News from the Wire

Software bills of materials are the new security passport

Tuesday, November 04, 2025 — 17:37:50 (UTC)

Düsseldorf, November 4, 2025 – The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers and distributors of digital products with an internet connection must provide a Software Bill of Materials (SBOM). This will help to identify potential software vulnerabilities that could be exploited by hackers so that they can be remedied in a timely manner.

The CRA therefore requires a detailed list of all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems, without exception, including the exact version numbers of the individual components, information on the respective licenses, details of the authors, and an overview of all known vulnerabilities and security gaps. Many manufacturers struggle to meet these requirements, mainly because they do not receive complete information from their suppliers.

For this reason, many SBOMS are incomplete, outdated, or lack context regarding vulnerabilities. These incomplete and sometimes outdated Software Bills Of Materials are unusable for the mandatory documentation requirements imposed on manufacturers by EU regulations.

SBOM as the New Security Passport

The Düsseldorf-based cybersecurity company ONEKEY has now added a new feature to its platform that checks device software (firmware) for security vulnerabilities and enables the generation of so-called enriched SBOMs. These expanded Software Bills Of Materials contain all relevant information about vulnerabilities. The SBOMs generated in this way fully meet all industry requirements. As well as containing the vulnerabilities with risk classification, they also provide evidence and justifications in a single, easy-to-use file.

“This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment,” explained Jan Wendenburg, CEO of ONEKEY. He knows from many discussions with manufacturers: “The often complex supply chains and the frequent lack of understanding of EU-specific regulations among suppliers outside the European Union make it difficult to comply with the requirements of the Cyber Resilience Act.” According to ONEKEY, the new functionality is a significant step towards overcoming this hurdle.

Beyond Detection: Comprehensive Vulnerability Management

This latest feature forms part of an initiative to expand the ONEKEY platform, providing even better support for comprehensive software security vulnerability management. Until now, the platform has primarily focused on the detection of software vulnerabilities. “Identifying deficiencies is only the first step,” says Jan Wendenburg, “now we are taking further steps to relieve manufacturers as much as possible of time-consuming manual tasks and help them achieve CRA compliance.”

Automated workflows, contextual assessments, and audit-ready documentation will enable security and compliance teams to respond more quickly and act in a regulatory-compliant manner. “By enabling the platform to take on more and more routine tasks, we are giving specialists more time to focus on their most important task: maximizing the security of their devices, machines, and systems,” says Jan Wendenburg, says Jan Wendenburg, outlining the company’s strategy.

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated Software Bills of Materials (SBOMs) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.

Further information: ONEKEY GmbH, Sara Fortmann, email: sara.fortmann@onekey.com, Toulouser Allee 19A, 40211 Düsseldorf, Germany, web: onekey.com

PR Agency: euromarcom public relations GmbH, Mühlhohle 2, 65205 Wiesbaden, Germany, email: team@euromarcom.de, web: www.euromarcom.de

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.

Source: Company press release.

Categories: Reports and research