Co-creation of knowledge for utilizing Visualization Data such as SBOM Visualization Data Utilization to Ensure Security Transparency -Vulnerability Management Edition- Security Transparency Consortium announces

~Improving the ability to deal with supply chain security risks through co-creation by diverse businesses~

In a working group of the Security Transparency Consortium^*1, chaired by Atsuhiro Goto, President and Professor, Graduate School of Information Security, Institute of Information Security, aiming at reducing supply chain security risks, 14 companies^*2 consisting of diverse businesses, including NTT Corporation (NTT) and NEC Corporation (NEC) as the chief and vice chief have been working to solve problems and issues faced by users utilizing Visualization Data^*3 such as SBOM^*4 under the activity vision "Improving and Utilizing Security Transparency"^*5 announced in February 2024.
　As an example of the using Visualization Data for vulnerability management, the consortium co-creates knowledge to deal with the problems and issues faced by users utilizing Visualization Data, such as identifying and prioritizing vulnerabilities. The result of the Consortium's activities is the release of the "Visualization Data Utilization to Ensure Security Transparency - Vulnerability Management Edition-". This is the first released case study of vulnerability management utilization of Visualization Data in Japan and was co-created by diverse businesses including both the users (e.g., integrators, service providers) and creators (e.g., vendors, integrator) of Visualization Data. It is expected to be useful for businesses in various industries that are considering using Visualization Data for vulnerability management.

1. Background and Objectives

To deal with supply chain security risks to products, systems, and services, Visualization Data such as SBOM, which ensures transparency of products, systems, and services, is attracting attention. On August 29, 2024, the Ministry of Economy, Trade and Industry (METI) released "Guidance on Introduction of Software Bill of Materials (SBOM) for Software Management ver 2.0" to promote the introduction of SBOM. Additionally, studies on how to utilize SBOM are underway, especially in the medical and automotive industries, and SBOM is expected to be used in various use cases in the future.
　Under such circumstances, various problems and issues need to be solved to utilize Visualization Data, and knowledge based on specific use cases is strongly required. In February 2024, the Consortium also released an activity vision to organize and address the problems and issues faced by users utilizing Visualization Data, and to define an action policy to deal with them. The use of Visualization Data in vulnerability management is a highly anticipated use case, and many of the above problems and issues cannot be solved by a single company, so diverse businesses needs to co-create knowledge.

2. Overview

The consortium has co-created knowledge for dealing with the problems and issues raised in the activity vision, by creating a tangible form of vulnerability management, which is one of the use cases where the use of Visualization Data is most anticipated. As an achievement of the consortium, "Visualization Data Utilization to Ensure Security Transparency - Vulnerability Management Edition" has been released on the website^*5. An overview is given below, along with the problems and issues raised in the activity vision.

The results of the Consortium's activities are the first released case study in Japan that summarizes the collaborative efforts of diverse businesses in vulnerability management, a specific use case, to solve problems and issues that many businesses face immediately after starting to utilize Visualization Data such as SBOM or when considering the utilization of Visualization Data. This case study is expected to increase security transparency in vulnerability management and reduce supply chain security risks in diverse industries. It will also serve as a reference case study for promoting the utilization of Visualization Data other than vulnerability management in the future.

3. Outlook

The Consortium will continue to co-create measures to deal with problems and issues in the utilization of Visualization Data through the collaborative efforts of diverse businesses. Target use cases will be compiled as "Visualization Data Utilization to Ensure Security Transparency," regardless of vulnerability management, and will be released on the Consortium's website^*5 from 2025 onward. The Consortium is also continuing to expand the number of participating companies^*2*7 and is currently accepting applications for further participation on its website^*8.

Notes

^*1NTT Corporation^*6, a consortium launched in September 2023 with NEC Corporation as the Coordinator.

^*2NTT Corporation
NEC Corporation
ALAXALA Networks Corporation
NRI SecureTechnologies, Ltd.
NTC Corporation
NTT DATA Group Corporation
ZYYX Inc.
LAC Co., Ltd.
Contrast Security, Inc
Covalent Inc.
Cybertrust Japan Co.
Tokyo Electron Ltd
Sumitomo Mitsui Trust Group, Inc.
Mitsubishi Electric Corporation

^*3Data that visualizes the configuration, status, and risk information of software and hardware such as products, systems, and services that are exchanged between businesses in the supply chain.

^*4Software Bill of Materials, a data format for listing the software components included in a product
URL: https://www.ntia.gov/

^*5Security Transparency Consortium Website "Information Dissemination"
URL: https://www.st-consortium.org/?page_id=1327

^*6Through the participation of NTT Corporation, the following NTT Group companies will also cooperate with the consortium
NTT EAST Corporation
NTT WEST Corporation
NTT DOCOMO, INC
NTT Communications Corporation
NTT Advanced Technology Corporation
NTT TechnoCross Corporation
NTT Security Japan

^*7Assured, Inc.
FFRI Security, Inc.
Cisco Systems G.K.
Hitachi, Ltd.

^*8Security Transparency Consortium Website, "About Joining"
URL: https://www.st-consortium.org/?page_id=6