EU Cyber Resilience Act: Key Updates on SBOM Compliance

November 20, 2024November 20, 2024 bbossolacompliance, CRA, cyber-security, cybersecurity, devops, meterian, opensource, regulation, risk, security, technologyLeave a comment

Since our previous discussion on the EU Cyber Resilience Act (CRA) and Software Bill of Materials (SBOMs), significant updates have clarified and expanded the framework for compliance. The European Parliament approved the CRA on March 12th, marking its importance in enhancing product security across the EU. This follow-up explain these developments, focusing on new guidelines and the evolving expectations for SBOM compliance.

New clarity on SBOMs from Germany: TR-03183

To provide more detailed guidance, Germany’s Federal Office of Information Security (BSI) released the Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)), version 2.0. This 20-page document sets the groundwork for SBOM requirements under the CRA. Key highlights include:

Mandatory SBOM Compilation: An SBOM is essential for meeting CRA compliance.
Minimum Information Requirements: The SBOM must include the component name, version, dependencies, license (preferably using SPDX or ScanCode identifiers), and a SHA-256 hash.
Version-Specific SBOMs: A separate SBOM must be generated for each software version, with updates made only for error corrections or new information.
Preferred Formats: SBOMs must adhere to CycloneDX (v1.4 or higher) or SPDX (v2.3 or higher).
Process Integration: The SBOM must be generated as part of the build process or an equivalent mechanism.

Other recommendations, such as using CSAF with a VEX profile for distributing vulnerability information, aim to enhance transparency without directly embedding vulnerabilities in the SBOM.

Challenges in SBOM Implementation

While TR-03183 provides critical guidance, several unresolved issues highlight the complexities of SBOM creation and usage:

Identification Gaps: The absence of mandatory CPE or PURL requirements makes vulnerability reporting from SBOMs prone to errors.
Undefined “Scope of Delivery”: The guidelines use this term to define the depth of transitive component enumeration but lack clarity on acceptable thresholds.
SHA-256 Ambiguity: The methodology for computing a SHA-256 hash of source code remains unspecified.
Relationship Details: While all transitive components must be recursively included, relationships among them are not explicitly required. This omission can hinder the effectiveness of SBOMs in vulnerability management.

Preparing for CRA Compliance

The CRA’s adoption signals a critical need for manufacturers and software developers to refine their compliance strategies. With enforcement set for early 2027, organisations should prioritise:

Automating SBOM Generation: Tools like Meterian can streamline SBOM creation, ensuring accurate dependency mapping and compliance with CRA’s format requirements.
Enhancing Vulnerability Management: Despite the lack of mandatory CPE or PURL, integrating these identifiers into internal processes can improve accuracy.
Staying Updated: Monitoring updates to technical guidelines like TR-03183 will be vital as CRA implementation progresses.

Looking ahead

The CRA represents a significant step forward in securing the digital ecosystem. By leveraging clear guidelines and robust tools, organisations can align with compliance requirements while strengthening their cybersecurity posture. The publication of TR-03183 marks progress but also underscores the need for continued refinement as industry feedback shapes the future of SBOM practices.

Navigating the complexities of SBOM creation and CRA compliance doesn’t have to be overwhelming. Meterian provides automated solutions designed to simplify the generation and management of SBOMs, ensuring:

Effortless Compliance: Meterian supports both CycloneDX format, helping you meet the CRA’s technical requirements with ease.
Comprehensive Dependency Mapping: Automatically scans your codebase to identify all components and transitive dependencies, ensuring nothing is missed.
Ongoing Vulnerability Monitoring: Integrates seamlessly with vulnerability databases to keep your SBOMs updated and your products secure.
Time-Saving Automation: Embeds SBOM generation into your build processes, reducing manual effort and increasing efficiency.

With Meterian, you can confidently meet CRA requirements while enhancing your overall security posture. Contact us to learn how we can support your journey toward compliance and beyond.

Meeting Compliance Challenges in Healthcare: How Cybersecurity Partnerships Can Lead to Success

July 11, 2024July 11, 2024 bbossolabusiness, compliance, cybersecurity, healththech, SBOM, security, technologyLeave a comment

As healthcare companies face a complex web of EU and US regulations, understanding and adhering to these standards is crucial for maintaining trust and operational continuity. Regulations such as the EU’s Medical Device Regulation (MDR), the Network Information Security (NIS) directive, and upcoming legislation like the Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) demand meticulous compliance and robust cybersecurity measures.

Specifically, MDR requires stringent oversight of software used within medical devices, demanding thorough documentation and regular updates to ensure safety and performance. Meterian simplifies these tasks by automating the detection of vulnerabilities and outdated components in software, facilitating compliance through comprehensive Software Bill of Materials (SBOMs). These SBOMs provide a detailed inventory of all software components, crucial for MDR compliance, and help healthcare organisations maintain the integrity and security of their medical devices. By streamlining these processes, Meterian not only aids in meeting regulatory requirements but also enhances operational efficiency and reduces the risk of non-compliance penalties.

Meterian stands as a pivotal ally for healthcare companies navigating these regulatory landscapes. By offering tools that facilitate compliance with these stringent regulations, Meterian ensures that healthcare providers can focus more on patient care and less on the nuances of cybersecurity compliance.

The conversation around SBOMs and compliance is growing, and Meterian is leading these discussions with healthcare companies, showcasing how automation and detailed compliance reporting can ease the burden on healthcare providers. Whether it’s a startup or a seasoned enterprise, Meterian’s scalable solutions fit diverse budgets and operational scales, making comprehensive cybersecurity accessible to all healthcare entities.

By partnering with Meterian, healthcare companies not only ensure compliance with current regulations but also prepare for future legislative changes. Meterian’s proactive approach helps companies anticipate and adapt to the regulatory landscape, ensuring that they are always one step ahead in their cybersecurity measures.

Are you ready to elevate your healthcare organisation’s compliance and cybersecurity strategy?

Partner with Meterian today to ensure that your technology infrastructure meets the stringent demands of regulations like the NIS Directive and MDR. Don’t wait until a cybersecurity incident occurs – take proactive steps to safeguard your patient data and systems.

Visit our website or contact us to learn how Meterian can help your healthcare organisation stay secure, compliant, and resilient in an ever-evolving digital landscape.

Ensuring Data Integrity and Security in Healthcare: The Crucial Role of Application Security

June 11, 2024 bbossolacompliance, cyber-security, cybersecurity, CyberUK24, information-security, opensource, risk, SBOM, security, technologyLeave a comment

In the digital age, healthcare companies are guardians of vast amounts of sensitive user data, ranging from personal health records to financial information. With this responsibility comes the challenge of ensuring data integrity and security against the growing threats of cyberattacks and data breaches. Meterian, a leader in application security, is at the forefront of providing solutions that safeguard this critical data.

Healthcare providers harnessing open-source software face unique security risks that require vigilant management and protection strategies. Meterian’s innovative tools actively scan and identify vulnerabilities within applications, ensuring that all components are up to date and secure against potential threats. By leveraging Meterian’s capabilities, healthcare companies can not only protect their patient data but also enhance their overall cybersecurity posture.

Protecting patient records.

In collaboration with Emis Group, a well-established brand in healthcare technology, Meterian has demonstrated its value in real-world applications. Emis has utilised Meterian’s solutions to bolster their applications’ defences, thereby protecting millions of patient records. While our partnership with Emis illustrates Meterian’s capability to handle the complex cybersecurity needs of large enterprises, it’s important to recognise that our solutions are equally effective and accessible for SMEs and startups. Meterian understands the unique challenges faced by smaller organisations, including tighter budgets and limited resources, as our platform is designed to be flexible and scalable.

For healthcare organisations, the fear of missing out on the highest level of security should be a significant concern. Meterian provides an essential layer of security that automates and streamlines the detection and management of vulnerabilities—tasks that would otherwise consume valuable development resources. As legislation evolves and compliance becomes even more stringent, Meterian’s tools help healthcare companies stay ahead, ensuring they meet all regulatory requirements while securing user data against emerging threats.

A successful case study.

To see first – hand how Meterian is enhancing cybersecurity in the healthcare industry, we invite you to explore our success story with Emis Group. This case study provides a detailed look at how Emis leveraged Meterian’s cutting-edge solutions to fortify their application security, ensuring compliance with stringent regulations and protecting sensitive patient data.

Visit Meterian today!

Discover Meterian at CyberUK 2024

April 29, 2024April 30, 2024 bbossolacompliance, cyber-security, cybersecurity, CyberUK24, information-security, opensource, risk, SBOM, security, technologyLeave a comment

The UK government’s flagship cyber security event, CyberUK 2024. is just around the corner! Hosted by the National Cyber Security Centre (NCSC), this annual gathering brings together over 2,000 cyber security leaders and professionals for networking, knowledge exchange, and collaboration.

Deputy Prime Minister Oliver Dowden recently announced the theme for CYBERUK 2024 during a speech at techUK. The focus will be on how the cyber community can harness the societal benefits of emerging technologies while ensuring their security for the future. This theme is particularly relevant as we navigate the ever-evolving landscape of cyber threats and opportunities.

What to Expect

Networking and Learning: Over 2,000 cyber security experts will convene in Birmingham from May 13th to 15th. Attendees will have the opportunity to network, learn from world-leading experts, and collaborate on pressing challenges facing the global cyber community.
Expert Speakers: More than 100 expert speakers will share insights on the threat landscape, resilience, and cutting-edge developments. From employing AI in healthcare research to using quantum computers for climate change solutions, CYBERUK 2024 promises to explore exciting possibilities
Exhibitors and Sponsors: Meet 150+ sponsors and exhibitors, fostering collaboration, learning, and innovation. These partnerships are crucial for addressing cyber challenges across public and private sectors

Where to find us

We will be exhibiting at CyberUK 2024. Loved by SMEs and CNI, our secure-by-design agile approach to software development delights developers and compliance teams. Come and learn how Meterian protects the Open Source Software Supply Chain.

Visit us Stand IZ3 at the Birmingham ICC, May 13-15th.

Understanding the Importance of Software Composition Analysis in the Context of EU’s DORA Regulations

April 15, 2024April 16, 2024 bbossolacompliance, cybersecurity, meterian, vulnerabilitiesLeave a comment

The EU’s Digital Operational Resilience Act (DORA) represents a significant step towards ensuring that the financial sector can withstand and rapidly recover from ICT-related disruptions and threats. Among the wide variety of security testing tools and actions mandated by DORA, Software Composition Analysis (SCA) emerges as a critical component. Let’s explore why SCA is vital in this new regulatory landscape and how solutions like Meterian can be particularly beneficial.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is a cybersecurity process that helps organizations identify and manage open source components within their software inventory. SCA tools scan software projects to detect open source libraries and frameworks, check the versions used, and compare them against databases of known vulnerabilities. Additionally, SCA assesses license compliance risks, ensuring that the open source licenses are compatible with corporate policies on software usage.

The Role of SCA Under DORA

The DORA framework emphasizes the need for a broad and adaptable approach to cybersecurity, recognizing the diverse nature of financial entities and their varying levels of ICT maturity. Here’s why SCA is integral to this approach.

Vulnerability Management
Financial entities utilize a plethora of software solutions, many of which rely on open-source components. SCA provides a systematic approach to detecting vulnerabilities in these components, some of which may be critical and widely exploited in the financial sector. By identifying these vulnerabilities early, financial institutions can patch them before they are exploited.

Compliance and Risk Management
DORA calls for rigorous compliance standards, including in areas like software licensing. SCA tools automatically detect the licenses of every component and alert teams about potential legal and operational risks, thus supporting compliance with DORA requirements.

Enhanced Operational Resilience
By integrating SCA into their cybersecurity practices, financial institutions can improve their operational resilience. Knowing exactly what is in their software reduces the time and resources spent on crisis management in the event of a security breach.

Supporting Advanced Testing Requirements
As entities mature, advanced testing such as Threat-Led Penetration Testing (TLPT) becomes viable. SCA ensures that the foundational elements of software security are addressed, which is critical for conducting more sophisticated, scenario-based tests effectively.

How Meterian Can Help

In the context of DORA, Meterian stands out as a valuable ally for financial institutions aiming to enhance their software security posture. Here’s how Meterian can specifically support compliance and resilience:

Continuous Security and Compliance Monitoring: Meterian continuously scans your software projects, providing real-time alerts on new vulnerabilities and compliance issues. This ongoing monitoring ensures that financial entities can respond promptly to emerging threats.
Automated Fix Suggestions: Beyond identifying issues, Meterian provides actionable insights and automated fix suggestions. This helps in quickly resolving vulnerabilities and license conflicts, significantly reducing the window of exposure.
Ease of Integration: Meterian’s platform can be seamlessly integrated into existing development workflows. This integration ensures that security and compliance checks occur throughout the software development life cycle, aligning with DORA’s emphasis on continuous improvement and adaptation.
Customizable Reporting: Meterian offers detailed, customizable reports that can assist financial entities in demonstrating their compliance with DORA regulations to regulators. These reports provide clear evidence of the proactive measures taken to ensure operational resilience.

By leveraging SCA tools like Meterian, financial institutions can not only meet the stringent requirements set forth by DORA but also significantly strengthen their cybersecurity frameworks. This proactive approach to software security is essential in a landscape where digital operations are increasingly integral to financial stability and success.

Understanding SBOMs: A Crucial Aspect of the EU Cyber Resilience Act (CRA)

March 15, 2024March 15, 2024 bbossolacompliance, cybersecurity, risk, SBOMLeave a comment

The EU Cyber Resilience Act

The European Union Cyber Resilience Act (CRA), which was proposed on September 15, 2022, is the first EU-wide legislation addressing cybersecurity requirements for software and hardware manufacturers. Unlike the U.S. Executive Order, the CRA extends to all vendors who create products with digital components that connect to the internet. It will become enforceable in early 2027, three years after its ratification.

SBOM Requirements of the CRA

One of its key requirements focuses on Software Bill of Materials (SBOMs). An SBOM is essentially a comprehensive inventory of all software components used in a product. It provides transparency by listing out the dependencies, libraries, and third-party code that make up a software application. Think of it as a “recipe” for your software – it tells you exactly what ingredients (components) are included.

The key points related to Software Bill of Materials (SBOM) requirements under the EU Cyber Resilience Act are:

Manufacturers must identify and document product components and vulnerabilities, including the creation of a SBOM of at least the top-level dependencies of the product
The SBOM does not have to be made publicly available
The SBOM should be included in the technical documentation and, upon request, provided to market surveillance authorities

The EU Cyber Resilience Act mandates SBOM adoption to enhance cybersecurity and ensure transparency in software and hardware supply chains. Manufacturers need to create SBOMs for their products, while public availability is not required.

Why SBOMs are essential

SBOMs are a sensible tool to manage your supply chain transparency. With the increasing complexity of software supply chains, understanding what goes into your product is crucial. SBOMs allow manufacturers to trace the origins of each component, identify vulnerabilities, and assess risks.

By having an SBOM, organisations can proactively address security vulnerabilities. When a known vulnerability is discovered in a library or component, manufacturers can quickly assess which products are affected and take necessary remediation steps.

They are also required for compliance and legal requirements. Specifically, the CRA mandates that manufacturers create SBOMs for their products. Compliance ensures that products meet cybersecurity standards and reduces legal risks.

Why SBOMs are complicated

Creating and maintaining Software Bill of Materials (SBOMs) is a time-consuming process due to the intricate nature of modern software. Applications are no longer simple; they consist of interconnected components, libraries, and dependencies. The prevalence of open-source software further complicates matters. Each component introduces its own set of dependencies, licences, and potential vulnerabilities. Identifying and tracking all these elements manually is a daunting task. Ensuring accuracy, compliance, and security within this complex landscape inevitably consumes significant time and effort.

That’s the reason why it’s a good idea to adopt an automated solution that takes this problem away.

Meterian: your automated SBOM solution

Using automated analysis, Meterian continuously scans your codebase, identifies the whole network of dependencies, and generates an SBOM automatically. No manual effort required, as SBOMS can be created and stored during the analysis, or later on demand. This will save a substantial amount of time to your developers, who can say goodbye to weeks of research at each release. Everything happens directly on your pipelines or at the touch of a button.

With the help of his powerful vulnerability scanner, Meterian provides you all relevant vulnerability Insights. The Meterian vulnerability database tracks more than 340k vulnerabilities across more than 20 different OSINT sources. You will also automatically receive real-time alerts about vulnerabilities in your components, even if you do not actively analyse them: Meterian will do it for you.

Meterian is easy to integrate in your processes, as it seamlessly integrates with your development pipelines, ensuring continuous monitoring without any extra activity. A simple click, some lines of YAML, one or two lines of script, is all it takes. You get protection against vulnerabilities and compliance at the same time, without any extra effort.

Conclusion

As the EU Cyber Resilience Act comes into effect, manufacturers are required to embrace SBOMs to ensure transparency, enhance risk management, and achieve compliance. The Meterian platform simplifies the generation of SBOMs, enabling you to concentrate on developing secure and resilient software.

Remember: An SBOM isn’t just a regulatory requirement; it’s a powerful tool for safeguarding your digital products. Start creating your SBOMs today!

Ship software without vulnerabilities.

Level up your confidence in open source dependencies

Menu

compliance