In an increasingly digitalized world, software is becoming more and more complex. Applications consist of numerous libraries and dependencies that can harbor security risks. The Cyber Resilience Act (CRA) requires companies to make their entire software supply chain transparent and secure. SBOMs, CVEs and CWEs form the basis for modern vulnerability management, but how is it all connected and why is it crucial for companies?
A software bill of materials (SBOM) lists all software components and thus creates transparency. On its own, however, it does not provide any indications of security vulnerabilities. It only becomes an effective vulnerability management tool when compared with vulnerability databases such as the National Vulnerability Database (NVD) or the planned EU Vulnerability Database (EUVD).
A CVE (Common Vulnerabilities and Exposures) is a unique identification number for a specific vulnerability, while a CWE (Common Weakness Enumeration) describes a type of vulnerability and outlines the technical causes of security problems. Together, these tools enable systematic detection, prioritization and remediation of vulnerabilities.
The Log4Shell vulnerability in the Apache Log4j library has shown how critical an opaque supply chain is. Many organizations were using Log4j indirectly via transitive dependencies without knowing it. Without an SBOM, it was unclear which systems were affected and it was difficult to find out whether their own software was also affected. An SBOM would have created transparency and enabled targeted action.
In future, the Cyber Resilience Act will require manufacturers and suppliers to create an SBOM for their product and introduce a vulnerability management process. Companies that are compliant at an early stage will benefit from greater customer trust, competitive advantages and lower cybersecurity risks.
Investing in security and compliance makes economic sense in the long term. Those who monitor their software supply chain today, have good vulnerability management and adapt to the requirements of the CRA will ensure the future viability of their products.
This blog was created as part of our work on the European research project CRACoWI (Cyber Resilience Act Compliance Wizard).
The aim of the project is to support companies, especially SMEs, with digital tools to implement the EU Cyber Resilience Act.
