April 24, 2024
Helm, developed by Medcrypt, emerges as a robust and precise SBOM (Software Bill of Materials) and Vulnerability Management Tool tailored to identify potential security risks. By leveraging Helm, Product Security Managers and Developers can streamline their focus towards refining their products and services, rather than delving into the intricate details of the third-party software they depend on. In this case study, we delve into a comparative analysis between Helm and a comparable tool, examining their efficacy in detecting vulnerabilities and mitigating risks.
For this case study, we utilized an SBOM from a Linux-based medical device to evaluate the efficacy of Helm in vulnerability detection. We found that Helm performed admirably, identifying 55 valid CVEs that posed risks to the device, aligning closely with the results obtained by the other tool. However, Helm demonstrated a significantly lower rate of false positives compared to its counterpart.
In the comparison, we observed that the other tool returned an overwhelming number of false positives, with 74% of the 215 CVEs it identified being irrelevant to the SBOM. This discrepancy can be attributed to the loose matching of dependencies by the other tool, resulting in inaccuracies in CVE identification. Conversely, Helm’s precision in matching dependencies ensured that all CVEs identified were relevant to the SBOM, thereby mitigating the risk of false positives.
The findings underscore Helm’s superiority in accurately detecting vulnerabilities while minimizing false positives, thereby enabling product security teams to effectively prioritize and address genuine threats without being inundated by irrelevant alerts.
In this comparative analysis between Helm and the alternative tool, we utilized the same SBOM (Software Bill of Materials) and subjected it to both tools to evaluate their outputs. Each CVE (Common Vulnerability and Exposure) identified by either tool underwent thorough validation to ensure its legitimacy. This validation process involved verifying that the CVE pertained to a dependency listed in the SBOM and that it affected the correct version of said dependency.
In addition to CVE validation, we also examined other potential issues, such as whether the vulnerabilities impacted dependencies such as whether or not the vulnerabilities impacted dependencies running on the correct platform (in this case Linux). Notably, the alternative tool exhibited errors such as misidentifying dependencies and reporting CVEs that didn’t impact the version of the dependency that was actually included in the SBOM, while Helm did not.
Helm detected 55 CVEs, whereas another tool identified 215 CVEs/GHSAs. Among these, only 1 GHSA lacked a corresponding CVE. The other tool found 160 more CVEs/GHSAs than Helm, but 155 of them turned out to be false positives. The majority of these false positives were due to incorrectly matching 50 dependencies, resulting in every CVE returned for those dependencies being a false positive. For instance, the tool incorrectly assumed that the dependency “@types/connect” referred to Adobe Connect, leading to 31 false positives. Unlike this tool, Helm ignored such dependencies, producing no false positives and accurately matching all CVEs for the dependencies it identified.
In this comparison, Helm stands out as the preferred choice due to its superior accuracy, outperforming the other third party tool despite yielding an equal number of valid CVEs. The integration of third-party tools like Helm and another system is aimed at enhancing the workflow for Product Security Managers and Developers, enabling them to focus on their primary responsibilities. While the alternative system offers impressive features and a user-friendly interface, its tendency for loose matching, as evidenced in this analysis, burdens users with unnecessary manual verification tasks, detracting from core business priorities.
Helm consistently demonstrates higher accuracy compared to its counterparts, including the alternative system under review. When evaluating third-party tools, Product Security Managers must prioritize not only security implications but also time efficiency. In a fast-paced and fiercely competitive environment, the risk of wasting developers’ time on redundant verifications poses a significant concern. Helm’s precision not only delivers comprehensive risk insights but also respects users’ time, allowing them to concentrate on critical business aspects essential for success.
Incorporating Helm into your development process is crucial for seamless security integration. Choosing the right Software Bill of Materials (SBOM) vulnerability management tool is fundamental for compliance, cybersecurity, and operational integrity in today’s software landscape, where reliance on open-source and third-party components is increasing.
Interested in learning more about how Medcrypt helps medical device manufacturers meet regulatory requirements? Contact us at info@medcrypt.com and visit us at medcrypt.com to discover our full suite of medical device cybersecurity products and services.
December 13, 2024
December 4, 2024
Get the latest healthcare cybersecurity news right in your inbox.
We'll never spam you or sell your information