Archive for NetRise

NetRise Introduces A Significant Platform Enhancement

Posted in Commentary with tags on August 5, 2025 by itnerd

NetRise announced a significant update to its core product platform. The update helps users prioritize, mitigate, and remediate vulnerabilities in the software they produce more efficiently, and reduce risk in the environments in which that software runs.

Key features introduced into the NetRise platform include:

  • Reachability – context on whether a vulnerability is reachable and autoruns within a given system, including user execution context. This approach aims to prioritize vulnerabilities more effectively, focusing on those that pose a real threat to the system.
  • SBOM Edit – manually add, remove, and edit SBOM components, and add information that is often lost in the build process, or licensing information that is contained in metadata files from a package manager, to ensure the accuracy of SBOMs delivered.
  • Fix Version – indication of the minimum version of the component in which the vulnerability is resolved, a useful datapoint for prioritization because it highlights issues that are likely easy to fix.
  • Platform re-architecture that increases the ability to scale and to speed up the development of future releases.

In its Supply Chain Visibility & Risk Study, published in Q4 2024, NetRise reported that on networking devices whose compiled software NetRise analyzed, an average of 1,120 CVEs were found per device. The report showed how to prioritize those CVEs to focus on those that were network accessible, greatly reducing the work required of a manufacturer’s development team or of an enterprise’s third-party risk management team.

Resources

  • Meet NetRise: Request a meeting with the team in Las Vegas for the Black Hat Conference 2025 from 8/4 – 8/10.
  • Schedule a Demo: To learn more about the value that a software asset inventory brings to global enterprises and device manufacturers alike, see a demo of the NetRise Platform.
  • For more information about the NetRise Platform, visit https://www.netrise.io/products/platform.

New Supply Chain Visibility & Risk Research Reveals Containers Have 600+ Vulnerabilities On Average

Posted in Commentary with tags on December 10, 2024 by itnerd

NetRise has released a new report that explores software compositions, vulnerability risks, and non-CVE risks in different asset classes in every organization’s software supply chain. The report analyzes the scope and scale of the components and risks found across 70 of the most commonly downloaded Docker Hub container images.

Key findings from NetRise researchers include:

  • After analyzing 70 randomly selected container images from 250 of Docker Hub’s most commonly downloaded images and generating a detailed SBOM, NetRise discovered that each container image had an average of 389 software components.
  • NetRise found that one in eight components had no software manifest—they lacked the formal metadata typically found in manifests and details about dependencies, version numbers, or the package’s source. 
  • The average container had 604 known vulnerabilities in its underlying software components, with over 45% of them 2 to 10+ years old.
  • Over 4% of the 16,557 identified CVEs with a Critical or High CVSS severity ranking were weaponized vulnerabilities: used by botnets to spread ransomware, used by threat actors, or used in known attacks.
  • Containers averaged 4.8 misconfigurations each, including 146 instances of “world writable and readable directories outside tmp”, and had overly permissive identity controls, with an average of 19.5 usernames per container.
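The “world writable directories outside tmp” misconfiguration above is easy to check for yourself on an unpacked image. The following is an added example, not NetRise’s scanner: it builds a small constructed directory tree under a temporary directory so it runs anywhere, then walks it and reports every directory that is writable by everyone and is not under one of the locations that are expected to be world-writable (/tmp, /var/tmp, /dev/shm). The exemption list and the sample layout are assumptions for illustration; point scan_world_writable() at a rootfs produced by `docker export` to use it for real.

```python
"""Report world-writable directories outside the usual tmp locations.

Added example, not NetRise's code. build_sample_rootfs() creates a
constructed tree so the scan runs offline; scan_world_writable() is
the part you would run against an unpacked container filesystem.
"""
import os
import stat
import tempfile

# Paths where a world-writable (sticky) directory is expected. Assumption
# for this example; extend it for your own base images.
EXEMPT_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def _is_exempt(rel_path: str) -> bool:
    return any(rel_path == p or rel_path.startswith(p + "/") for p in EXEMPT_PREFIXES)


def scan_world_writable(root: str):
    """Return (path, mode, sticky) for every world-writable directory under root.

    Paths are reported relative to root with a leading '/', as they would
    appear inside the container. Symlinks are skipped so a link into /tmp
    cannot hide a finding or cause a loop.
    """
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if _is_exempt(rel):
                continue
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                sticky = bool(st.st_mode & stat.S_ISVTX)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), sticky))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Constructed rootfs layout: two expected tmp dirs, two misconfigurations."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    layout = {
        "tmp": 0o1777,            # expected: world-writable with sticky bit
        "var/tmp": 0o1777,        # expected
        "etc": 0o755,             # fine
        "usr/local/lib": 0o777,   # misconfiguration: anyone can drop a library here
        "opt/app/data": 0o1777,   # world-writable outside tmp, sticky bit set
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_rootfs()
    for path, mode, sticky in scan_world_writable(sample):
        print(f"{path:20} {mode:8} sticky={sticky}")
```

The sticky bit is reported separately because a 1777 directory outside /tmp is still a finding (anyone can create files there, which matters for a library or data path), but it is less dangerous than a plain 777 directory where any user can also rename or delete other users’ files.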

You can read the report here.

NetRise Awarded AFWERX STTR Phase I Contract to Bolster XIoT Security

Posted in Commentary with tags on January 11, 2024 by itnerd

NetRise, the company providing granular visibility into the world’s Extended Internet of Things (XIoT) security problem, covering the firmware and software component security challenges of IT, OT, IoT, and other connected cyber-physical systems, today announced it has been selected by AFWERX for a Small Business Technology Transfer (STTR) Phase I award of $110,000. The work focuses on identifying and managing risk in the firmware and software of connected devices to address the most pressing challenges in the Department of the Air Force (DAF).

The Air Force Research Laboratory and AFWERX have partnered to streamline the Small Business Innovation Research (SBIR) and STTR process: shortening proposal-to-award timelines, widening the pool of applicants by expanding opportunities for small businesses, and cutting bureaucratic overhead through continual process improvements in contract execution. The DAF began offering the Open Topic SBIR/STTR program in 2018, which expanded the range of innovations the DAF funds. NetRise’s work under this award began on 15 December 2023, with the goal of creating capabilities that strengthen the national defense of the United States.

Based in Austin, Texas, NetRise was built by defensive cyber experts bred across the private sector, intelligence community, and U.S. federal government to solve the firmware security problem. The company is partnering with companies across manufacturing, automotive, medical devices, industrial control systems, satellites, and many more. https://www.netrise.io/

NetRise Releases Industry’s First AI-Powered Semantic Search for Software Supply Chain Security

Posted in Commentary with tags on November 9, 2023 by itnerd

NetRise, the company providing granular visibility into the world’s Extended Internet of Things (XIoT) security problem — encompassing the modern firmware and software component security challenges of IT, OT, IoT, and other connected cyber-physical systems — today announced the release of Trace in the NetRise Platform. This new solution allows users to identify and validate compromised and vulnerable third-party and proprietary software assets using AI-powered semantic search for the first time. 

Trace revolutionizes vulnerability detection and validation by introducing intent-driven searches, allowing users to search their assets based on the underlying motives or purposes behind the code and configurations that lead to vulnerabilities rather than solely relying on signature-based methods. Rather than searching for specific code patterns or known vulnerabilities, users can query the system based on the intent of malicious actors or negligent developers. Such a method captures a wider range of software packages, misconfigurations, or unidentified flaws. Trace highlights affected assets, files, and packages utilizing natural language, mapping their intricate relationships across the entire software supply chain without the need for a scanning mechanism.

Trace is the first solution to integrate AI-driven semantic search, supply chain impact analysis, and vulnerability validation utilizing large language model (LLM) capabilities, which offer customers a unified and potent solution to detect known and hidden threats in low-level firmware and other cyber-physical systems.

Key enhancements and capabilities of the new Trace solution in the NetRise Platform include: 

  • AI-Powered Search: Semantic and keyword-based search for all files, operating system configurations, and vulnerabilities across all assets using AI. 
  • Deep Supply Chain Introspection & Origin Tracing: Discover and trace the origin of code and risk back to the third-party or proprietary software packages that introduced it across all assets.
  • LLM-Based Vulnerability Discovery & Validation: Identify vulnerabilities and gauge their impact in the software supply chain using code-based or broad natural language queries, validating issues across an organization’s firmware, software, and cyber-physical systems.

Supply chain compromises are increasing, often targeting firmware or open-source software packages through dependency poisoning and other attacks. A widespread effort across numerous industries, involving both public and private sectors, is underway to discern which assets, devices, and software contain compromised software packages and vulnerabilities. The complexity of analyzing device firmware and build artifacts further exacerbates this challenge.

NetRise addresses these challenges by enabling organizations to quickly trace all impacted assets using a single query. Upon identifying a positive match, it generates a comprehensive graph of the affected software supply chain components, eliminating the need for repeated scans or asset reprocessing. This approach is essential in discerning the extent of threats — from nation-state actors to inherent vulnerabilities and inadequate development practices — across devices, firmware, and software packages.

For more information about the Trace feature and its benefits, please visit: https://www.netrise.io/xiot-security-blog/trace-solution-benefits.

NetRise Added to Department of Homeland Security Continuous Diagnostics and Mitigation Approved Products List

Posted in Commentary with tags on September 6, 2023 by itnerd

NetRise, the company providing granular visibility into the world’s Extended Internet of Things (XIoT) security problem — encompassing the modern firmware and software component security challenges of IT, OT, IoT, and other connected cyber-physical systems — today announced the company has been accepted for the Approved Product List (APL) through the Continuous Diagnostics and Mitigation (CDM) Program, where the Department of Homeland Security (DHS) seeks to strengthen federal agencies’ ability to secure their networks against the ever-increasing threat of cyberattacks.

The Cybersecurity and Infrastructure Security Agency’s (CISA) CDM Program dynamically fortifies the cybersecurity of civilian government networks and systems with real-time risk monitoring and defense. The CDM program provides cybersecurity tools, integration services, and dashboards to participating federal agencies to support them in improving their respective security posture.

Unlike legacy solutions, the NetRise automated platform offers crucial visibility into the ‘black boxes’ of XIoT devices. NetRise’s next-generation firmware and IoT security platform protects organizations from firmware-based attacks and threats by enabling users to continuously identify and monitor risks in the software components of devices. NetRise supports the federal government’s effort to secure the vast number of XIoT devices that serve the public sector and citizens nationwide. NetRise’s novel approach to addressing firmware vulnerabilities and software asset management within IT infrastructure bolsters the risk management of environments, providing valuable and unique benefits which will greatly aid in efforts to avert incursions impacting national security.

The NetRise platform is well positioned and aligns with the CDM program’s goals by providing next-generation firmware analysis, identifying risks in device firmware and software components. NetRise provides firmware visibility, vulnerability management, and insights into the underlying “ingredients” of firmware devices, identifying the latent risks and vulnerabilities within IoT, ICS, connected vehicles, medical devices, satellites, and telecom devices. 

CDM-approved key features and capabilities of the NetRise platform include:

  • SBOM Management (Software Bill of Materials): Generate, ingest, and enrich SBOMs for comprehensive visibility into the software components of each device.
  • Risk and Vulnerability Management: Understanding what is on the network, the integrity of systems and information, and assessing and prioritizing risk based on potential impact and exploitability.
  • Compliance Adherence: Determine if third-party code is introducing legal and compliance issues.
  • Real-Time Risk Tracking: Attain continuously updated tracking of device risk beyond CVEs with CISA KEV catalog support.
  • Product Build Assurance: Understanding the risk level of device builds and the cybersecurity impact of potential updates or changes.

To learn more about how the NetRise platform supports government agencies with visibility into devices’ underlying risks, please visit https://www.netrise.io/platform.  

Medcrypt & NetRise Partner to Tackle Critical Cyber Challenges in Healthcare

Posted in Commentary with tags on August 22, 2023 by itnerd

Medcrypt, Inc., the proactive cybersecurity solution provider for medical device manufacturers (MDMs), today announced its partnership with NetRise, the company providing granular visibility into the world’s XIoT security problem, to address critical cybersecurity challenges in the healthcare industry. This partnership will provide MDMs with a Software Bill of Materials (SBOM) lifecycle management solution that will empower device makers to proactively identify and address potential security risks and ensure the safety and integrity of their medical devices.  

In 2021, the White House released an executive order on the growing need for improved cybersecurity, which included the use of SBOMs “as a formal record containing the details and supply chain relationships of various components used in building software” for each product. The two primary use cases of SBOMs are to identify vulnerabilities from the component information within the SBOM and to monitor license usage, especially of open-source software. The value SBOMs provide is two-fold: supporting R&D teams in the premarket phase and supporting postmarket management and vigilance, thus informing cybersecurity activities across research and development, product quality, and legal teams. For medical device manufacturers, the U.S. Food and Drug Administration (FDA) is mandating that all software-based medical devices must create and maintain an SBOM, and will start refusing submissions that fail to include this information on October 1, 2023.

The collaboration between Medcrypt and NetRise aims to revolutionize medical device security by combining Medcrypt’s expertise in vulnerability identification and management with NetRise’s unparalleled capabilities in generating SBOMs for embedded devices and firmware. This partnership provides medical device manufacturers with a comprehensive solution to safeguard their devices against potential cyber risks throughout their entire lifecycle.

Medcrypt will integrate NetRise’s SBOM generation capabilities into Helm, extending the support for SBOMs throughout the entire lifecycle of medical devices. NetRise will offer medical device manufacturers the ability to generate, ingest, enrich, manage, and monitor SBOMs, providing critical visibility into the underlying vulnerabilities of their embedded devices and firmware. 

Learn more about the partnership and how to create and monitor an SBOM that meets FDA premarket requirements through a joint webinar with Medcrypt and NetRise on September 19, 2023. Sign up here.

NetRise Introduces New Features for Managing SBOMs & CISA KEV Catalog Support  

Posted in Commentary with tags on August 9, 2023 by itnerd

NetRise, the company providing granular visibility into the world’s XIoT security problem, today announced advanced capabilities for maintaining and working with Software Bill of Materials (SBOMs) and support for the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog for managing and understanding the risks associated with software components in the firmware of connected devices. 

As the security of the software and firmware supply chain and regulation around SBOMs continue to dominate the industry landscape, the impact of consuming and generating a list of ‘ingredients’ for each device cannot be overstated. With the continuing push for new standards to require visibility in the supply chain, device consumers and asset owners need a solution to enable them to streamline SBOM management and vulnerability prioritization efforts.

NetRise recognizes the current challenges in the market, enhancing its customers’ and partners’ ability to manage vulnerabilities effectively, and offers the solution these industry personas have been seeking; the ability to ingest and enrich SBOMs from multiple sources. This key capability helps device manufacturers and owners alike better manage the underlying components and vulnerabilities of XIoT devices. 

With the growing prominence of KEVs, NetRise’s adoption of CISA’s KEV data provides users with an efficient method for prioritizing the most exploitable vulnerabilities. Today, a typical enterprise sorts through potentially hundreds of thousands of vulnerabilities, and the ability to prioritize remediation efforts based on exploitability alters the dynamics of device security. In 2022, about 30% of KEVs affected XIoT devices or software components used by XIoT devices. So far, in 2023, that figure is approximately 20%. Considering that any CVE could be on the KEV list, these are impressive numbers. 

Key benefits of these new features in the NetRise Platform include:

  • By overlaying CISA KEV catalog data, NetRise empowers a comprehensive understanding of known exploits to identify, address, and prioritize the most critical vulnerabilities.
  • The NetRise platform supports the ingestion of two major SBOM formats (SPDX and CycloneDX), enriches them with vulnerability information, and exports in either format for external use.
  • With a dark mode feature to minimize eye strain and enhance visibility in glare-prone environments, NetRise delivers an innovative interface design for improved user experience. 
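The KEV overlay and SBOM enrichment described in this release, together with the Reachability and Fix Version signals from the August 2025 update above, all reduce to one join: SBOM components against a vulnerability feed, then against the KEV catalog, then a sort that puts exploited-in-the-wild issues ahead of raw CVSS score. The following is an added example, not NetRise’s code. The CycloneDX document, the vulnerability feed, the reachability set and the KEV catalog are all constructed inline (the CVE identifiers are deliberately invalid placeholders) so that it runs offline; the KEV entries use the field names of CISA’s public JSON feed at https://www.cisa.gov/known-exploited-vulnerabilities, which is the feed you would substitute for real use.

```python
"""Enrich a CycloneDX SBOM with vulnerability data, overlay a KEV-style
catalog, and rank findings by exploitability before CVSS score.

Added example, not NetRise's code. All inputs are constructed; the CVE
IDs are placeholders, not real advisories.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX 1.5 document for an imaginary device image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/openssl@1.1.1k",
         "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "bom-ref": "pkg:generic/busybox@1.31.0",
         "name": "busybox", "version": "1.31.0", "purl": "pkg:generic/busybox@1.31.0"},
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.2.11",
         "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    ],
})

# Constructed vulnerability feed keyed by purl. CVE IDs are placeholders.
VULN_FEED = {
    "pkg:generic/openssl@1.1.1k": [
        {"id": "CVE-0000-0001", "cvss": 9.8, "fix_version": "1.1.1l"},
        {"id": "CVE-0000-0002", "cvss": 5.3, "fix_version": None},
    ],
    "pkg:generic/busybox@1.31.0": [
        {"id": "CVE-0000-0003", "cvss": 7.5, "fix_version": "1.32.0"},
    ],
}

# Constructed KEV-style catalog in the shape of the CISA JSON feed.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "vendorProject": "busybox",
     "product": "busybox", "dateAdded": "2023-01-01"},
]})

# Constructed reachability result: components with a code path that can
# actually be exercised in this image (assumed input, not computed here).
REACHABLE = {"pkg:generic/openssl@1.1.1k"}


@dataclass(frozen=True)
class Finding:
    cve: str
    purl: str
    cvss: float
    fix_version: Optional[str]
    in_kev: bool
    reachable: bool

    def rank_key(self) -> tuple:
        # Higher tuples sort first: exploited in the wild beats any score,
        # a reachable component beats an unreachable one, then CVSS, and a
        # published fix version breaks ties because it is the cheap remediation.
        return (self.in_kev, self.reachable, self.cvss, self.fix_version is not None)


def load_kev_ids(kev_json: str) -> set:
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def enrich(sbom_json: str, vuln_feed: dict, kev_ids: set, reachable: set) -> list:
    """Join SBOM components to the feeds; return findings, highest priority first."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        for v in vuln_feed.get(purl, []):
            findings.append(Finding(v["id"], purl, v["cvss"], v["fix_version"],
                                    v["id"] in kev_ids, purl in reachable))
    return sorted(findings, key=Finding.rank_key, reverse=True)


def export_cyclonedx(sbom_json: str, findings: list) -> dict:
    """Write findings back as top-level CycloneDX 'vulnerabilities' entries."""
    bom = json.loads(sbom_json)
    bom["vulnerabilities"] = [{
        "id": f.cve,
        "ratings": [{"score": f.cvss, "method": "CVSSv31"}],
        "affects": [{"ref": f.purl}],
        "recommendation": (f"Upgrade to {f.fix_version}" if f.fix_version
                           else "No fixed version published"),
        "properties": [{"name": "kev", "value": str(f.in_kev).lower()},
                       {"name": "reachable", "value": str(f.reachable).lower()}],
    } for f in findings]
    return bom


if __name__ == "__main__":
    ranked = enrich(SBOM_JSON, VULN_FEED, load_kev_ids(KEV_JSON), REACHABLE)
    for f in ranked:
        print(f"{f.cve:14} kev={f.in_kev!s:5} reachable={f.reachable!s:5} "
              f"cvss={f.cvss:<4} fix={f.fix_version or '-'}")
    print(json.dumps(export_cyclonedx(SBOM_JSON, ranked), indent=2))
```

With these inputs the 7.5-scored busybox issue outranks the 9.8-scored openssl issue because it is in the catalog; CVSS only decides order among issues with the same KEV and reachability status. The exported document keeps the original components untouched and adds the findings as CycloneDX `vulnerabilities` entries whose `affects.ref` points at each component’s `bom-ref`, which is the form most SBOM consumers can ingest directly.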

For more information about NetRise’s presence at Black Hat USA 2023, please visit https://www.netrise.io/events. To learn more about these advancements and other capabilities of the NetRise platform, visit https://www.netrise.io/platform 

NetRise and Qwiet AI Align to Find and Fix Vulnerabilities from Firmware to Application Code

Posted in Commentary with tags on April 18, 2023 by itnerd

NetRise, the company solving the world’s XIoT security problem, announced today an integration partnership with Qwiet AI, the first in the AppSec industry to provide AI-powered detection of vulnerabilities in software code.

By automating the detection and remediation of vulnerabilities in a wide array of Cyber-Physical Systems (CPS), including firmware, XIoT devices, containers, and more, NetRise’s cutting-edge solution revolutionizes the cybersecurity landscape. Drawing on the unique background of its team members, which includes expertise in machine learning, endpoint management, DoD, and cybersecurity, NetRise delivers unparalleled protection. The innovative platform harnesses machine learning to detect vulnerabilities, enrich context, and identify components, providing unprecedented value to enterprises, manufacturers, and consulting firms navigating the increasingly complex world of cybersecurity.

Qwiet AI’s application security platform (based on their patented Code Property Graph) allows customers to find vulnerabilities quickly and accurately in their code while still in development.  On top of years of experience in the code security space, Qwiet AI has added an additional layer of detection by utilizing a powerful AI engine trained to detect known and unknown vulnerabilities in both open source and proprietary code libraries, allowing Qwiet AI customers to detect new vulnerabilities at a level unmatched in the application security space.  

Organizations who take advantage of the strengths of both NetRise and Qwiet AI will benefit from complete code security coverage from the firmware running their CPS to the applications used to manage and integrate them, providing a previously unseen level of security.  

About NetRise

Based in Austin, Texas, NetRise was built by defensive cyber experts bred across the private sector, intelligence community and U.S. federal government to solve the firmware and supply chain security problem. NetRise is currently partnering with companies across manufacturing, automotive, medical devices, industrial control systems, satellites and many other devices powering society.

About Qwiet AI

Driven by a powerful AI engine developed by NumberOne AI, Qwiet AI’s platform is the first in the industry to provide AI-driven detection of zero-day and pre-zero-day vulnerabilities in code. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in San Jose, California.