ONEKEY: Software Bills of Materials Are the New Security Passport

ONEKEY is expanding its security platform from detection to the holistic management of software vulnerabilities in smart products.

Extended Software Bills of Materials become “security passports,” with integrated risk assessment and complete regulatory compliance documentation.

Düsseldorf, November 4, 2025 – The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers and distributors of digital products with an internet connection must provide a Software Bill of Materials (SBOM). This will help to identify potential software vulnerabilities that could be exploited by hackers so that they can be remedied in a timely manner.

The CRA therefore requires a detailed list of all programs, libraries, frameworks, and dependencies for networked devices, machines, and systems, without exception, including the exact version numbers of the individual components, information on the respective licenses, details of the authors, and an overview of all known vulnerabilities and security gaps. Many manufacturers struggle to meet these requirements, mainly because they do not receive complete information from their suppliers.

For this reason, many SBOMS are incomplete, outdated, or lack context regarding vulnerabilities. These incomplete and sometimes outdated Software Bills Of Materials are unusable for the mandatory documentation requirements imposed on manufacturers by EU regulations.

SBOM as the New Security Passport

The Düsseldorf-based cybersecurity company ONEKEY has now added a new feature to its platform that checks device software (firmware) for security vulnerabilities and enables the generation of so-called enriched SBOMs. These expanded Software Bills Of Materials contain all relevant information about vulnerabilities. The SBOMs generated in this way fully meet all industry requirements. As well as containing the vulnerabilities with risk classification, they also provide evidence and justifications in a single, easy-to-use file.

“This transforms the SBOM from a mere bill of materials into a kind of security passport with integrated risk assessment,” explained Jan Wendenburg, CEO of ONEKEY. He knows from many discussions with manufacturers: “The often complex supply chains and the frequent lack of understanding of EU-specific regulations among suppliers outside the European Union make it difficult to comply with the requirements of the Cyber Resilience Act.” According to ONEKEY, the new functionality is a significant step towards overcoming this hurdle.

Beyond Detection: Comprehensive Vulnerability Management

This latest feature forms part of an initiative to expand the ONEKEY platform, providing even better support for comprehensive software security vulnerability management. Until now, the platform has primarily focused on the detection of software vulnerabilities. “Identifying deficiencies is only the first step,” says Jan Wendenburg, “now we are taking further steps to relieve manufacturers as much as possible of time-consuming manual tasks and help them achieve CRA compliance.”

Automated workflows, contextual assessments, and audit-ready documentation will enable security and compliance teams to respond more quickly and act in a regulatory-compliant manner. “By enabling the platform to take on more and more routine tasks, we are giving specialists more time to focus on their most important task: maximizing the security of their devices, machines, and systems,” says Jan Wendenburg, says Jan Wendenburg, outlining the company’s strategy.