Global Site

Breadcrumb navigation

Co-creation of knowledge for utilizing Visualization Data such as SBOM: Visualization Data Utilization to Ensure Security Transparency -Vulnerability Management Edition- Security Transparency Consortium announces

~Improving the ability to deal with supply chain security risks through co-creation by diverse businesses ~

In a working group of the Security Transparency Consortium※1, chaired by Atsuhiro Goto, President and Professor, Graduate School of Information Security, Institute of Information Security, aiming at reducing supply chain security risks, 14 companies※2 consisting of diverse businesses, including NTT Corporation (NTT) and NEC Corporation (NEC) as the chief and vice chief have been working to solve problems and issues faced by users utilizing Visualization Data※3 such as SBOM※4 under the activity vision "Improving and Utilizing Security Transparency"※5 announced in February 2024.

As an example of the using Visualization Data for vulnerability management, the consortium co-creates knowledge to deal with the problems and issues faced by users utilizing Visualization Data, such as identifying and prioritizing vulnerabilities. The result of the Consortium's activities is the release of the "Visualization Data Utilization to Ensure Security Transparency - Vulnerability Management Edition-". This is the first released case study of vulnerability management utilization of Visualization Data in Japan and was co-created by diverse businesses including both the users (e.g., integrators, service providers) and creators (e.g., vendors, integrators) of Visualization Data. It is expected to be useful for businesses in various industries that are considering using Visualization Data for vulnerability management.

1. Background and Objectives

To deal with supply chain security risks to products, systems, and services, Visualization Data such as SBOM, which ensures transparency of products, systems, and services, is attracting attention. On August 29, 2024, the Ministry of Economy, Trade and Industry (METI) released "Guidance on Introduction of Software Bill of Materials (SBOM) for Software Management ver 2.0" to promote the introduction of SBOM. Additionally, studies on how to utilize SBOM are underway, especially in the medical and automotive industries, and SBOM is expected to be used in various use cases in the future.

Under such circumstances, various problems and issues need to be solved to utilize Visualization Data, and knowledge based on specific use cases is strongly required. In February 2024, the Consortium also released an activity vision to organize and address the problems and issues faced by users utilizing Visualization Data, and to define an action policy to deal with them. The use of Visualization Data in vulnerability management is a highly anticipated use case, and many of the above problems and issues cannot be solved by a single company, so diverse businesses need to co-create knowledge.

2. Overview

The consortium has co-created knowledge for dealing with the problems and issues raised in the activity vision, by creating a tangible form of vulnerability management, which is one of the use cases where the use of Visualization Data is most anticipated. As an achievement of the consortium, "Visualization Data Utilization to Ensure Security Transparency - Vulnerability Management Edition" has been released on the website※5. An overview is given below, along with the problems and issues raised in the activity vision.

  • (1)
    Format and Data
    There are multiple standard specifications for Visualization Data such as SBOMs, and the output of generating tools varies. Therefore, there is a risk that vulnerabilities that need to be addressed cannot be correctly identified in vulnerability management. To identify vulnerabilities that need to be addressed, the quality of Visualization Data needs to be correctly evaluated, and we will present our knowledge on quality indicators of Visualization Data.
  • (2)
    Technology and Tools
    Although various technologies and tools for Visualization Data are already available, they are not sufficient for vulnerability management. We will present our knowledge of how users of Visualized Data can make better use of it.
  • (3)
    Utilization Cost
    For users to utilize Visualization Data for vulnerability management, they urgently need to understand how to utilize Visualization Data through human resource development and to bear the cost of such training. We will present our knowledge on the education required for users to understand Visualization Data and to use it for vulnerability management.
  • (4)
    Continuous Use
    If vulnerability management had been in place before the use of Visualization Data, it may not have been possible to completely introduce the utilization of Visualization Data in a single step. We will present our knowledge of how to gradually infuse the utilized Visualization Data into existing vulnerability management mechanisms.
  • (5)
    Coordination in a Supply Chain
    Supply chains of products, services, and systems often consist of multiple tiers, and when vulnerabilities occur, cooperation across organizations is required, not just within a single organization such as individual companies. We will present our knowledge of cooperation and consensus building among organizations in the supply chain.
  • (6)
    Impact of Visualization Data
    As the utilization of Visualization Data in vulnerability management becomes more widespread and security transparency increases, many vulnerabilities will be detected, and more and more decisions will be required to address even those that did not need to be addressed in the past. We will provide our knowledge with an index for appropriately evaluating and prioritizing vulnerabilities that have been detected.

The results of the Consortium's activities are the first released case study in Japan that summarizes the collaborative efforts of diverse businesses in vulnerability management, a specific use case, to solve problems and issues that many businesses face immediately after starting to utilize Visualization Data such as SBOM or when considering the utilization of Visualization Data. This case study is expected to increase security transparency in vulnerability management and reduce supply chain security risks in diverse industries. It will also serve as a reference case study for promoting the utilization of Visualization Data other than vulnerability management in the future.

3. Outlook

The Consortium will continue to co-create measures to deal with problems and issues in the utilization of Visualization Data through the collaborative efforts of diverse businesses. Target use cases will be compiled as "Visualization Data Utilization to Ensure Security Transparency," regardless of vulnerability management, and will be released on the Consortium's website※5 from 2025 onward. The Consortium is also continuing to expand the number of participating companies※2※7 and is currently accepting applications for further participation on its website※8 .

***

Notes
  • ※1
    NTT Corporation※6 , a consortium launched in September 2023 with NEC Corporation as the Coordinator.
  • ※2
    NTT Corporation
    NEC Corporation
    ALAXALA Networks Corporation
    NRI SecureTechnologies, Ltd.
    NTC Corporation
    NTT DATA Group Corporation
    ZYYX Inc.
    LAC Co., Ltd.
    Contrast Security, Inc
    Covalent Inc.
    Cybertrust Japan Co.
    Tokyo Electron Ltd
    Sumitomo Mitsui Trust Group, Inc.
    Mitsubishi Electric Corporation
  • ※3
    Data that visualizes the configuration, status, and risk information of software and hardware such as products, systems, and services that are exchanged between businesses in the supply chain.
  • ※4
    Software Bill of Materials, a data format for listing the software components included in a product
    URL: new windowhttps://www.ntia.gov/
  • ※5
    Security Transparency Consortium Website "Information Dissemination"
    URL: new windowhttps://www.st-consortium.org/?page_id=1327
  • ※6
    Through the participation of NTT Corporation, the following NTT Group companies will also cooperate with the consortium
    NTT EAST Corporation
    NTT WEST Corporation
    NTT DOCOMO, INC
    NTT Communications Corporation
    NTT Advanced Technology Corporation
    NTT TechnoCross Corporation
    NTT Security Japan
  • ※7
    Assured, Inc.
    FFRI Security, Inc.
    Cisco Systems G.K.
    Hitachi, Ltd.
  • ※8
    Security Transparency Consortium Website, "About Joining"
    URL: new windowhttps://www.st-consortium.org/?page_id=873&lang=en

About NEC Corporation
NEC Corporation has established itself as a leader in the integration of IT and network technologies while promoting the brand statement of “Orchestrating a brighter world.” NEC enables businesses and communities to adapt to rapid changes taking place in both society and the market as it provides for the social values of safety, security, fairness and efficiency to promote a more sustainable world where everyone has the chance to reach their full potential. For more information, visit NEC at https://www.nec.com.

Orchestrating a brighter world

LinkedIn: new windowhttps://www.linkedin.com/company/nec/

YouTube: new windowhttps://www.youtube.com/user/NECglobalOfficial

Facebook: new windowhttps://www.facebook.com/nec.global/

NEC is a registered trademark of NEC Corporation. All Rights Reserved. Other product or service marks mentioned herein are the trademarks of their respective owners. © NEC Corporation.