
The Cyber Resilience Act prohibits products with known security vulnerabilities.

In the USA alone, 14,286 CVEs have been published on the National Institute of Standards and Technology website so far in 2024. These Common Vulnerabilities and Exposures (CVEs) denote security vulnerabilities and other weaknesses in computer systems that can enable a hacker to launch an attack. Under the upcoming EU legislation, the Cyber Resilience Act (CRA), devices will soon no longer be allowed to be delivered with known exploitable vulnerabilities. If known and exploitable vulnerabilities do occur, manufacturers, sellers, or importers will be liable, both as companies and at the level of their entire management. When it comes to cyber resilience, it is clear that under the Cyber Resilience Act customers in both the private and industrial sectors will have an effective claim to secure software. However, the race to discover vulnerabilities first continues: companies are therefore well advised to introduce both efficient CVE detection and an impact assessment now, in order to better scrutinize their own products and to arm themselves against the serious consequences of vulnerability scenarios. "The CRA requires all manufacturers to conduct mandatory checks, monitoring, and documentation of product cybersecurity, including checking for unknown vulnerabilities, so-called 'zero-days'," says Jan Wendenburg, CEO of ONEKEY, a company specializing in cybersecurity based in Düsseldorf.

The term zero-day refers to a newly discovered security vulnerability that hackers can exploit; the name reflects the "zero days" a manufacturer or developer has had to fix the flaw. Many manufacturers or distributors have insufficient knowledge of the potential vulnerabilities in their own products, which can also be hidden, for example, in industrial control systems within supplier components that ship with their own firmware. In general, hardware and firmware, as well as all Internet of Things (IoT) devices, can be affected by such vulnerabilities. With the ONEKEY Compliance Wizard, the cybersecurity experts at ONEKEY offer a comprehensive cybersecurity assessment of products with digital elements. By combining automatic vulnerability detection, CVE prioritization, and filtering with a holistic, interactive compliance questionnaire, the effort and costs of cybersecurity compliance processes are significantly reduced, and the risk of impending fines is minimized. "Anyone who doesn't want to be at the front of the line for fines when the CRA starts on time needs to create processes now to analyze and patch their own risks," advises Jan Wendenburg from ONEKEY.

LabNews Media LLC
The Editors in Chief of labnews.ai are Marita Vollborn and Vlad Georgescu. They have been bestselling authors, science writers, and science journalists since 1994. More details about their writing are available at X-Press Journalistenbüro (https://xpress-journalisten.com). More info on Wikipedia: About Marita: https://de.wikipedia.org/wiki/Marita_Vollborn About Vlad: https://de.wikipedia.org/wiki/Vlad_Georgescu