Helm is a Software Bill of Materials (SBOM) and vulnerability management tool that gives you full visibility over your entire software supply chain and helps you understand and mitigate your risk, as a vital part of your cybersecurity risk management plan. Helm enables you to simultaneously track many different versions of software running in the field, which is critical for medical devices that have long lifetimes, where the software is often infrequently or inconsistently updated. Learn more about how Helm helps you meet FDA cybersecurity expectations.
Helm provides a host of features specifically designed to address the cybersecurity guidelines of the FDA:
1. Vulnerability management: Helm helps MDMs implement robust plans for addressing post-market vulnerabilities. With its proactive approach, Helm identifies and manages potential risks before they pose significant threats. In the event of a major vulnerability like Log4j or WannaCry, Helm can determine which devices could be impacted within seconds.
2. Software Bill of Materials (SBOM): Helm supports SBOMs from open source software (OSS), commercial software composition analysis (SCA) tools, and even manually created SBOMs. All SBOMs are organized in an intuitive UI to ensure full transparency about all components used in your medical device software, in compliance with FDA guidelines.
3. Industry-specific frameworks: MedCrypt has developed a Cybersecurity Quality tool that provides an easy-to-follow template and model implementation of a Secure Product Development Framework (SPDF).
4. Broad software, firmware, and OS awareness: Helm provides visibility into both open source software (OSS) and commercial third-party software. It supports tracking operating systems (OS), including real-time operating systems (RTOS), ensuring you have a comprehensive view of your software ecosystem.
5. Compliant SBOM maintenance: With Helm, you can be assured that your SBOMs meet both NTIA minimum requirements and the FDA's cybersecurity requirements for human- and machine-readable formats.
You can upload an SBOM file, generate your SBOM from another file type, or create an SBOM manually. After you add your SBOM, Helm immediately begins matching your software components, which we call dependency components, against known software in the National Vulnerability Database (NVD), using the names you've provided. If we find a match, you'll see a Matched status with matching tokens indicating how the match was made. If we find multiple exact matches, you can assess each match to determine which one fits your software. Refer to Matching statuses and rules for more information.
In order to match the software in your SBOM to known software in the NVD, we normalize values (e.g., "windows10", "windows_10", and "win 10" will all be converted to the official value, such as Windows 10). If you see a status of Matched, that means that the dependency has an exact match in the NVD (once we have normalized values), that is, an exact match on a CPE string, an alias, a dependency component name, or a supported PURL package manager.
We leverage a number of sources, including CPE and PURL information you may have included in your SBOM file. We support the following Package URL (PURL) package managers: Cargo, NPM, NuGet, and PyPI. You and your team can also create aliases from your dependency component to particular known software in the NVD. These will be automatically matched going forward.
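The matching flow described above (CPE, PURL for the supported package managers, team aliases, then normalized names, with a multiple-match outcome when normalization alone is ambiguous), as an added illustration that is not Helm's code or data: the KNOWN catalog, the abbreviation table, and the vendor_a/vendor_b CPE prefixes are constructed stand-ins for NVD entries.

```python
import re

# Constructed stand-in for NVD entries (canonical name, version-less CPE prefix, PURL (type, name) or None).
KNOWN = [
    {"name": "Windows 10", "cpe": "cpe:2.3:o:microsoft:windows_10", "purl": None},
    {"name": "Windows 11", "cpe": "cpe:2.3:o:microsoft:windows_11", "purl": None},
    {"name": "Requests", "cpe": "cpe:2.3:a:vendor_a:requests", "purl": ("pypi", "requests")},
    {"name": "requests", "cpe": "cpe:2.3:a:vendor_b:requests", "purl": ("npm", "requests")},
]
SUPPORTED_PURL_TYPES = {"cargo", "npm", "nuget", "pypi"}  # the package managers the page lists
ABBREV = {"win": "windows", "ms": "microsoft"}  # constructed abbreviation table

def normalize(name):
    """Split into lower-case word/number tokens: 'windows10', 'windows_10', 'win 10' -> ('windows', '10')."""
    return tuple(ABBREV.get(t, t) for t in re.findall(r"[a-z]+|\d+", name.lower()))

def parse_purl(purl):
    """(type, name) of a Package URL such as pkg:pypi/requests@2.31.0; namespace and qualifiers are ignored."""
    if not purl.startswith("pkg:"):
        return None
    ptype, _, rest = purl[4:].split("?")[0].partition("/")
    return ptype.lower(), rest.rsplit("/", 1)[-1].split("@")[0].lower()

def match(component, aliases=None):
    """Return (status, matching_tokens, hits) for a component dict with 'name' and optional 'cpe'/'purl'.
    aliases maps a component name to a canonical KNOWN name. Order: CPE, PURL, alias, normalized name."""
    aliases = aliases or {}
    if component.get("cpe"):  # exact CPE match on the vendor:product prefix, version stripped
        prefix = ":".join(component["cpe"].split(":")[:5])
        if hits := [k for k in KNOWN if k["cpe"] == prefix]:
            return "Matched", ("cpe", prefix), hits
    if component.get("purl"):  # PURL match only for the supported package managers
        p = parse_purl(component["purl"])
        if p and p[0] in SUPPORTED_PURL_TYPES and (hits := [k for k in KNOWN if k["purl"] == p]):
            return "Matched", ("purl",) + p, hits
    if component["name"] in aliases:  # team-created alias
        if hits := [k for k in KNOWN if k["name"] == aliases[component["name"]]]:
            return "Matched", ("alias", aliases[component["name"]]), hits
    tokens = normalize(component["name"])  # fall back to the normalized name
    hits = [k for k in KNOWN if normalize(k["name"]) == tokens]
    if len(hits) == 1:
        return "Matched", ("name",) + tokens, hits
    if hits:
        return "Multiple matches", ("name",) + tokens, hits
    return "Unmatched", (), []
```

An unsupported PURL type (for example pkg:maven/...) is ignored rather than matched, so such a component falls back to the name rules and can end up ambiguous.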
Helm returns the Common Vulnerability Scoring System (CVSS) scores attributed to vulnerabilities (both CVSS 2.0 and 3.0). CVSS is a public framework for rating the severity of cybersecurity software vulnerabilities, ensuring that manufacturers are consistent in their scoring methodology. These scores are calculated using a formula of Base, Temporal, and Environmental factors to assess the exploitability of a vulnerability. Scores range from 0 to 10, with 0 being least severe and 10 most severe. Refer to the section What scoring system does Helm use for vulnerabilities? for more information on how we use CVSS, and to first.org and NIST for more detailed information on CVSS itself.
You can create rescore profiles to rescore the CVSS 3.x score for all vulnerabilities across a product version. You can also rescore individual vulnerabilities. As you assess and set these metrics, you'll see the rescored value and CVSS vector string updating accordingly.
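Rescoring as described above, as an added example that is not Helm's code: a CVSS 3.1 calculator implementing the Base, Temporal and Environmental formulas of the FIRST specification, so you can see how setting a Modified metric (here MAV:P, a physical attack vector) or Temporal metrics changes the score a vector string yields. Metric weights are those of the specification; the vector strings in the test are constructed.

```python
import math
W = {  # metric weights from the CVSS v3.1 specification (Table 8); PR weights depend on Scope
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
}

def roundup(x):
    """Round up to one decimal exactly as the v3.1 spec defines it (avoids float artefacts)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _score(av, ac, pr, ui, scope_changed, c, i, a, req=(1.0, 1.0, 1.0), env=False):
    """Shared core of the Base and Environmental formulas; env=True selects the Modified variants."""
    iss = 1 - (1 - req[0] * c) * (1 - req[1] * i) * (1 - req[2] * a)
    if env:
        iss = min(iss, 0.915)
    if not scope_changed:
        impact = 6.42 * iss
    elif env:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * av * ac * pr * ui
    return roundup(min((1.08 if scope_changed else 1.0) * (impact + expl), 10))

def score(vector):
    """(base, environmental) for a CVSS 3.1 vector; both are equal when no M*/CR/IR/AR/E/RL/RC metrics are set."""
    parts = vector.split("/")
    assert parts[0] == "CVSS:3.1", "only CVSS 3.1 vectors are handled here"
    m = dict(p.split(":") for p in parts[1:])
    g = lambda k: m.get(k, "X")
    mod = lambda k: m[k] if g("M" + k) == "X" else m["M" + k]  # an unset Modified metric inherits the base value
    def core(v, env):
        sc = v("S") == "C"
        pr = (W["PR_C"] if sc else W["PR"])[v("PR")]
        req = (W["REQ"][g("CR")], W["REQ"][g("IR")], W["REQ"][g("AR")]) if env else (1.0, 1.0, 1.0)
        return _score(W["AV"][v("AV")], W["AC"][v("AC")], pr, W["UI"][v("UI")], sc,
                      W["CIA"][v("C")], W["CIA"][v("I")], W["CIA"][v("A")], req, env)
    base, env = core(lambda k: m[k], False), core(mod, True)
    temporal = W["E"][g("E")] * W["RL"][g("RL")] * W["RC"][g("RC")]
    return base, (roundup(env * temporal) if env > 0 else 0.0)
```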
Our dashboard provides a high-level overview of all of your products and vulnerabilities. You can view your top 5 impacted products and top 5 most vulnerable dependency components. You can also filter to vulnerabilities within a particular date range.
After creating your SBOM, you can quickly check on whether a particular vulnerability impacts your software supply chain, then jump to impacted products. You can also check which of your products contain a particular dependency component, such as the Windows 10 operating system, then assess which vulnerabilities impact that dependency component.
For any products you have that are running a Windows operating system, you can apply Windows KBs to each of your product versions. For any vulnerabilities associated with a Windows operating system, you'll see suggested KB updates that you can apply to resolve each vulnerability. Alternatively, you can collect the KB updates to create tickets for your team to address in your next release. You can also track which KBs have been applied to the digital version of your physical test device, so you can keep the two in sync.
Helm provides two ways to export vulnerabilities. You can either export all of your known vulnerabilities to a CSV file, or you can export your entire enhanced SBOM, including vulnerabilities, to a CycloneDX SBOM file in JSON format.