IIC Journal of Innovation 20th Edition Trustworthy July 2022, 20th Edition | Page 82

list can be “fed into” configuration or vulnerability management tools, so that the user organization can track and apply patches for exploitable component vulnerabilities in the software products installed on their network.
G. The lists can also be used to coordinate with the supplier of each product, to learn when they will patch each important exploitable vulnerability.[14] That is, for each of these exploitable vulnerabilities (or at least those with higher CVSS[15] scores), the user will apply gentle (but firm) pressure on the supplier to develop a patch quickly.
The last step points to one of the main reasons why SBOMs are promoted as a product security tool. It is likely that many software suppliers do not patch vulnerabilities found in components of one of their products with the same promptness that they (hopefully) patch vulnerabilities found in their own code. The reason this might happen is simple: customers don’t bother suppliers about vulnerabilities they don’t know about. The NVD does not track vulnerabilities in components of a software product, but only in the product itself. Thus, the customer has no way of learning about component vulnerabilities, unless they have an SBOM to tell them what the components are.
With an SBOM, the customer can learn about both the components and, through the NVD or another vulnerability database like OSS Index,[16] the vulnerabilities found in them. When a customer learns that the NVD lists a serious vulnerability in a component of a software product they use, and when they believe this vulnerability is exploitable in the product, they can and should contact the supplier immediately, to ask when they will develop a patch.
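The workflow described above (read the SBOM, look each component up in a vulnerability database, keep the findings the user judges exploitable in the product, and rank them by CVSS score for supplier follow-up) is small enough to show end to end. The script below is an added example, not code from the article or from any SBOM tool it mentions. The SBOM is a constructed, minimal CycloneDX-style JSON document; the vulnerability feed and the exploitability assessment are constructed stand-ins for what an NVD or OSS Index lookup and the user organization’s own analysis would produce, and the CVE identifiers in them are placeholders, not real ones.

```python
"""Added example: join SBOM components against a vulnerability feed and
produce the prioritised list a user organisation would take to the supplier.

The SBOM, the vulnerability feed and the exploitability assessment below are
all constructed sample data; none of it comes from the article.
"""
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-hmi", "version": "3.1.0"}},
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"name": "libbar", "version": "0.9.1", "purl": "pkg:generic/libbar@0.9.1"},
    {"name": "libbaz", "version": "2.0.0", "purl": "pkg:generic/libbaz@2.0.0"}
  ]
}
"""

# Constructed vulnerability records keyed by (name, version). The CVE ids are
# placeholders. In practice this dictionary would be filled from the NVD API
# or OSS Index, keyed by CPE name or purl.
VULN_FEED = {
    ("libfoo", "1.2.3"): [
        {"id": "CVE-0000-0001", "cvss": 9.8},
        {"id": "CVE-0000-0002", "cvss": 4.3},
    ],
    ("libbar", "0.9.1"): [
        {"id": "CVE-0000-0003", "cvss": 7.5},
    ],
}

# Constructed exploitability assessment: whether the user organisation judges
# each component vulnerability to be reachable in this particular product.
EXPLOITABLE = {
    "CVE-0000-0001": True,
    "CVE-0000-0002": False,   # vulnerable code path not used by the product
    "CVE-0000-0003": True,
}


def load_components(sbom_json):
    """Return (name, version) pairs for every component listed in the SBOM."""
    sbom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def match_vulnerabilities(components, feed):
    """Look each component up in the feed; components with no entry yield nothing."""
    findings = []
    for name, version in components:
        for vuln in feed.get((name, version), []):
            findings.append({"component": name, "version": version, **vuln})
    return findings


def prioritise(findings, exploitable, min_cvss=7.0):
    """Keep findings judged exploitable in this product with CVSS >= min_cvss,
    highest score first. This is the list to raise with the supplier."""
    kept = [f for f in findings
            if exploitable.get(f["id"], False) and f["cvss"] >= min_cvss]
    return sorted(kept, key=lambda f: f["cvss"], reverse=True)


def supplier_followup_list(sbom_json=SBOM_JSON, feed=VULN_FEED,
                           exploitable=EXPLOITABLE, min_cvss=7.0):
    """Full pipeline: SBOM -> component lookup -> exploitable, high-CVSS findings."""
    components = load_components(sbom_json)
    return prioritise(match_vulnerabilities(components, feed), exploitable, min_cvss)


if __name__ == "__main__":
    for f in supplier_followup_list():
        print(f"{f['id']} in {f['component']} {f['version']} (CVSS {f['cvss']})")
```

With the sample data, the unexploitable medium-severity finding is dropped and the two exploitable findings come out highest score first; raising `min_cvss` narrows the list further, which is the “at least those with higher CVSS scores” choice the text leaves to the user organisation. The exploitability dictionary is the step a database lookup cannot do on its own: it records the user’s judgement about whether the component vulnerability is actually reachable in the product.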

4.2 DEVICE SOFTWARE GUIDANCE

The above discussion relates to user-managed software. When it comes to IoT and IIoT devices, the situation changes, making it harder for a user to identify component vulnerabilities. Here are the challenges involved:
• Because the supplier releases updates to all the software in the device as a single unit, the most efficient way for a device user to learn about current vulnerabilities applicable to software in the device is to look up the device itself, using the version number of the most recent device update, in the NVD.
• However, many device suppliers have never obtained CPE names for their products, meaning they are not reporting vulnerability information for the device to the NVD. This is not because the software and firmware in the device have no vulnerabilities; it is almost
[14] Since no supplier can patch every vulnerability that applies to their products, the supplier should consult with their customers to prioritize vulnerabilities to patch.
[15] More information is available at https://nvd.nist.gov/vuln-metrics/cvss.
[16] https://ossindex.sonatype.org/