The introduction of the EU Cyber Resilience Act (CRA) mandates that manufacturers and distributors of digital products with internet connectivity must provide a detailed Software Bill of Materials (SBOM). This requirement aims to expose potential software vulnerabilities, allowing them to be addressed promptly.
Under the CRA, networked devices, machines, and systems are required to have an exhaustive list of all programs, libraries, frameworks, and dependencies, including precise version numbers, licencing information, authorship details, and known security vulnerabilities. Manufacturers are facing challenges due to incomplete data from suppliers, resulting in SBOMs that often lack the necessary information to meet EU regulatory standards.
SBOM enhancement by ONEKEY
ONEKEY has introduced an innovative update to its platform, enhancing its capability to assess device
Düsseldorf-based cybersecurity firm ONEKEY has introduced an innovative update to its platform, enhancing its capability to assess device software (firmware) for security threats and generate enriched SBOMs.
These comprehensive Software Bills of Materials not only highlight vulnerabilities but also provide risk assessments within a single, consolidated file. According to ONEKEY's CEO, Jan Wendenburg, this turns the SBOM into a "security passport" that incorporates risk evaluation.
Wendenburg further stated, "The often complex supply chains and the frequent lack of understanding of EU-specific regulations among suppliers outside the European Union make it difficult to comply with the requirements of the Cyber Resilience Act." He views the new platform feature as a substantial step forward in addressing these compliance challenges.
Expanding beyond detection
The addition of this feature is part of ONEKEY’s broader strategy to bolster its platform, moving beyond mere vulnerability detection. Previously focused on identifying software weaknesses, the platform now aims to support manufacturers in managing these vulnerabilities more efficiently. "Identifying deficiencies is only the first step," comments Wendenburg. The enhanced platform aims to streamline cumbersome manual tasks, facilitating easier CRA compliance.
Through automated workflows, contextual evaluations, and audit-ready documentation, security and compliance teams can react more swiftly and adhere to regulatory standards. Wendenburg emphasised, "By enabling the platform to take on more and more routine tasks, we are giving specialists more time to focus on their most important task: maximising the security of their devices, machines, and systems."
The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers and distributors of digital products with an internet connection must provide a Software Bill of Materials (SBOM). This will help to identify potential software vulnerabilities that could be exploited by hackers so that they can be remedied in a timely manner.
The CRA therefore requires a detailed list of all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems, without exception, including the exact version numbers of the individual components, information on the respective licences, details of the authors, and an overview of all known vulnerabilities and security gaps. Many manufacturers struggle to meet these requirements, mainly because they do not receive complete information from their suppliers.
For this reason, many SBOMS are incomplete, outdated, or lack context regarding vulnerabilities. These incomplete and sometimes outdated Software Bills Of Materials are unusable for the mandatory documentation requirements imposed on manufacturers by EU regulations.
SBOM as the new security passport
The Düsseldorf-based cybersecurity company ONEKEY has now added a new feature to its platform that checks device software (firmware) for security vulnerabilities and enables the generation of so-called enriched SBOMs. These expanded Software Bills Of Materials contain all relevant information about vulnerabilities.
The SBOMs generated in this way fully meet all industry requirements. As well as containing the vulnerabilities with risk classification, they also provide evidence and justifications in a single, easy-to-use file.
“This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment,” explained Jan Wendenburg, CEO of ONEKEY. He knows from many discussions with manufacturers: “The often complex supply chains and the frequent lack of understanding of EU-specific regulations among suppliers outside the European Union make it difficult to comply with the requirements of the Cyber Resilience Act.” According to ONEKEY, the new functionality is a significant step towards overcoming this hurdle.
Beyond detection: Comprehensive vulnerability management
This latest feature forms part of an initiative to expand the ONEKEY platform, providing even better support for comprehensive software security vulnerability management. Until now, the platform has primarily focused on the detection of software vulnerabilities. “Identifying deficiencies is only the first step,” says Jan Wendenburg, “now we are taking further steps to relieve manufacturers as much as possible of time-consuming manual tasks and help them achieve CRA compliance.”
Automated workflows, contextual assessments, and audit-ready documentation will enable security and compliance teams to respond more quickly and act in a regulatory-compliant manner. “By enabling the platform to take on more and more routine tasks, we are giving specialists more time to focus on their most important task: maximising the security of their devices, machines, and systems,” says Jan Wendenburg, says Jan Wendenburg, outlining the company’s strategy.
