The EU Cyber Resilience Act
BOMs for software are coming soon
The European Cyber Resilience Act (CRA) stipulates that software products must in future come with a so-called Software Bill of Materials (SBOM): an inventory of all the components a piece of software uses. This is intended to make both the development process and the use of software more secure.
Providers and users should familiarize themselves with SBOMs, as their provision will soon be required.
(Image: freely licensed, Innovalabs / Pixabay)
Which code components were used when a piece of software was built? In future, electronic parts lists, so-called Software Bills of Materials (SBOMs), will answer that question. They are provided for in Part 2 of Technical Guideline TR-03183 of the Federal Office for Information Security (BSI) and will soon be made mandatory by legislators. In the USA, SBOMs have already been required for applications in the regulatory environment since US Executive Order 14028 of May 2021, and since March 2023 SBOMs for medical devices have had to be submitted to the FDA (Food and Drug Administration) for approval.
An SBOM documents which commercial and free software components are contained in a software product. It makes dependencies on third-party components transparent and thus helps to monitor vulnerabilities. Software BOMs are one of the central requirements of the European Cyber Resilience Act (CRA), which the EU Commission published as a draft in September 2022 and which is currently in the legislative process.
Implementation is urgently required
Its implementation is urgent: according to Gartner, almost two thirds (61 percent) of US companies were directly affected by an attack on the software supply chain between April 2022 and April 2023. The analysts also report a three-digit increase in attacks on code, tools, open-source components and development processes. This underlines the urgency of SBOMs. Implementing the associated practices and recommendations could arm security and risk management leaders in companies against attacks on the software supply chain.
“Numerous cyber security incidents in recent years show that considerable dangers emanate from undetected installed device software or firmware. Many of these vulnerabilities are due to immature security practices. A software bill of materials makes the components with vulnerabilities visible,” says Jan Wendenburg, CEO of the security specialist Onekey.
Automation shortens long process
Oliver Dehning, Head of the Competence Group (KG) Security in the eco association.
(Photo by eco)
However, Wendenburg also points out challenges when creating software BOMs: the sheer volume of SBOM information and the possible differences in the structure of SBOMs make them difficult to create and mean a lot of effort for every creator. Wendenburg therefore recommends tools that automate the creation of such lists.
To compare an SBOM with vulnerability information such as CVE (Common Vulnerabilities and Exposures) entries or security advisories from the component creators or vendors, an analysis of the software itself is still necessary. This process, part of vulnerability management for the product, can be lengthy; its result must then be made available to the software's users as a security advisory or a Vulnerability Exploitability eXchange (VEX) document.
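The following added example (not from the article or any vendor named in it) shows the first, automatable step of the comparison just described: components from a constructed CycloneDX-style SBOM are matched by name against a constructed advisory feed with placeholder identifiers, and the result is emitted in the shape of a CycloneDX VEX `vulnerabilities` list. The version-range check only says whether a vulnerable version is present; the product-level analysis the article mentions still has to confirm exploitability before a final VEX statement is published.

```python
import json

# Constructed minimal CycloneDX-style SBOM (hypothetical component names).
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "library", "name": "example-http-lib", "version": "2.4.1",
   "purl": "pkg:pypi/example-http-lib@2.4.1"},
  {"type": "library", "name": "example-json-parser", "version": "1.0.9",
   "purl": "pkg:pypi/example-json-parser@1.0.9"}
 ]}"""

# Constructed advisory feed; the CVE ids are placeholders, not real entries.
ADVISORIES = [
    {"id": "CVE-0000-00001", "name": "example-http-lib",
     "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "CVE-0000-00002", "name": "example-json-parser",
     "introduced": "1.0.0", "fixed": "1.0.5"},
]

def parse_version(v):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (half-open range, as in OSV-style advisories)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom_json, advisories):
    """Match every SBOM component against the advisory feed and return a
    CycloneDX-VEX-style list; 'not_affected' here means only that the shipped
    version lies outside the advisory's range (a real VEX adds a justification)."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            hit = is_affected(comp["version"], adv["introduced"], adv["fixed"])
            findings.append({
                "id": adv["id"],
                "affects": [{"ref": comp["purl"]}],
                "analysis": {"state": "affected" if hit else "not_affected"},
            })
    return findings

if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f["id"], f["affects"][0]["ref"], f["analysis"]["state"])
```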
The eco Association of the Internet Industry also strongly advises providers to take care of SBOMs immediately: “Providers and users should familiarize themselves with SBOMs, as the provision of SBOMs will soon be required by providers in many market areas. Users should already be demanding SBOMs from their suppliers today, even if many providers are not yet able to provide them,” says Oliver Dehning, Head of the Competence Group (KG) Security at the eco association.