Introducing Helm

What is Helm?

Helm is a Software Bill of Materials (SBOM) and vulnerability management tool that enables you to have full visibility over your entire software supply chain, as well as to understand and mitigate your risk, as a vital part of your cybersecurity risk management plan. Helm enables you to simultaneously track many different versions of software running in the field, which is critical for medical devices that have long lifetimes, where the software is often infrequently or inconsistently updated. Learn more about how Helm helps you meet FDA cybersecurity expectations.

Specifically designed to address FDA cybersecurity guidelines

Helm provides a host of features specifically designed to address the cybersecurity guidelines of the FDA:

  1. Vulnerability management: Helm helps medical device manufacturers (MDMs) implement robust plans for addressing post-market vulnerabilities. With its proactive approach, Helm identifies and manages potential risks before they pose significant threats. In the event of a major vulnerability like Log4Shell (Log4j) or WannaCry, Helm can determine which devices could be impacted within seconds.

  2. Software Bill of Materials (SBOM): Helm supports SBOMs produced by open source software (OSS) tools, by commercial software composition analysis (SCA) tools, and even SBOMs created manually. All SBOMs are organized in an intuitive UI to ensure full transparency about all components used in your medical device software, in compliance with FDA guidelines.

  3. Industry specific frameworks: MedCrypt has developed a Cybersecurity Quality tool that provides an easy to follow template and model implementation of a Secure Product Development Framework (SPDF).

  4. Broad software, firmware, and OS awareness: Helm provides visibility into both open source software (OSS) and commercial third party software. It supports tracking operating systems (OS), including real-time operating systems (RTOS), ensuring you have a comprehensive view of your software ecosystem.

  5. Compliant SBOM maintenance: With Helm, you can be assured that your SBOMs meet both the NTIA minimum elements for an SBOM and the FDA's cybersecurity requirements for human- and machine-readable formats.

Get started with Helm

You can upload an SBOM file, generate your SBOM from another file type, or create an SBOM manually. After you add your SBOM, Helm immediately begins to find matches from your software, which we call dependency components, matching the names you've provided for your software against known software in the National Vulnerability Database (NVD). If we find a match, you'll see a Matched status with matching tokens indicating how the match was made. If we find multiple exact matches, you can assess each match to determine which one fits your software. Refer to Matching statuses and rules for more information.

How do we identify matches in your SBOM to known software in the NVD?

In order to match the software in your SBOM to known software in the NVD, we normalize values (e.g., "windows10", "windows_10", and "win 10" will all be converted to the official value, such as Windows 10). If you see a status of Matched, that means that the dependency has an exact match in the NVD (once we have normalized values), including having an exact match on a CPE string, alias, dependency component name, or supported PURL package manager.

What matching sources do we use?

We leverage a number of sources, including CPE and PURL information you may have included in your SBOM file. We support the following Package URL (PURL) package managers: Cargo, NPM, NuGet, and PyPI. You and your team can also create aliases from your dependency component to particular known software in the NVD. These will be automatically matched going forward.
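The two sections above describe the order of matching sources and the normalization that precedes a name match. The following is an added illustration of that approach, not Helm's own code: the normalization rules, synonym table, status names and the small "known software" catalogue (with two hypothetical vendors, acme and globex, sharing a product name) are constructed stand-ins so the example runs offline.

```python
"""Illustrative SBOM-to-NVD matching in the style the page describes. This is
an added example, not Helm's own code: the normalisation rules, synonym table,
status names and the "known software" catalogue are constructed stand-ins."""
import re

# PURL package types the page lists as supported for matching.
SUPPORTED_PURL_TYPES = {"cargo", "npm", "nuget", "pypi"}

# Constructed stand-in for the NVD catalogue. Two entries deliberately share a
# display name so that a name-only match is ambiguous.
KNOWN_SOFTWARE = [
    {"id": "microsoft:windows_10", "name": "Windows 10",
     "cpe": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*", "purl": None},
    {"id": "lodash:lodash", "name": "lodash",
     "cpe": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "purl": "pkg:npm/lodash"},
    {"id": "apache:log4j", "name": "Apache Log4j",
     "cpe": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", "purl": None},
    {"id": "acme:http-client", "name": "http-client",            # hypothetical vendor
     "cpe": "cpe:2.3:a:acme:http-client:*:*:*:*:*:*:*:*", "purl": "pkg:pypi/http-client"},
    {"id": "globex:http-client", "name": "http-client",          # hypothetical vendor
     "cpe": "cpe:2.3:a:globex:http-client:*:*:*:*:*:*:*:*", "purl": "pkg:npm/http-client"},
]

# Token synonyms applied during normalisation (constructed; Helm's table is not published).
SYNONYMS = {"win": "windows", "ms": "microsoft"}


def normalize(name):
    """Lower-case, split on punctuation, separate a trailing number from a word
    ("windows10" -> "windows 10", but "log4j" stays intact), expand synonyms."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    out = []
    for tok in tokens:
        out.extend(re.sub(r"(?<=[a-z])(?=\d+$)", " ", tok).split())
    return " ".join(SYNONYMS.get(t, t) for t in out)


def cpe_key(cpe):
    """Reduce a CPE 2.3 string to part:vendor:product so a versioned CPE still matches."""
    parts = cpe.split(":")
    return ":".join(parts[2:5]) if len(parts) >= 5 else None


def purl_key(purl):
    """Strip version, qualifiers and subpath from a PURL; None when the type is unsupported."""
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("@")[0].split("?")[0].split("#")[0]
    return "pkg:" + body if body.split("/")[0].lower() in SUPPORTED_PURL_TYPES else None


def match_component(component, aliases=None):
    """Return (status, matching_token, candidate_ids) for one SBOM entry.

    Sources are tried in order: exact CPE, PURL (supported types only), a
    team-defined alias keyed by the normalized name, then the normalized name."""
    aliases = aliases or {}
    if component.get("cpe"):
        hits = [k["id"] for k in KNOWN_SOFTWARE if cpe_key(k["cpe"]) == cpe_key(component["cpe"])]
        if hits:
            return "Matched", "cpe", hits
    pk = purl_key(component.get("purl"))
    if pk:
        hits = [k["id"] for k in KNOWN_SOFTWARE if k["purl"] and purl_key(k["purl"]) == pk]
        if hits:
            return "Matched", "purl", hits
    norm = normalize(component["name"])
    if norm in aliases:
        return "Matched", "alias", [aliases[norm]]
    hits = [k["id"] for k in KNOWN_SOFTWARE if normalize(k["name"]) == norm]
    if len(hits) == 1:
        return "Matched", "name", hits
    if hits:
        return "Multiple matches", "name", hits   # needs human assessment
    return "Unmatched", None, []


if __name__ == "__main__":
    # Constructed SBOM entries exercising each matching source and the edge cases.
    sbom = [
        {"name": "win 10"},
        {"name": "Windows_10", "cpe": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "log4j-core", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "http-client"},
        {"name": "http-client", "purl": "pkg:npm/http-client@1.0.0"},
    ]
    team_aliases = {"log4j core": "apache:log4j"}
    for entry in sbom:
        print(entry.get("name"), "->", match_component(entry, team_aliases))
```

Two edge cases are worth noting. A Maven PURL is not in the supported list, so `log4j-core` falls through to name matching and stays Unmatched until the team records an alias; and a bare name shared by two catalogue entries yields several exact matches, which is the case the page says you must assess yourself, while supplying the PURL resolves it automatically.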

Understand your current vulnerability risk

Helm returns the Common Vulnerability Scoring System (CVSS) score attributed to each vulnerability (both CVSS v2.0 and v3.x). CVSS is a public framework for rating the severity of software vulnerabilities, so that manufacturers are consistent in their scoring methodology. A Base score is computed from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability); Temporal and Environmental metrics can then adjust it for the current state of exploit code and remediation, and for the context in which the software is deployed. Scores range from 0 to 10, with 0 the least severe and 10 the most severe. Refer to the What scoring system does Helm use for vulnerabilities? section for more information on how we use CVSS, and to FIRST (first.org) and NIST for more detailed information on CVSS itself.

Monitoring new vulnerabilities

Helm facilitates continuous monitoring for new vulnerabilities, highlighting those with available exploits or malware kits. It also suggests Windows KB updates for resolution (specific to Windows operating systems) and provides updates from the National Vulnerability Database (NVD).

Rescore vulnerabilities individually or in bulk

You can create rescore profiles to rescore the CVSS 3.x score for all vulnerabilities across a product version. You can also rescore individual vulnerabilities. As you assess and set these metrics, you'll see the rescored value and CVSS vector string updating accordingly.

Monitor your overall security posture

Our dashboard provides a high-level overview of all of your products and vulnerabilities. Keep track of how many products and versions you have and how many have SBOMs. You can view total dependency components and vulnerabilities across products or per product, as well as zero in on critical vulnerabilities and those that have not yet been remediated. You can also view your top 5 impacted products and most vulnerable dependency components.

Stay on top of new vulnerabilities

Never get caught unawares with our vulnerability email notification system. You can get daily, weekly, or monthly email digests.

Search vulnerabilities and dependency components across your products

After creating your SBOM, you can quickly check on whether a particular vulnerability impacts your software supply chain, then jump to impacted products. You can also check which of your products contain a particular dependency component, such as the Windows 10 operating system, then assess which vulnerabilities impact that dependency component.

Search vulnerabilities for a particular CVSS score range across your products

You can search for vulnerabilities with a CVSS score at or above a particular value, enabling you to focus on mitigating your most critical vulnerabilities first.

Patch Windows operating systems

For any products you have that are running a Windows operating system, you can apply Windows KBs to each of your product versions. For any vulnerabilities associated with a Windows operating system, you'll see suggested KB updates that you can apply to resolve each vulnerability. Alternatively, you can collect the KB updates to create tickets for your team to address for your next release. You can also track which KBs have been applied to the digital version of your physical test device, so you can keep the two in sync.

Export vulnerabilities

Helm provides two ways to export vulnerabilities. You can either export all of your known vulnerabilities to a CSV file, or you can export your entire enhanced SBOM, including vulnerabilities, to a CycloneDX SBOM file in JSON format.
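For teams that consume these exports downstream, the following added example (not Helm's exporter) shows the shape of a CycloneDX 1.5 JSON SBOM that carries vulnerability findings, the flat CSV view derived from it, and a consumer-side check for unremediated findings at or above a CVSS score, mirroring the dashboard and search views described earlier. The product, components and the second finding are constructed; CVE-2021-44228 and its vector are real. The component types, `ratings.method` values and `analysis.state` values used are those defined by the CycloneDX 1.5 schema.

```python
"""Shape of an 'enhanced' CycloneDX 1.5 JSON SBOM that carries vulnerability
findings, plus a flat CSV view. Added illustration of the two export formats the
page names; it is not Helm's exporter. Product, components and EXAMPLE-0002 are
constructed; the Log4Shell CVE and its vector are real."""
import csv
import io
import json


def severity(score):
    """CVSS v3.x qualitative rating for a numeric score."""
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def build_cyclonedx(product, version, components, findings):
    """components: dicts with type/name/version and an optional purl.
    findings: dicts with id/score/vector/affects (a component name)/state,
    where state is a CycloneDX analysis state such as exploitable or resolved."""
    refs = {c["name"]: f"{c['name']}@{c['version']}" for c in components}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "device", "name": product, "version": version}},
        "components": [
            {"type": c["type"], "name": c["name"], "version": c["version"],
             "bom-ref": refs[c["name"]], **({"purl": c["purl"]} if c.get("purl") else {})}
            for c in components],
        "vulnerabilities": [
            {"id": f["id"],
             "source": {"name": "NVD"},
             "ratings": [{"score": f["score"], "severity": severity(f["score"]),
                          "method": "CVSSv31", "vector": f["vector"]}],
             "analysis": {"state": f["state"]},
             "affects": [{"ref": refs[f["affects"]]}]}   # bom-ref links finding to component
            for f in findings],
    }


def to_csv(bom):
    """One row per (vulnerability, affected component), like a flat vulnerability export."""
    by_ref = {c["bom-ref"]: c for c in bom["components"]}
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["vulnerability", "score", "severity", "vector", "component", "component_version", "state"])
    for v in bom["vulnerabilities"]:
        r = v["ratings"][0]
        for a in v["affects"]:
            c = by_ref[a["ref"]]
            w.writerow([v["id"], r["score"], r["severity"], r["vector"], c["name"], c["version"],
                        v["analysis"]["state"]])
    return out.getvalue()


def unremediated(bom, min_score=0.0):
    """IDs of findings not yet closed out, at or above a CVSS score."""
    closed = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}
    return [v["id"] for v in bom["vulnerabilities"]
            if v["analysis"]["state"] not in closed and v["ratings"][0]["score"] >= min_score]


# Constructed product version and findings.
COMPONENTS = [
    {"type": "operating-system", "name": "Windows 10", "version": "1809"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]
FINDINGS = [
    {"id": "CVE-2021-44228", "score": 10.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
     "affects": "log4j-core", "state": "exploitable"},
    {"id": "EXAMPLE-0002", "score": 5.3, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
     "affects": "Windows 10", "state": "resolved"},   # hypothetical finding
]

if __name__ == "__main__":
    bom = build_cyclonedx("example-device-controller", "3.2.0", COMPONENTS, FINDINGS)
    print(json.dumps(bom, indent=2))
    print(to_csv(bom))
    print("open, critical:", unremediated(bom, min_score=9.0))
```

The `bom-ref` on each component is what ties a finding in `vulnerabilities[].affects` back to the component, so a consumer should resolve findings through that reference rather than by name, which is not unique once several versions of the same component are present.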

© Copyright MedCrypt 2023, All rights reserved.