From SBOM to Vulnerability Management: Crawl, Walk, Run

Do you know whether your devices are affected by the latest bluetooth vulnerability du jour? Are your product security teams so stretched and need more efficient processes to ease the burden, but don’t know where to start?Are you flooded with vulnerability information but finding it hard to prioritize and make it useful? You can take meaningful steps today, no matter the maturity of your current vulnerability management program.

Where to start? We outline suggestions to help you move from a crawl to a walk or from a walk to a run.

Before taking the next step, define objectives: What is the business value of your SBOM project?

As with all major undertakings, an improvement project needs to have clear and measurable objectives. Your project could be aimed toward reducing vulnerability blindspots, decreasing level of effort per vulnerability disposition, capturing knowledge, responding to customer risk questionnaires more rapidly, or all of the above. Pick one or more business objectives to align efforts and measure ROI of your project.

Crawl Characteristics:

Ad hoc response to customer or regulatory queries about vulnerabilities in a shipped product. A new vulnerability is published by a security researcher. A security engineer raises an alarm about a new vulnerability. Awareness that the ad hoc processes are not going to be sustainable. There’s no proactive generation of SBOMs or they’re not in a machine-readable format.

Steps to improve:

Identify, document, and assess the business risks of the current ad hoc process, perhaps by running a tabletop exercise and sharing results across product teams. Identify the biggest gaps and low-hanging fruit (e.g., start producing simple SBOMs, make a template for vulnerability disposition and store it in a central, accessible location) and tackle those first. Educate stakeholders on the gaps.

Walk Characteristics:

Moving from responding to a single vulnerability/incident ad hoc, to establishing, operating, and improving processes and tooling. Visibility into the vulnerabilities affecting all product dependencies is problematic — a single vulnerability may affect all/many devices/systems deployed in the fieldas well as under development differently — each needing an individual product-specific disposition.

Steps to improve:

Dive into the hard work of proactively identifying and assessing/disposing of these vulnerabilities as part of the product development lifecycle. The volume of data and stakeholder engagement needed for this is far too resource-intensive to do manually, ad hoc. Leverage workflows and tools, such as MedCrypt’s Heimdall, to help track SBOM versions, match known vulnerabilities to SBOMs, and aid in knowledge-preserving resolution management. Ask organization-level strategic questions, like whether a federated or a centralized vulnerability management program model will work best for your company.

Run Characteristics:

“Running” with vulnerability management requires a more integrated (i.e., during the full life cycle from R&D to sunset) and fully proactive approach. Continuously identifying vulnerabilities and making architectural choices before building a product, continuously managing known vulnerabilities, and optimizing tooling with associated processes to streamline or even automate vulnerability management across relevant stakeholders (including regulators and customers).

Steps to improve:

Embed vulnerability management tools and processes in your company’s existing systems. Measure the speed and quality of vulnerability management, and use those metrics to identify opportunities to optimize. Save time and money by automating SBOM generation and vulnerability matching, standardizing assessment and mitigation actions, and increase transparency for your customers through continuous vulnerability management and patch integration tools.

Wrapping Up

Vulnerability management and SBOMs can be difficult and time-consuming, but there are opportunities for improvement, better business value, and ROI at every stage of maturity. The dozens of low level, pervasive vulnerabilities that have impacted medical devices in recent years (think: Urgent/11) demonstrate that all companies need to be prepared. There are enough incentives (including President Biden’s executive order and FDA’s increased scrutiny on vulnerability management), that the time to mature your programs is now.

Need help with SBOMs and vulnerability management? MedCrypt offers services to support SBOM and vulnerability management improvement projects at all stages of maturity. Email shannon@medcrypt.co, visit medcrypt.com/heimdall, and register for the cybersecurity maturity webinar here.