Vulnerability Management
Manual for the vulnerability management using Ketryx Software Supply Chain Management
1. Introduction
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. The process is a continuous cycle of discovery, prioritization, and remediation. Vulnerability management is integral to computer security and network security.
When developing medical devices following IEC 62304, vulnerability management becomes even more crucial. Medical devices often rely on Software of Unknown Provenance (SOUP) and Off-the-shelf (OTS) software components and dependencies, making them vulnerable to security risks. Proper vulnerability management ensures that potential vulnerabilities are identified and addressed, reducing the risk of security breaches and ensuring the safety and effectiveness of the medical devices.
Ketryx Software Supply Chain Management offers a vulnerability management module designed to assist users in monitoring vulnerabilities within their software supply chain. This module presents a centralized view of all vulnerabilities in the software supply chain, aiding users in prioritizing and remedying them.
1.1. Purpose
The purpose of this document instruct users on how to use the Vulnerability management module in Ketryx Software Supply Chain Management to manage vulnerabilities in the software supply chain.
1.2. Scope
This document describes the features and functionality of the Vulnerability management module in Ketryx Software Supply Chain Management.
2. Terms and definitions
The definitions of this document conform to the ones of ISO/IEC 27001, ANSI/AAMI SW96:2023, and AAMI TIR57:2016/(R)2019.
3. Project setup
To use the Vulnerability management module, you need to have a project set up in Ketryx Software Supply Chain Management. If you don't have a project set up, follow the instructions in MAN-03, section 3.
Once you have a project set up, you can start using the Vulnerability management module. The module is available in the SBOM > Vulnerabilities section of the project.
4. Manage vulnerabilities
The Manage vulnerabilities (available in the SBOM > Vulnerabilities section of the project) screen displays a list of all identified vulnerabilities in the software supply chain of the project. It is also possible to create, edit, and manage vulnerability impact assessments on this screen.
If the project contains transitive dependencies, the vulnerabilities of the transitive dependencies are also displayed. The vulnerabilities of the transitive dependencies can be expanded to view more information. For transitive dependency support, please refer to MAN-03, section 12 as well as the manual on Working with SPDX.
The vulnerabilities list displays the following information for each identified vulnerability:
Title: The title of the vulnerability. Below the title, the vulnerable SOUP or OTS component is displayed. Clicking on the SOUP/OTS component will take you to the detail screen, where you can view more information about the component.
Reported on: The date the vulnerability was reported
Severity/Score: The severity of the vulnerability and its score
Risks: The number of risks associated with the vulnerability, if any
Mitigations: The number of mitigations associated with the vulnerability, if any
Resolution: The resolution status of the vulnerability impact assessment
Status: The status of the vulnerability
Expand: Clicking on the expand icon will display more information about the vulnerability, such as the description, the affected version, etc. and if available, the vulnerability impact assessment
Columns can be sorted, filtered, resized and rearranged to suit your needs.
When hovering over a column header, an arrow icon will appear. Clicking on the arrow will sort the column in ascending or descending order.
To rearrange columns, click and drag the column header to the desired position.
To resize a column, hover over the right edge of the column header until the resize icon appears, then click and drag the edge to the desired width. Double-clicking on the edge will automatically resize the column to fit the content.
To filter, hide, or pin a column, hover over a column click on the three-dot (︙) icon in the column header and select the desired options.
5. Vulnerability impact assessment
The Vulnerability impact assessment is a detailed analysis of the impact of a vulnerability on the product. It includes information about the affected components, the potential risks, and the mitigations that can be taken to reduce the impact of the vulnerability.
It is available for each identified vulnerability. To view the Vulnerability impact assessment, click on the expand icon in the Vulnerabilities list.
The Vulnerability impact assessment functionality is only available to users with the necessary permissions and approval rules. If you don't have the necessary permissions, contact your organization's administrator.
The required permission is Edit dependency which can be found on the Settings > Permissions page of a project.
Approval rules can be set up on the Settings > Approval rules page of a project.
5.1. Creating a vulnerability impact assessment
To create a vulnerability impact assessment, select one or more vulnerabilities from the Vulnerabilities list and click on the Create impact assessment button. This will open a dialog where you can fill in the details of the impact assessment.
At the top of the dialog, a list of the selected vulnerabilities is displayed. Below the list, details of the impact assessment, such rationales, justifications, potential risks, and mitigations that can be taken to reduce the impact of the vulnerability, can be filled in.
By default, the following fields are available:
Resulution: The resolution status of the vulnerability impact assessment. This field serves to quickly identify the status of the impact assessment, e.g. if a vulnerability is not relevant or exploitable.
Justification for resolution: A justification for the resolution status.
Connected risks: A list of risks connected to the vulnerability. New risks can be added by using the Risk management module, see MAN-08 Risk Management
Rationale for connecting risks: A rationale for connecting the risks.
Connect mitigations: A list of mitigations connected to the vulnerability. By default, any item type but the Risk item type are available. To limit the available item types, the Settings > Advanced page of a project should be visited.
Rationale for connecting mitigations: A rationale for connecting the mitigations.
The vulnerability impact assessment dialog allows customization of all fields to align with your organization's requirements.
For example, the values of the Resolution field can be customized to match your organization's resolution statuses.
Additionally, the text fields can be renamed and additional ones can be added or removed, e.g. if more than one (or none) is required for the Connect risks section.
To customize the fields and for an overview about what can be configured, the Settings > Advanced page of a project should be visited.
Documentation for the advanced settings for the vulnerability impact assessment module can be found here.
5.2. Editing a vulnerability impact assessment
To edit a vulnerability impact assessment, select a vulnerability with an existing assessment in the Vulnerabilities list. Then, click on the Edit vulnerability impact assessment button. This will open a dialog where you can edit the details of the impact assessment.
Currently, impact assessments can only be edited one-by-one.
6. Download the vulnerability report
The Vulnerability Report can either be generated and downloaded as a release document (as described in MAN-02 Software Release Process, Section 3.9), or generated on demand for a selected version on the SBOM > Vulnerabilies page. The document will be generated an Excel file and will contain the following data:
Title: The title of the vulnerability
Severity: The severity of the vulnerability
Score: The score of the vulnerability
Ecosystem: The ecosystem of the vulnerability
Dependency: The dependency which is affected by the vulnerability
Affected versions: The affected versions of the dependency
Used dependency versions: The versions of the dependency used in the project
Reported on: The date the vulnerability was reported
CVE ID: The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability
Description: The description of the vulnerability
URLs: The URLs related to the vulnerability
Status: The status of the vulnerability
Connected risks: URLs to the connected risks
Connected mitigations: URLs to the connected mitigations
Resolution: The resolution status of the vulnerability impact assessment
Justification for resolution: A justification for the resolution status
Rationale for connecting risks: A rationale for connecting the risks
Rationale for connecting mitigations: A rationale for connecting the mitigations
The generated document aims to replicate the Manage vulnerabilities page content as closely as possible as the format permits. This includes any additional, removed or renamed fields configured for the vulnerability impact assessment.
In case a cell exceeds the limit of characters for a single cell in Excel (32,767 characters), the content will be split into multiple cells, spanning multiple rows.
7. Vulnerability management of an individual SOUP/OTS component/dependency
To manage the vulnerabilities of an individual SOUP/OTS component/dependency, navigate to the SBOM page of the project and click the dependency you want to manage. On its details page, click on the Vulnerabilities tab. There, the same functionality as on the Vulnerabilities page is available, but only for the selected dependency, listing only the vulnerabilities of the selected dependency.
Similarly, on the SBOM > Vulnerabilities page the dependency details page can be reached by clicking on the dependency name below the vulnerability title in the Vulnerabilities list.
Last updated
