23-25 March, 2027 | Steigenberger Wiltcher's, Brussels

Analysis of Vulnerability Management Process Implementation of Smart Connected Device (R22b)

Analyze a real-world CRA-aligned vulnerability management process for smart devices.
26 Mar 2026
2:00 pm
Ballroom A

This talk presents a real-world implementation of a Vulnerability Management Process aligned with RED and CRA requirements for an embedded device. The speakers demonstrate the creation of the SBOM and HBOM, the automation of their maintenance, and their integration into firmware build pipelines. They show a successfully implemented process for vulnerability identification, triaging, fixing, reporting, and compliance. The talk highlights a practical approach to prioritizing and managing vulnerabilities (focussing on exploitable vulnerabilities and other regulatory requirements), as well as how to plan firmware updates efficiently for embedded devices, for which updates are especially costly and risky.