ONEKEY, a cybersecurity firm based in Düsseldorf, has enhanced its platform capabilities, transforming it from a tool primarily used to identify software vulnerabilities to a comprehensive system designed for vulnerability management.
This expanded platform allows organisations to manage the full lifecycle of Common Vulnerabilities and Exposures (CVEs) by facilitating their detection, assessment, and documentation within a unified workflow.
Adapting to increasing vulnerabilities
Reported vulnerabilities rose by 38% in 2024, with over 40,000 new CVEs, making it harder for manufacturers to keep track of which vulnerabilities affect their specific products.
To address this complexity, ONEKEY has integrated VEX (Vulnerability Exploitability eXchange) data into its security platform, enhancing compliance and transparency across the digital supply chain.
Automated risk assessment
ONEKEY's new feature allows organisations to substantiate that not every vulnerability presents a risk, thus facilitating the documentation process in a standardised format.
This integration supports automated workflows, enabling faster and more precise management of vulnerabilities, leaving manual evaluations behind.
Regulatory compliance and competitive edge
The introduction of this technology aligns perfectly with the forthcoming EU Cyber Resilience Act, which mandates that manufacturers bolster and document their products' defenses against cyber threats by 2027.
The expanded capabilities of the ONEKEY platform offer a strategic advantage, ensuring products meet these evolving legal standards.
Benefits of standardised data
This enhancement will reduce the frequency of compliance-related queries while streamlining certification processes due to its automated documentation of vulnerabilities.
By catering to the increasing demands for transparency within the supply chain, ONEKEY assists manufacturers in focusing on strategic initiatives rather than administrative responsibilities.
Jan Wendenburg, CEO of ONEKEY, said, "We want to give our customers the opportunity not only to find vulnerabilities, but also to prove that their products are secure." The newly integrated risk assessment tools foster a shift from traditional vulnerability detection towards complete management and prioritisation.
Strategies for digital manufacturers
The rise in CVEs requires digital product manufacturers to adopt structured and automated management practices, as discussed by Wendenburg. ONEKEY's strategy aims to cater to these needs, transitioning the platform from vulnerability detection to comprehensive management.
Comprehensive compliance and security
ONEKEY is recognised as a specialist in product cybersecurity and compliance management in Europe, providing a platform that combines automated analysis with expert advice. This ensures rigorous examination and management of product cybersecurity from design to obsolescence.
Leveraging AI technology
Utilising AI-driven solutions, ONEKEY detects critical vulnerabilities within device firmware swiftly, even without source code access.
The platform's capabilities, such as generating Software Bills of Materials and continuous monitoring with "Digital Cyber Twins," position it as a robust solution for managing cybersecurity threats throughout a product's lifecycle.
ONEKEY's integrated Compliance Wizard addresses numerous regulatory standards, including the EU CRA. This tool aids the Product Security Incident Response Team in prioritising vulnerabilities, thereby expediting the remediation process.
Global companies across Asia, Europe, and the Americas are already leveraging the benefits of the ONEKEY platform, coupled with the expertise of ONEKEY Cybersecurity Experts, to enhance their cybersecurity and compliance measures.
Düsseldorf-based cybersecurity company ONEKEY has expanded its platform from a major solution for detecting software vulnerabilities to a fully-fledged environment for vulnerability management.
This enables companies to map the entire process of dealing with so-called “Common Vulnerabilities and Exposures” (CVEs) – from detection and assessment to documented decision-making – in a single workflow that can serve as evidence.
Background: In 2024, the number of newly reported vulnerabilities peaked at over 40,000 CVEs, a 38 percent increase on the previous year. Such a high volume makes it increasingly difficult for manufacturers of networked devices, machines, and systems to keep track of which of their products are specifically affected by a CVE report.
Integration of VEX data
To address this issue, ONEKEY has announced the integration of VEX (Vulnerability Exploitability eXchange) data into its device software security testing platform as part of its management platform alignment.
Although this step may appear technical at first, it is significant: it reduces team workload, accelerates compliance, and improves transparency across the digital supply chain.
New feature
The new feature enables companies to prove that not every vulnerability poses a risk. Not only does it document whether a vulnerability is relevant to the product in question, it also justifies this in a standard format, either individually or embedded in a software bill of materials.
These documents can easily be integrated into automated workflows and tools. This makes tracking and reporting vulnerabilities faster, easier, and more accurate.
Automation instead of manual review
Until now, security teams had to manually evaluate each reported CVE vulnerability and justify why it might not pose a risk to the product in question. This often resulted in misunderstandings and time-consuming queries from customers, regulators, and partners.
The new technology solves this problem by standardising the context of a vulnerability. It provides the crucial information on whether a known vulnerability in a specific product can actually be exploited. Through integration into the ONEKEY platform, these vulnerability decisions can now be automated and made traceable.
Competitive advantage
The new integration arrives just in time: The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers of networked devices, machines, and systems must significantly increase and document the resilience of their products against cyberattacks.
Adopted in 2024, the CRA will come into full effect at the end of 2027, at which point all connected products offered on the EU market must meet CRA requirements. Given that product development takes two to three years on average, the current expansion of the ONEKEY platform will be of great benefit to manufacturers.
The advantages for companies at a glance:
- Fewer queries from compliance, customers, and partners: Standardised data provides immediate clarity on the status of vulnerabilities and reduces manual communication processes.
- Faster certifications and security approvals: Automated and traceable documentation of vulnerabilities allows products to be certified and approved more quickly.
- Competitive advantage: With this integration, ONEKEY offers customers a solution that meets the growing demand for transparency in the supply chain.
“We want to give our customers the opportunity not only to find vulnerabilities, but also to prove that their products are secure,” explained Jan Wendenburg, CEO of ONEKEY. “With the new integration, we are automating the risk assessment process and helping our customers use their time for strategic rather than administrative tasks.”
ONEKEY strategy
The new integration is part of ONEKEY's corporate strategy to expand the functionality of its security platform beyond simply identifying software vulnerabilities to include additional options for comprehensive CVE management.
This includes prioritisation and documentation to demonstrate whether a vulnerability has been resolved or is irrelevant in the given environment.
“Structured and automated vulnerability management is one of the most important issues for manufacturers of digital products,” said Jan Wendenburg, based on numerous customer discussions.
Growing demand for appropriate functions
With more than 100 new CVEs emerging daily, the implications for product ranges remain unclear. Combined with increasingly strict legal compliance requirements, this has led to considerable uncertainty and, in some cases, excessive demands.
“That's why this fall we are focusing on meeting the growing demand for appropriate functions, to help manufacturers of digital products address the issue of cybersecurity,” said Jan Wendenburg, explaining the ONEKEY strategy. “This marks the transition from pure vulnerability detection to an environment for complete management.”
Product cybersecurity & compliance management
ONEKEY is the major European specialist in product cybersecurity & compliance management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC).
The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access.
Proactively audit software supply chains with integrated Software Bills of Materials (SBOMs) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
Product Security Incident Response Team
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Major international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.