Eracent supports the broader Supply Chain Risk Management process by orchestrating several specific functions:
- Application Risk Management to understand the underlying risk of installed applications using state of the art SBOM Analysis
- End Point Discovery and End Point Analysis to continuously identify vulnerabilities and lifecycle issues related to systems and installed applications
- Product Data Enrichment to deliver unparalleled and updated information related to the most critical resources, applications, and systems
- Lifecycle Management to proactively ensure that both hardware and installed software remain supported and able to receive patches and updates.
Get your free SBOM Analysis and Management white paper today!
Download the “Application Risk Management: Enhanced Software Security through SBOM Analysis” white paper from Eracent.
Manage Your Application Risk with Eracent’s SBOM Analysis
The vast majority of commercial and custom applications contain open source code. Typical vulnerability analysis tools do not inspect individual open source components within applications, although any one of these components may contain vulnerabilities or obsolete code that can put you at risk. This was clearly demonstrated with the Log4j vulnerability that enabled the massive cybersecurity attack that spread to SolarWinds customers in 2020.
In response to ongoing breaches, many of which target the U.S. supply chain, President Biden issued Executive Order 14028 in May 2021. This order defines security measures that must be followed by any software publisher or developer that does business with the federal government.
Additionally, in December 2022, the signing of Section 3305 of the Consolidated Appropriations Act of 2023 authorizes the Food and Drug Administration (FDA) to establish cybersecurity standards for medical devices.
In Europe, The Network and Information Security (NIS) Directive established EU-wide legislation on cybersecurity. The subsequent NIS2 agreement, put into force in January 2023, obligates more entities and sectors to take measures to increasing the level of cybersecurity in Europe in the longer term.
The Digital Operational Resilience Act (DORA) [Regulation (EU) 2022/2554] also defines uniform requirements concerning the security and risk management of network and information systems in the financial industry.
The Software Bill of Materials (SBOM)
One of these measures includes providing a Software Bill of Materials – or SBOM – which lists a complete inventory of components that make up a software application. SBOMs follow National Institute of Standards and Technology (NIST) guidelines for consistent content as well as approved human- and machine-readable file formats: SPDX, CycloneDX and SWID.
SBOMs typically contain the following information about applications:
- Open source code
- Proprietary code
- Associated licenses
- Versions in use
- Download locations for components
- Dependencies
- • Sub-dependencies that the dependencies link to.
Mitigating Risk
Eracent’s ICSP Application Risk Management module provides an additional, critical level of protection to minimize software-based security risks. The toolset reads the content of SBOMs and matches each listed component to the most currently available vulnerability data, which is constantly updated in Eracent’s IT-Pedia® IT Product Data Library. This process provides instant visibility into any component-level vulnerabilities that need to be mitigated. It also identifies obsolete code that has not been updated recently and may pose a security risk.
Fortify your organization’s security with the additional level of protection provided by SBOM analysis. To learn more about the process and see a demo of the ICSP Application Risk Management module, contact Eracent today.