
Automated Software Product Vulnerability Reporting in SAG-PM™


Software consumers want to know, before purchasing or installing software, “What is the vulnerability status NOW for each SBOM component in the product?”

“REA customers can rest assured knowing that SAG-PM™ has been designed to rapidly adapt and evolve in this ever-changing world of cybersecurity to protect customers from new software attack methods”
— Joanne Brooks, REA Co-Founder
WESTFIELD, MA, USA, March 9, 2022 -- Software consumers want to know, before purchasing or installing a software product, “What is the vulnerability status NOW for each SBOM component in the product?” This information gives software consumers advance warning of any potential vulnerabilities that could be introduced into a digital ecosystem, before any attempt to procure or install the software. This could save a company from business disruptions caused by a ransomware attack or other risks that can enter the business through software.

Today, Reliable Energy Analytics (REA™) announces SAG-PM™ support for two automated, open-source vulnerability reporting formats that answer the question above, similar to the way a CARFAX report operates, providing the current, real-time vulnerability status of a software product on an ongoing basis. The two reporting methods differ in their approach, but both satisfy the software vulnerability reporting requirements for Executive Order 14028 and NIST SP 800-161 Appendix F.

The open-source OWASP CycloneDX VEX (CDXVEX) disclosure report uses an implicit disclosure model and the open-source REA SBOM Vulnerability Disclosure Report (SBOM VDR) uses an explicit disclosure model. Both CDXVEX and SBOM VDR can report on known software vulnerabilities from the NIST National Vulnerability Database (NVD) that are reported at an SBOM component level for a specific SBOM artifact to satisfy Executive Order 14028 vulnerability reporting requirements. During procurement negotiations a software consumer can specify the SBOM format and vulnerability disclosure report format that is expected from a software vendor throughout the contract lifetime.

The main difference between the SBOM VDR and CDXVEX reporting formats is coverage. CDXVEX reports only those software components that have known, reported vulnerabilities, using an implicit model: a component with no vulnerabilities is simply not listed in a CDXVEX report. SBOM VDR reports the vulnerability status of every software component listed in an SBOM, including those with no reported vulnerabilities, using an explicit model that shows the vulnerability search result status of each SBOM component.
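To make the implicit/explicit distinction concrete, the following Python script is an added illustration, not code from REA, SAG-PM™, or the CycloneDX project. It builds both report styles from the same constructed SBOM and a constructed stand-in for an NVD lookup; the record layouts are deliberately simplified and are not the CycloneDX VEX or REA SBOM VDR schemas, and the vulnerability identifiers are placeholders. It also shows the practical consequence for a consumer: an implicit report cannot distinguish a component that was checked and found clean from one that was never assessed, while an explicit report carries that status per component.

```python
from typing import List, Optional

# Constructed SBOM: each component is a (name, version) pair. Names are hypothetical.
SBOM_COMPONENTS = [
    ("libexample-crypto", "1.2.0"),
    ("libexample-net", "3.0.1"),
    ("libexample-json", "0.9.4"),
    ("vendor-private-util", "2.1.0"),  # constructed: absent from the feed entirely
]

# Constructed stand-in for NVD search results. A present key maps to the list of
# identifiers found (possibly empty, meaning "searched, nothing known"). A missing
# key means the feed has no record for that component, so no assessment was made.
VULN_FEED = {
    "libexample-crypto@1.2.0": ["PLACEHOLDER-CVE-1", "PLACEHOLDER-CVE-2"],
    "libexample-net@3.0.1": [],
    "libexample-json@0.9.4": ["PLACEHOLDER-CVE-3"],
}


def lookup(name: str, version: str) -> Optional[List[str]]:
    """Return the vulnerability list for a component, or None if it was never assessed."""
    return VULN_FEED.get(f"{name}@{version}")


def implicit_report(components, lookup_fn=lookup):
    """Implicit model (CDXVEX-style): only components with known vulnerabilities appear."""
    report = []
    for name, version in components:
        vulns = lookup_fn(name, version)
        if vulns:  # silent on empty results and on components never looked up
            report.append({"component": f"{name}@{version}",
                           "vulnerabilities": list(vulns)})
    return report


def explicit_report(components, lookup_fn=lookup):
    """Explicit model (SBOM VDR-style): every SBOM component appears with its status."""
    report = []
    for name, version in components:
        vulns = lookup_fn(name, version)
        if vulns is None:
            status = "not_assessed"          # constructed label: no search result exists
        elif vulns:
            status = "affected"              # constructed label: known vulnerabilities found
        else:
            status = "no_known_vulnerabilities"  # constructed label: searched, nothing found
        report.append({"component": f"{name}@{version}",
                       "status": status,
                       "vulnerabilities": list(vulns or [])})
    return report


def silent_components(components, implicit):
    """SBOM components an implicit report says nothing about.

    From the report alone a consumer cannot tell whether each of these was
    searched and found clean or was never searched at all.
    """
    listed = {entry["component"] for entry in implicit}
    return [f"{n}@{v}" for n, v in components if f"{n}@{v}" not in listed]


def coverage_gap(explicit):
    """Components whose explicit status records that no assessment was performed."""
    return [e["component"] for e in explicit if e["status"] == "not_assessed"]


if __name__ == "__main__":
    import json
    implicit = implicit_report(SBOM_COMPONENTS)
    explicit = explicit_report(SBOM_COMPONENTS)
    print("implicit (only affected):", json.dumps(implicit, indent=2))
    print("explicit (every component):", json.dumps(explicit, indent=2))
    print("silent in implicit report:", silent_components(SBOM_COMPONENTS, implicit))
    print("never assessed per explicit report:", coverage_gap(explicit))
```

Running the script shows the implicit report with two entries and the explicit report with four. The two components missing from the implicit report look identical to a consumer, yet the explicit report separates `libexample-net@3.0.1` (searched, nothing known) from `vendor-private-util@2.1.0` (never assessed), which is the gap a procurement or audit reviewer would want surfaced.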

SAG-PM™ can process both CDXVEX and SBOM VDR vulnerability reporting formats as part of a patent-pending software risk assessment process following NIST SP 800-161 Appendix F and the NIST Secure Software Development Framework guidelines, released on February 4, 2022. SAG-PM™ produces 13 evidence files during a risk assessment process, which include the software vulnerability disclosure report provided by a software vendor. This evidence data is stored for safekeeping and may be used during an audit event or during forensic analysis, in the event of a cyber-attack.

The SAG-PM™ software implements a “best of breed” architecture which enables REA to implement the very best technologies and methods available, within each risk assessment step, providing REA customers with the highest quality risk assessment solution available to meet Executive Order 14028 software supply chain risk management requirements and best practices. The CDXVEX format was announced along with CycloneDX SBOM version 1.4 in January 2022. The rapid support for CDXVEX within SAG-PM™ is proof of the speed with which SAG-PM™ can be updated to support new methods, due to the use of a modular “best of breed” architectural design. REA customers can rest assured knowing that SAG-PM™ has been designed to adapt and evolve in this rapid, ever-changing world of cybersecurity.

Never trust software, always verify and report! ™

Dick Brooks
Reliable Energy Analytics LLC
+1 978-696-1788