Why vulnerability monitoring matters under the Cyber Resilience Act
According to the European Commission, cyberattacks targeting hardware and software products cost the global economy several trillion euros each year.
One major contributing factor is the lack of timely security updates for products already on the market.
To tackle this issue and better protect users, the Cyber Resilience Act introduces specific requirements focused on product vulnerabilities, the weaknesses an attacker can exploit to take control of a device, tamper with its data or disrupt its operation.
Now, let's take a closer look at the vulnerability handling requirements introduced by this regulation, grouped here under four headings.
1. Generating a Software Bill of Materials (SBOM)
The regulation requires manufacturers to identify and document the components contained in their products, which for an embedded device means every piece of firmware and software it ships with. This includes drawing up a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the product's top-level dependencies.
Having this comprehensive software inventory makes it far easier to identify, analyse and patch vulnerabilities in your products: a CVE advisory names a component and a version range, and without an inventory you cannot tell whether, or where, that component is in your image.
If you're using the Yocto Project in your system, here is a quick guide on how to generate your SBOM with Yocto.
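As an added illustration (this is not the quick guide itself, nor code from the Yocto Project), the local.conf fragment below turns on the two classes that make a normal image build produce both the SPDX SBOM and a matching CVE report; the image name used in the comments is a placeholder.

```bitbake
# conf/local.conf fragment (added example; "core-image-minimal" below is a placeholder image name)

# create-spdx writes an SPDX document per recipe and one per image;
# cve-check matches every recipe's product/version against the NVD feed
INHERIT += "create-spdx cve-check"

# Pretty-printed SPDX JSON diffs cleanly between releases
SPDX_PRETTY = "1"

# Also emit the machine-readable CVE summary (on by default in recent releases)
CVE_CHECK_FORMAT_JSON = "1"

# Surface every unpatched CVE as a build warning, not only in the report files
CVE_CHECK_SHOW_WARNINGS = "1"

# After "bitbake core-image-minimal", look for:
#   tmp/deploy/images/<MACHINE>/core-image-minimal-<MACHINE>.spdx.json  (image SBOM)
#   tmp/deploy/spdx/                                                    (per-recipe SPDX documents)
#   tmp/log/cve/cve-summary.json                                        (CVE report, all recipes)
```

Commit the generated image SBOM alongside each release: the CRA asks for an inventory that matches what was actually shipped, and the SPDX file produced by the build is that record.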
2. Monitoring and patching products security vulnerabilities
Device makers are required by the Cyber Resilience Act to diligently manage and address security vulnerabilities in their products. This involves three things: identifying and documenting the vulnerabilities and components contained in the product; addressing and remediating identified vulnerabilities without delay, including by providing security updates; and applying effective and regular tests and reviews of the product's security.
3. Communicating vulnerabilities information among stakeholders
The third vulnerability handling requirement is for manufacturers to publicly disclose information about fixed vulnerabilities once a security update is available, including a description of the vulnerability, which products are affected, its severity and impact, and clear instructions for remediating it, so that users are informed and able to take appropriate action.
A coordinated vulnerability disclosure policy must be put in place and enforced, together with measures that make it easy to share information about potential vulnerabilities, including a contact address for reporting them.
4. Applying regular security updates
Manufacturers must provide mechanisms to securely distribute updates so that exploitable vulnerabilities are fixed or mitigated in a timely manner. Security updates must be disseminated without delay, free of charge, and accompanied by advisories that tell users what is fixed and what action, if any, they need to take.
SCA tools to meet these vulnerability management requirements
Numerous Software Composition Analysis (SCA) tools, such as CVE Scan, are available to generate component inventories, both SBOMs and hardware bills of materials (HBOMs). When integrated into your CI pipelines, these tools also continuously identify and monitor vulnerabilities in your embedded system, so that a newly published CVE affecting a shipped component shows up on the next build rather than at the next audit.
When selecting a tool, it's crucial to consider:
- the accuracy of the results: false positives cost triage time on every build, while false negatives (typically caused by components that the scanner fails to match to the right product name and version) leave exploitable vulnerabilities unseen
- and data ownership: the tool holds a complete list of the unpatched weaknesses in your product, so where that data is stored and who can access it is a security decision in its own right.
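Integrating the scan into CI is only useful if the pipeline acts on the result. The script below is an added example, not code from the original post or from CVE Scan or the Yocto Project: it reads the JSON summary written by Yocto's cve-check class (assumed layout: a top-level `package` list, each entry carrying an `issue` list with `id`, `scorev2`, `scorev3` and `status` fields) and fails the build on unpatched CVEs at or above a CVSS threshold that are not on a documented accepted-risk list. The embedded report is constructed sample data; the package names and CVE identifiers are placeholders, not real findings.

```python
"""CI gate over a Yocto cve-check JSON summary (added example, not from the page)."""
import json
import sys
from dataclasses import dataclass

# Constructed sample in the layout cve-check writes to tmp/log/cve/cve-summary.json.
# Package names and CVE ids are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "examplelib", "layer": "meta-example", "version": "1.2.3", "issue": [
            {"id": "CVE-0000-0001", "summary": "placeholder", "scorev2": "7.5",
             "scorev3": "9.8", "vector": "NETWORK", "status": "Unpatched"},
            {"id": "CVE-0000-0002", "summary": "placeholder", "scorev2": "4.3",
             "scorev3": "5.3", "vector": "NETWORK", "status": "Unpatched"},
            {"id": "CVE-0000-0003", "summary": "placeholder", "scorev2": "7.5",
             "scorev3": "9.1", "vector": "NETWORK", "status": "Patched"},
        ]},
        {"name": "oldtool", "layer": "meta-example", "version": "0.9", "issue": [
            # Older CVEs carry no CVSS v3 score; the v2 score is the fallback
            {"id": "CVE-0000-0004", "summary": "placeholder", "scorev2": "10.0",
             "scorev3": "", "vector": "NETWORK", "status": "Unpatched"},
            {"id": "CVE-0000-0005", "summary": "placeholder", "scorev2": "2.1",
             "scorev3": "3.3", "vector": "LOCAL", "status": "Ignored"},
        ]},
    ],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    score: float   # CVSS v3 base score, or v2 when v3 is absent
    status: str    # "Unpatched", "Patched" or "Ignored", as written by cve-check


def _score(issue):
    """Prefer the CVSS v3 score; fall back to v2; treat missing scores as 0."""
    for key in ("scorev3", "scorev2"):
        try:
            return float(issue.get(key, ""))
        except (TypeError, ValueError):
            continue
    return 0.0


def load_findings(report_text):
    """Flatten the per-package report into one Finding per CVE."""
    report = json.loads(report_text)
    if report.get("version") != "1":
        raise ValueError("unexpected cve-check report version %r" % report.get("version"))
    findings = []
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            findings.append(Finding(pkg["name"], pkg.get("version", ""),
                                    issue["id"], _score(issue), issue.get("status", "")))
    return findings


def gate(findings, min_score=7.0, accepted=frozenset()):
    """Return the findings that must fail the build: unpatched, at or above the
    CVSS threshold, and not on the documented accepted-risk list. Anything
    Patched or Ignored by the recipe is already handled; lower-severity
    unpatched CVEs are reported but do not block."""
    blocking = [f for f in findings
                if f.status == "Unpatched" and f.score >= min_score and f.cve not in accepted]
    return sorted(blocking, key=lambda f: (-f.score, f.cve))


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = load_findings(text)
    blocking = gate(findings)
    for f in findings:
        flag = "BLOCK" if f in blocking else "     "
        print("%s %-14s %-10s %-8s %4.1f %s" % (flag, f.cve, f.package, f.version, f.score, f.status))
    print("%d finding(s), %d blocking" % (len(findings), len(blocking)))
    return 1 if blocking else 0   # non-zero exit code fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 cve_gate.py tmp/log/cve/cve-summary.json` as the last step of the image build job. Keep the accepted-risk list in version control with a justification per entry: it is the same evidence the CRA's documentation duties call for, and a blanket threshold without it quietly becomes a way to ship known-exploitable components.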