Kaiserswerther Str. 45, 40477 Duesseldorf, Germany, Sara Fortmann, E-Mail: sara.fortmann@onekey.com, Web: onekey.com

PR agency: euromarcom public relations GmbH, Muehlhohle 2, 65205 Wiesbaden, Germany, Tel.: +49 (0)611-973150, E-Mail: team@euromarcom.de, Web: www.euromarcom.de

Source: Company press release.