Over 40,000 software vulnerabilities per year: Manufacturers of connected devices can now automatically check if their products are affected by a new security vulnerability. ONEKEY makes finding and dealing with software vulnerabilities easier than ever.

Düsseldorf-based cybersecurity company ONEKEY has expanded its platform from a leading solution for detecting software vulnerabilities to a fully-fledged environment for vulnerability management. This enables companies to map the entire process of dealing with so-called “Common Vulnerabilities and Exposures” (CVEs) – from detection and assessment to documented decision-making – in a single workflow that can serve as evidence.

Background: In 2024, the number of newly reported vulnerabilities peaked at over 40,000 CVEs, a 38 percent increase on the previous year. Such a high volume makes it increasingly difficult for manufacturers of networked devices, machines, and systems to keep track of which of their products are specifically affected by a CVE report.

A New Management Platform Alignment

To address this issue, ONEKEY has announced the integration of VEX (Vulnerability Exploitability eXchange) data into its device software security testing platform as part of its management platform alignment. Although this step may appear technical at first, it is significant: it reduces team workload, accelerates compliance, and improves transparency across the digital supply chain.

The new feature enables companies to prove that not every vulnerability poses a risk. Not only does it document whether a vulnerability is relevant to the product in question, it also justifies this in a standard format, either individually or embedded in a software bill of materials. These documents can easily be integrated into automated workflows and tools. This makes tracking and reporting vulnerabilities faster, easier, and more accurate.

Automation Instead of Manual Review

Until now, security teams had to manually evaluate each reported CVE vulnerability and justify why it might not pose a risk to the product in question. This often resulted in misunderstandings and time-consuming queries from customers, regulators, and partners.

The new technology solves this problem by standardizing the context of a vulnerability. It provides the crucial information on whether a known vulnerability in a specific product can actually be exploited. Through integration into the ONEKEY platform, these vulnerability decisions can now be automated and made traceable.

Competitive Advantage Through Accelerated Processes

The new integration arrives just in time: The EU Cyber Resilience Act (CRA) stipulates that, in future, manufacturers of networked devices, machines, and systems must significantly increase and document the resilience of their products against cyberattacks. Adopted in 2024, the CRA will come into full effect at the end of 2027, at which point all connected products offered on the EU market must meet CRA requirements. Given that product development takes two to three years on average, the current expansion of the ONEKEY platform will be of great benefit to manufacturers.

The Advantages for Companies at a Glance

  1. Fewer queries from compliance, customers, and partners: Standardized data provides immediate clarity on the status of vulnerabilities and reduces manual communication processes.
  2. Faster certifications and security approvals: Automated and traceable documentation of vulnerabilities allows products to be certified and approved more quickly.
  3. Competitive advantage: With this integration, ONEKEY offers customers a solution that meets the growing demand for transparency in the supply chain.

“We want to give our customers the opportunity not only to find vulnerabilities, but also to prove that their products are secure,” explained Jan Wendenburg, CEO of ONEKEY. “With the new integration, we are automating the risk assessment process and helping our customers use their time for strategic rather than administrative tasks.”

ONEKEY Strategy: Automation Wherever Possible to Get Cybersecurity Under Control

The new integration is part of ONEKEY’s corporate strategy to expand the functionality of its security platform beyond simply identifying software vulnerabilities to include additional options for comprehensive CVE management. This includes prioritization and documentation to demonstrate whether a vulnerability has been resolved or is irrelevant in the given environment.

“Structured and automated vulnerability management is one of the most important issues for manufacturers of digital products,” said Jan Wendenburg, based on numerous customer discussions. With more than 100 new CVEs emerging daily, the implications for product ranges remain unclear. Combined with increasingly strict legal compliance requirements, this has led to considerable uncertainty and, in some cases, excessive demands.

“That’s why this fall we are focusing on meeting the growing demand for appropriate functions, to help manufacturers of digital products address the issue of cybersecurity,” said Jan Wendenburg, explaining the ONEKEY strategy.

“This marks the transition from pure vulnerability detection to an environment for complete management.”
