Introducing Helm
© Copyright MedCrypt 2024, All rights reserved.
Helm is a comprehensive Software Bill of Materials (SBOM) and vulnerability management tool designed to give you full visibility over your software supply chain and to help you manage cybersecurity risk effectively. Helm is built especially for medical device manufacturers (MDMs), whose devices often have long lifespans and receive infrequent updates, so that they can identify and remediate medical device risk effectively. It enables you to track multiple software versions across devices, helping you comply with FDA cybersecurity guidance. Learn more about how Helm helps you meet FDA cybersecurity expectations.
Helm provides a host of features specifically designed to address the cybersecurity guidelines of the FDA:
Vulnerability management: Helm helps MDMs implement robust plans for addressing post-market vulnerabilities. With its proactive approach, Helm identifies and manages potential risks before they become significant threats. In the event of a widely exploited vulnerability such as Log4j or WannaCry, Helm can determine within seconds which of your devices could be impacted.
Software Bill of Materials (SBOM): Helm supports SBOMs from open source software (OSS), commercial software composition analysis (SCA) tools, and even manually created SBOMs. All SBOMs are organized in an intuitive UI to ensure full transparency about all components used in your medical device software, in compliance with FDA guidelines.
Industry specific frameworks: MedCrypt has developed a Cybersecurity Quality tool that provides an easy to follow template and model implementation of a Secure Product Development Framework (SPDF).
Broad software, firmware, and OS awareness: Helm provides visibility into both open source software (OSS) and commercial third party software. It supports tracking operating systems (OS), including real-time operating systems (RTOS), ensuring you have a comprehensive view of your software ecosystem.
Compliant SBOM maintenance: With Helm, you can be assured that your SBOMs meet both the NTIA minimum elements for an SBOM and the FDA's cybersecurity requirements for human- and machine-readable formats.
You can upload an SBOM file, generate your CycloneDX SBOM or SPDX SBOM, or create an SBOM manually. After you add your SBOM, Helm immediately begins matching each entry in it, which we call a dependency component, against known software in the National Vulnerability Database (NVD), using the names you've provided for your software. If we find a match, you'll see a Matched status with matching badges indicating how the match was made. If we find multiple matches, you can assess each match to determine which one fits your software. Refer to Resolve match statuses for more information.
In order to match the software in your SBOM to known software in the NVD, we normalize values (e.g., "windows10", "windows_10", and "win 10" will all be converted to the official value, such as Windows 10). A status of Matched means that the dependency has an exact match in the NVD (once values have been normalized), including an exact match on a CPE string, an alias, the dependency component name, or a supported PURL package manager.
We leverage a number of sources, including CPE and PURL information you may have included in your SBOM file. We support several Package URL (PURL) package managers, including Cargo, NPM, NuGet, and PyPI. You and your team can also create aliases from your dependency component to particular known software in the NVD. These will be automatically matched going forward.
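The matching sources described above (a CPE string carried in the SBOM, a PURL for a supported package manager, a team-created alias, and the normalized component name) can be modelled in a few dozen lines. The following is an added example, not Helm's code: the catalogue of CPE strings, the PURL mapping, the abbreviation table and the SBOM entries are all constructed here to stand in for NVD data, the precedence between the four sources and the name-normalization heuristic (underscore before trailing digits, expansion of a few abbreviations) are assumptions, and the "Matched" / "Multiple" / "Unmatched" statuses follow the page's own wording.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the NVD CPE dictionary (not real NVD data). Only the
# vendor (field 3) and product (field 4) of each CPE 2.3 string are matched on.
CATALOGUE = [
    "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:lodash:lodash:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:tokio:tokio:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:nlohmann:json:*:*:*:*:*:*:*:*",         # two products called "json":
    "cpe:2.3:a:jsoncpp_project:json:*:*:*:*:*:*:*:*",  # a name-only match is ambiguous
]
# Constructed map from version-less PURL to CPE for the package managers the page
# lists as supported; anything else falls through to the name-based match.
PURL_TO_CPE = {
    "pkg:npm/lodash": CATALOGUE[2],
    "pkg:cargo/tokio": CATALOGUE[3],
}
SUPPORTED_PURL_TYPES = {"cargo", "npm", "nuget", "pypi"}
ABBREVIATIONS = {"win": "windows", "ms": "microsoft"}  # assumed expansion table


def normalize(name: str) -> str:
    """Canonicalise a product name so that 'Windows10', 'windows_10' and 'win 10'
    all become 'windows_10'. Heuristic assumed for this example."""
    s = name.strip().lower()
    s = re.sub(r"(?<=[a-z])(\d+)$", r"_\1", s)     # windows10 -> windows_10 (log4j untouched)
    s = re.sub(r"[^a-z0-9]+", "_", s).strip("_")  # spaces, dots, hyphens -> a single '_'
    return "_".join(ABBREVIATIONS.get(tok, tok) for tok in s.split("_"))


def cpe_vendor_product(cpe: str) -> tuple:
    parts = cpe.split(":")
    return parts[3], parts[4]


@dataclass
class Component:
    name: str
    version: str = ""
    vendor: str = ""
    cpe: str = ""
    purl: str = ""


@dataclass
class MatchResult:
    status: str                                     # "Matched", "Multiple" or "Unmatched"
    badges: list = field(default_factory=list)      # how the match was made
    candidates: list = field(default_factory=list)  # catalogue CPEs that matched


def match(component: Component, aliases: dict = None) -> MatchResult:
    """Match one SBOM entry against the catalogue. Assumed precedence:
    CPE in the SBOM > supported PURL > team alias > normalised name (+ vendor)."""
    aliases = aliases or {}
    if component.cpe:
        want = cpe_vendor_product(component.cpe)
        hits = [c for c in CATALOGUE if cpe_vendor_product(c) == want]
        if hits:
            return MatchResult("Matched", ["cpe"], hits)
    if component.purl.startswith("pkg:"):
        ptype = component.purl[4:].split("/", 1)[0]
        base = component.purl.split("@", 1)[0].split("?", 1)[0]  # drop version/qualifiers
        if ptype in SUPPORTED_PURL_TYPES and base in PURL_TO_CPE:
            return MatchResult("Matched", ["purl"], [PURL_TO_CPE[base]])
    key = normalize(component.name)
    if key in aliases:
        return MatchResult("Matched", ["alias"], [aliases[key]])
    hits = [
        c for c in CATALOGUE
        if normalize(cpe_vendor_product(c)[1]) == key
        and (not component.vendor
             or normalize(cpe_vendor_product(c)[0]) == normalize(component.vendor))
    ]
    if len(hits) == 1:
        return MatchResult("Matched", ["name"], hits)
    if hits:
        return MatchResult("Multiple", ["name"], hits)  # an analyst must pick one
    return MatchResult("Unmatched")


if __name__ == "__main__":
    # Constructed SBOM entries, one per matching path.
    sbom = [
        Component("Win 10", "22H2"),
        Component("lodash", "4.17.20", purl="pkg:npm/lodash@4.17.20"),
        Component("tokio", "1.0", purl="pkg:maven/x/tokio@1.0"),  # unsupported PURL type
        Component("OpenSSL", "1.1.1k", cpe="cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"),
        Component("json", "3.11"),
    ]
    for comp in sbom:
        r = match(comp)
        print(f"{comp.name:10} {r.status:10} {r.badges} {r.candidates}")
    # A team alias resolves the ambiguous "json" entry on every later upload.
    print(match(Component("json"), {"json": CATALOGUE[4]}).badges)
```

The point worth noticing is the "json" entry: a bare component name is often not enough to pick one CPE, which is why a CPE or PURL in the generated SBOM gives a more reliable match than a name, and why an alias created once keeps the ambiguity from coming back with the next SBOM upload.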
Helm returns the Common Vulnerability Scoring System (CVSS) score attributed to each vulnerability (both CVSS 2.0 and 3.x). CVSS is a public framework for rating the severity of software vulnerabilities, which keeps manufacturers consistent in their scoring methodology. A vulnerability's Base score is calculated from its exploitability and impact metrics; optional Temporal metrics adjust it for the current state of exploit code, remediation and report confidence, and Environmental metrics adjust it for the environment the software is deployed in. Scores range from 0 (least severe) to 10 (most severe). Refer to the What scoring system does Helm use for vulnerabilities? section for more information on how we use CVSS, and to first.org and NIST for detailed information on CVSS itself.
Helm facilitates continuous monitoring for new vulnerabilities, highlighting those with available exploits or malware kits. It also suggests Windows KB updates for resolution (specific to Windows operating systems) and provides updates from the National Vulnerability Database (NVD).
You can create rescore profiles to rescore the CVSS 3.x score for all vulnerabilities across a product version, or rescore individual vulnerabilities. As you assess and set the rescore metrics, the rescored value and the CVSS vector string update accordingly.
Our dashboard provides a high-level overview of all of your products and vulnerabilities. Keep track of how many products and versions you have and how many have SBOMs. You can view total dependency components and vulnerabilities across products or per product, and zero in on critical vulnerabilities and those that have not yet been remediated. You can also view your top 5 impacted products and most vulnerable dependency components.
Never get caught unawares with our vulnerability email notification system. You can get daily, weekly, or monthly email digests.
After creating your SBOM, you can quickly check on whether a particular vulnerability impacts your software supply chain, then jump to impacted products. You can also check which of your products contain a particular dependency component, such as the Windows 10 operating system, then assess which vulnerabilities impact that dependency component.
You can search vulnerabilities with CVSS scores that include or exceed a particular value, enabling you to focus on mitigating your most critical vulnerabilities first.
For any products you have that run a Windows operating system, you can apply Windows KBs to each of your product versions. For any vulnerability associated with a Windows operating system, you'll see suggested KB updates that you can apply to resolve it. Alternatively, you can collect the KB updates to create tickets for your team to address in your next release. You can also track which KBs have been applied to the digital version of your physical test device, so you can keep the two in sync.
Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed. For each dependency component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the dependency component details panel.
Get the MedCrypt advantage with the only FDA expert-crafted SBOM report that ensures you meet FDA SBOM requirements. We also provide a suite of other reports, including Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Report (VDR), so you can export exactly what you need to meet regulatory requirements.
Helm provides two ways to export vulnerabilities. You can either export all of your known vulnerabilities to a CSV file, or you can export your enriched SBOM, including vulnerabilities, to a CycloneDX or SPDX JSON file.