FAQ

What is an SBOM or Product Manifest? 📜

An SBOM (Software Bill of Materials) is a comprehensive inventory or list of all the components, libraries, and dependencies that make up a software application or system. It helps in identifying and managing vulnerabilities in third-party components, making it easier to respond to security threats. 🔍

How Does myorbik.com Work? ⚙️

myorbik.com pulls CVE information from the National Vulnerability Database (NVD) every 24 hours to ensure you’re always equipped with the latest security data. 🕒

Each CVE (Common Vulnerabilities and Exposures) is linked to specific software or hardware through a unique naming scheme called Common Platform Enumeration (CPE). CPE is essential for accurately mapping a CVE to its corresponding product name and version, which is a standard method used by most commercial and open-source tools, including myorbik.com. 🧩

When a CPE for a particular piece of hardware or software is found in a client’s Software Bill of Materials (SBOM), myorbik.com automatically retrieves and correlates the relevant CVE data. By integrating with your SBOM, myorbik.com helps in tracking vulnerabilities and ensures that the security posture of your software components is continuously monitored and updated. This proactive approach minimizes the risks associated with outdated or vulnerable components, keeping your systems secure and compliant with industry standards. 🛡️

Is it Possible to Run myorbik.com on a Device Not Connected to the Internet? 🌐🚫

Myorbik.com does not interact with the target device directly. Instead, the user generates or uploads a Software BOM CSV file through the web interface or the REST API; myorbik.com then compares the listed packages and versions against its internal vulnerability database and generates a report. 📈

Currently, myorbik.com is a hosted/cloud-only solution; we do not provide an on-premises version that can be on your network without internet access. However, we do plan to provide an on-premises version later this year. 🏠

Using myorbik.com, Who is Responsible for Fixing/Mitigating a Vulnerability? 🛠️

Myorbik.com assists with monitoring and tracking vulnerabilities and available fixes. The process of triaging identified CVEs, deciding to apply available fixes, implementing fixes, and building and testing the modified product is the responsibility of you or your engineering team. 👥

We also offer an externally managed solution to help organizations ensure the highest level of accuracy and reliability in their vulnerability management processes. This service includes expert oversight, regular audits, and continuous updates to keep your SBOMs accurate and aligned with the latest security standards. For more information and pricing details, please feel free to contact us. 📞

Can You Get False Positives? 🚨

Yes, false positives are a common issue when using tools that rely on CPE data from the National Vulnerability Database (NVD), like those found on myorbik.com. False positives occur when a tool reports a vulnerability (CVE) that doesn’t actually apply to the specific software package or version in question. This can be due to CPE data quality issues, incorrect SBOM information, or delays in a CVE being published in the NVD. ⚠️
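The CPE-to-SBOM correlation described under "How Does myorbik.com Work?" and the false-positive case above, as an added illustration that is not myorbik.com's code. It assumes CPE 2.3 formatted strings, NVD-style match criteria with optional version bounds, and a constructed SBOM and placeholder CVE ids; the unbounded busybox criteria shows how a wildcard CPE with no version range flags every version of a package.

```python
from collections import namedtuple

# Shaped like one NVD cpeMatch entry: criteria plus optional version bounds.
CpeMatch = namedtuple("CpeMatch", "criteria start_including end_excluding",
                      defaults=(None, None))
CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named attributes (assumes no escaped ':')."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_KEYS, fields[2:]))

def version_key(v: str) -> tuple:
    # Order dotted numeric versions; non-numeric parts count as 0 (simplification).
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def entry_matches(vendor: str, product: str, version: str, m: CpeMatch) -> bool:
    """True if an SBOM (vendor, product, version) falls under the CPE match criteria."""
    c = parse_cpe23(m.criteria)
    if c["vendor"] not in ("*", vendor) or c["product"] not in ("*", product):
        return False
    if c["version"] not in ("*", version):  # exact version unless wildcard
        return False
    ev = version_key(version)
    if m.start_including and ev < version_key(m.start_including):
        return False
    if m.end_excluding and ev >= version_key(m.end_excluding):
        return False
    return True

def correlate(sbom: list, cves: dict) -> dict:
    """Map 'product@version' -> CVE ids whose CPE criteria match that SBOM entry."""
    hits = {}
    for vendor, product, version in sbom:
        for cve_id, matches in cves.items():
            if any(entry_matches(vendor, product, version, m) for m in matches):
                hits.setdefault(f"{product}@{version}", []).append(cve_id)
    return hits

# Constructed sample data; the CVE ids are placeholders, not real NVD records.
SBOM = [("openssl", "openssl", "1.1.1"), ("zlib", "zlib", "1.2.13"),
        ("busybox", "busybox", "1.36.0")]
CVES = {
    "CVE-0000-0001": [CpeMatch("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "1.1.0", "1.1.2")],
    "CVE-0000-0002": [CpeMatch("cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*")],  # exact: no hit
    "CVE-0000-0003": [CpeMatch("cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*")],  # unbounded:
}                                                                             # flags every version
```

Running `correlate(SBOM, CVES)` reports the bounded openssl match and the unbounded busybox match; the busybox hit is exactly the kind of result that needs triage against the CVE's actual affected versions.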

To address SBOM accuracy, we’ve developed an SBOM quality metrics tool designed to evaluate the quality of a Software Bill of Materials (SBOM) by providing a score based on several critical metrics:

  • NTIA-minimum-elements: Includes features to quickly understand if an SBOM complies with NTIA’s minimum element guidelines. 🏅
  • Structural: Checks if an SBOM complies with underlying specifications, such as SPDX or CycloneDX. 📐
  • Semantic: Evaluates the meaning of SBOM fields specific to their standard. 📚
  • Quality: Determines the quality of the data in an SBOM. 🌟
  • Sharing: Assesses if an SBOM can be shared. 🔄
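An added example of the NTIA-minimum-elements check in the list above, written here for illustration and not taken from the myorbik.com tool. It assumes a CycloneDX-style JSON document and a simple mapping of the NTIA elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp) onto CycloneDX fields, with every check weighted equally in the score.

```python
import json

# NTIA minimum per-component elements, mapped to CycloneDX JSON fields (assumed mapping).
COMPONENT_CHECKS = {
    "supplier name": lambda c: bool(c.get("supplier", {}).get("name")),
    "component name": lambda c: bool(c.get("name")),
    "version": lambda c: bool(c.get("version")),
    "unique identifier (purl or cpe)": lambda c: bool(c.get("purl") or c.get("cpe")),
}

def check_ntia_minimum(sbom: dict) -> dict:
    """Return a 0-100 score and the list of missing NTIA minimum elements."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("document: missing metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("document: missing SBOM author (metadata.authors or metadata.tools)")
    if not sbom.get("dependencies"):
        findings.append("document: missing dependency relationships")
    components = sbom.get("components", [])
    for c in components:
        label = c.get("name") or c.get("bom-ref") or "<unnamed>"
        for element, present in COMPONENT_CHECKS.items():
            if not present(c):
                findings.append(f"component {label}: missing {element}")
    total = 3 + len(COMPONENT_CHECKS) * len(components)  # every check weighted equally
    score = round(100 * (total - len(findings)) / total)
    return {"score": score, "findings": findings}

# Constructed CycloneDX-style document: one complete component, one incomplete.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2024-01-01T00:00:00Z",
               "authors": [{"name": "build-pipeline"}]},
  "components": [
    {"bom-ref": "openssl", "name": "openssl", "version": "1.1.1",
     "supplier": {"name": "OpenSSL Project"},
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"},
    {"bom-ref": "zlib", "name": "zlib", "version": "1.2.13"}
  ],
  "dependencies": [{"ref": "openssl", "dependsOn": ["zlib"]}]
}""")
```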

What Information is Collected When I Upload My SBOM? 📤

When you upload your SBOM for security monitoring, myorbik.com gathers only the package or recipe names, their versions, any applied patches, and the version of the build system. This data is exclusively shared with your team members. 👥

Myorbik.com does not require the submission of your product’s source code. 🔒


Glossary of Terms 📚

CPE (Common Platform Enumeration)

CPE is a naming system used to identify and categorize information technology systems, software, and packages. It standardizes naming and organization so that systems and tools can easily recognize and work with them. It’s based on the same format used for web addresses (URIs) and includes a consistent way to name, check if names match, and attach descriptions to those names. 🌐

CVE (Common Vulnerabilities and Exposures)

A CVE is a unique identifier assigned to a specific security weakness or vulnerability in software or hardware. These vulnerabilities are flaws in code that hackers can exploit to harm a system’s security. Fixing these issues usually involves updating the code or changing/removing features to prevent problems. When a vulnerability gets a CVE number, it’s officially recognized and tracked. 📜

NVD (National Vulnerability Database)

The NVD is a database managed by the U.S. government that tracks and manages information about security vulnerabilities using a system called the Security Content Automation Protocol (SCAP). This database helps automate the process of managing vulnerabilities, measuring security, and ensuring compliance with security standards. The NVD includes information about security flaws, incorrect configurations, product names, and potential impacts.
