A Joint Solution for Effective Vulnerability Management in Software-Defined Vehicles
DUESSELDORF – We are excited to introduce a joint solution involving ONEKEY and ESCRYPT CycurRISK that addresses the pain points faced by the automotive industry when it comes to vulnerability management in software-defined vehicles. ESCRYPT CycurRISK is a software tool for threat analysis and risk assessment from ETAS, the market leader for embedded automotive cybersecurity solutions.
Under the UN R 155 regulation, OEMs are required to monitor, detect, and respond to vulnerabilities in their vehicles. However, effective vulnerability monitoring can be challenging due to the need to identify the software components and versions running on each vehicle. Maintaining this information in a software bill of materials (SBOM) can be a complex task. Additionally, vulnerability scanning often generates a long list of potentially relevant findings, making it difficult for developers to prioritize and address them.
To alleviate these pain points, we present our joint solution: ONEKEY provides a platform to manage and validate SBOMs, as well as detect and auto-prioritize vulnerabilities. It enables automated generation of a list of software components (SBOM) from a binary, without requiring access to the source code. Further, known vulnerabilities (CVEs) and unknown vulnerabilities (Zero-Days) will be identified and prioritized in minutes. On the other hand, ESCRYPT CycurRISK supports the creation and maintenance of Threat Analyses and Risk Assessments (TARAs). Analysts can capture valuable context information about the analyzed functionality or component, enabling them to assess the impact of potential attacks on assets in a given context. The information from ESCRYPT CycurRISK is then used to prioritize the most critical vulnerabilities in the software.
With this joint solution, the large number of identified vulnerabilities becomes more manageable. Developers receive a filtered and prioritized list of vulnerabilities, allowing them to focus on improving the software in the areas that matter most.
Looking ahead, we are excited to announce further upcoming topics. Firstly, we will explore the extended use case of feedback information from vulnerability management back into the TARA, ensuring that the risk assessment remains current. Secondly, we will aim to create an extended eco system by closely interweaving other ETAS cybersecurity products and solutions, such as ESCRYPT CycurGUARD and ESCRYPT CycurFUZZ, to further enhance the efficiency and effectiveness of vulnerability management in software-defined vehicles.
Stay tuned for more updates on these exciting developments!
Learn more: ESCRYPT CycurRISK – ESCRYPT Cybersecurity Products – ETAS
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH,
Sara Fortmann, E-Mail: sara.fortmann@onekey.com,
Kaiserswerther Strasse 45, 40477 Duesseldorf, Germany,
Web: www.onekey.com