Cybersecurity Bill of Materials

Firmware components identification and safety assessment

Challenges

In today's world, where malware, ransomware and botnets appear overnight and within a week are able to paralyze the work of hospitals, offices and factories around the world, the question is how far we can trust software and hardware manufacturers when it comes to the security of their solutions. As practice shows, most attacks exploit vulnerabilities in open source components that are rarely updated, and vulnerabilities in the firmware of ICT, IoT and OT devices.

8% of enterprises are aware of and prepared to fight off attacks related to firmware vulnerabilities.

50% of companies that emphasize the security of the equipment they use have reported at least one incident related to infected firmware.

70%, at least, of companies do not pay attention to the security of their equipment and are considered unprepared for attacks coming from infected firmware.

HOW CAN WE HELP YOU?

Based on the source code, the firmware or just the device itself, we identify the third-party software components it uses, together with their versions and known vulnerabilities. We also evaluate and audit the security of closed, i.e. non-public, software components written by the application or device manufacturer. The analysis shows whether you can safely use the device in your infrastructure or install the application on a desktop or smartphone. When we find a vulnerability, we help in discussions with the manufacturer of the solution to prepare an appropriate security patch and propose corrective measures.

A Cybersecurity Bill of Materials is a list of all software components, with their versions, that make up the final product, application or device firmware.

If you provide us with:

source code – we will analyze your build system together with its configuration files, carry out a security audit using static and dynamic analysis methods, and perform a manual review,

device firmware – using reverse engineering techniques we will restore the contents of the file system, decompile executable files and libraries, and check configuration files and the software components used along with their versions. We will conduct the audit with an emphasis on proprietary software components introduced by the device manufacturer. We will also check the firmware for backdoors, undocumented users and embedded sensitive data (private and cryptographic keys),

device – our work will consist of disassembling the device, extracting data from non-volatile memory and bypassing the anti-reverse-engineering protections in use. As part of the audit, we will perform the firmware and source code analysis described above.
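As an added illustration, not the vendor's own tooling, the following Python sweep shows what the firmware checks above look like once the file system has been restored: it builds a minimal component inventory from shared-library file names (a simplified version heuristic), lists uid 0 accounts beyond root, and flags files carrying a PEM private-key header. The sample tree, library names and accounts are constructed.

```python
import os, re, tempfile
from pathlib import Path

# Heuristic: shared libraries are usually named libNAME.so.MAJOR.MINOR[.PATCH]
LIB_RE = re.compile(r"^lib([A-Za-z0-9_+-]+)\.so\.(\d+(?:\.\d+)*)$")
# PEM header that marks a private key stored inside the image
KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

def inventory_components(root):
    """Build the component list (a minimal CBOM) from shared-library file names."""
    found = {}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = LIB_RE.match(name)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def uid0_accounts(passwd_text):
    """Return every login with uid 0; anything besides root needs explaining."""
    fields = [line.split(":") for line in passwd_text.splitlines()]
    return [f[0] for f in fields if len(f) >= 3 and f[2] == "0"]

def find_private_keys(root):
    """Return root-relative paths of files carrying a PEM private-key header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if KEY_RE.search(fh.read(65536)):  # header sits near the start
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def audit(root):
    """Run the three checks over an extracted firmware root directory."""
    return {"components": inventory_components(root),
            "uid0_accounts": uid0_accounts(Path(root, "etc", "passwd").read_text()),
            "private_keys": find_private_keys(root)}

def build_sample_root():
    """Constructed sample firmware tree, not a real vendor image."""
    root = Path(tempfile.mkdtemp())
    for d in ("lib", "etc"):
        (root / d).mkdir()
    for lib in ("libssl.so.1.0.2", "libcurl.so.4.3.0"):
        (root / "lib" / lib).touch()
    (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsupport:x:0:0::/:/bin/sh\nnobody:x:99:99::/:/bin/false\n")
    (root / "etc" / "device.key").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\n(constructed body)\n")
    return str(root)
```

Calling `audit(build_sample_root())` reports the two libraries with their versions, the extra uid 0 account `support`, and `etc/device.key`; on a real image the inventory would be cross-checked against a vulnerability database.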

KEY BENEFITS

Reducing the risk of a potential cyber attack by:

building and managing a knowledge base of the components used in the software

component identification along with versions and existing vulnerabilities

ensuring compliance of the libraries used with the license conditions

identification of code fragments copied from open source projects

making informed decisions regarding software updates, or requiring the software manufacturer to prepare updates

the ability to monitor components for emerging vulnerabilities
