July 16, 2025
We started building Helm to solve a simple problem: medical device manufacturers were drowning in vulnerability data. But as we dug deeper into Linux-based medical devices, we discovered that "simple" was the wrong word entirely.
Take Ubuntu, for instance. A customer recently sent us an SBOM showing OpenSSL version 1.1.1f-1ubuntu2.16. Our initial CVE scan lit up like a Christmas tree—dozens of critical vulnerabilities. Except... they weren't actually vulnerable. Ubuntu had backported every single security fix without changing the base version number. This is the kind of thing that makes vulnerability management genuinely hard.
Every Thursday, our security team reviews new CVEs. Last week, we noticed something interesting: a single OpenSSL vulnerability had different names across three distributions. In Debian, it affected libssl1.1. In Red Hat, openssl-libs. Alpine called it libssl1.1 too, but it was actually a different package entirely because of musl libc.
This isn't just annoying—it breaks most vulnerability scanners. When the National Vulnerability Database says "OpenSSL 1.1.1k is vulnerable," they're talking about the upstream project. But your SBOM doesn't contain "OpenSSL 1.1.1k." It contains whatever creative naming scheme your Linux distribution decided on.
We've built translation tables for this mess. They're not elegant, but they work. When you upload an Alpine Linux SBOM, we know that busybox-1.35.0-r29 isn't just BusyBox—it's also your grep, awk, and dozen other utilities, each with their own potential vulnerabilities.
Here's something we learned the hard way, most security analysts are most concerned about exploits, not every single vulnerability in their stack.
Last month, a cardiac monitoring device manufacturer called us in a panic. Their security scanner had flagged 47 critical vulnerabilities. After six hours of analysis, we found that exactly two had public exploits, and only one of those exploits actually worked against their device configuration.
So we rebuilt our entire analysis pipeline around a simple question: "Can someone actually exploit this?"
Now when we analyze your SBOM, we check:
A CVSS 9.8 vulnerability with no known exploits gets ranked below a CVSS 6.5 with a Metasploit module. It's not perfect, but it matches how real attackers think.
If you've never dealt with Yocto Linux, consider yourself lucky. It's basically Linux Lego—you build your own distribution from layers, recipes, and patches. It's powerful, flexible, and absolutely maddening for vulnerability analysis.
The first time we got a Yocto SBOM, our parser crashed. Turns out, Yocto version strings can include basically anything. We've seen versions like 2.31-r0.momentum5, 1.2.3+git${AUTOREV}, and our personal favorite, 1.0+really1.2.
But the real challenge isn't parsing—it's understanding what these versions mean. That momentum5 suffix? It indicates five custom patches applied by the device manufacturer. Those patches might fix security issues, or they might introduce new ones. Without analyzing the actual patch content, we can't know.
So we built a Yocto-specific analysis engine. It's held together with regex and hope, but it can extract base versions from even the weirdest version strings. More importantly, it knows about Yocto's security mailing list, where critical fixes often appear before they get CVE numbers.
Alpine Linux seems simple. It's tiny, uses musl instead of glibc, and BusyBox instead of GNU utilities. How hard could it be?
Turns out, very hard. Alpine's minimalism means they often fix vulnerabilities by upgrading to new major versions rather than backporting patches. So while Ubuntu might give you a security-only update from 1.2.3 to 1.2.3-ubuntu4.2, Alpine just upgrades you to 2.0.0 and calls it a day.
This breaks medical device update cycles. You can't validation-test a major version upgrade the same way you test a security patch. So we track Alpine's edge repository to predict when these breaking updates are coming, giving manufacturers time to plan.
We also learned that musl libc has its own set of vulnerabilities that don't affect glibc-based systems. CVE databases don't always make this distinction clear. We now maintain a separate vulnerability feed just for musl-specific issues.
Ubuntu should be the easy one. It's popular, well-documented, and has excellent security communication. But Ubuntu's strength—its stability—creates unique challenges.
Ubuntu LTS releases backport security fixes for five years (ten with Extended Security Maintenance). This is great for stability but terrible for vulnerability scanners. That OpenSSL 1.1.1f version I mentioned? It'll keep that version number for the entire LTS lifecycle while accumulating hundreds of backported fixes.
We solve this by essentially ignoring version numbers for Ubuntu packages. Instead, we parse Ubuntu Security Notices (USNs) and match them against package changelog entries. It's like vulnerability analysis through archaeology—digging through layers of patches to understand the true security state.
The real kicker? Ubuntu's universe repository, where many packages live, only gets "best effort" security support. We've seen medical devices using critical components from universe that haven't received security updates in years. Our system now flags these repository distinctions because "supported by Canonical" and "supported by the community" mean very different things for medical device compliance.
After analyzing thousands of medical device SBOMs, we've noticed patterns in what actually gets exploited. Remote code execution in network services? Critical. Local privilege escalation requiring physical access? Usually less so (unless your device is in a public area).
But the FDA doesn't see it that way. They want to know about everything. So we built a two-track system: one view for engineers trying to fix actual problems, another for compliance teams writing reports.
The engineering view is brutal in its simplicity:
The compliance view includes all the CVSS scores, CWE classifications, and regulatory references that make auditors happy.
Real SBOMs are messy. We've seen:
Our matching engine handles most of this automatically now. It uses fuzzy matching for package names, infers versions from related packages, and flags ambiguous entries for human review. But the best part is our feedback system—we tell you exactly how to improve your SBOM for next time.
One customer improved their SBOM quality so much that their vulnerability analysis time dropped from hours to minutes. Turns out, correct CPE identifiers make everything easier. Who knew?
Linux vulnerability management for medical devices isn't getting easier. New distributions pop up regularly (has anyone tried Flatcar Container Linux?), and the pace of vulnerability discovery keeps accelerating.
But we're getting better at cutting through the noise. By focusing on exploitability over severity scores, understanding distribution-specific patching philosophies, and building smart translation layers between different naming schemes, we can turn an overwhelming flood of vulnerability data into actionable intelligence.
The key insight? Perfect vulnerability management doesn't exist. But good enough—where you catch the exploitable bugs and maintain compliance without drowning in false positives—that's achievable. Even with Yocto's creative versioning.
.png)
July 17, 2025
July 16, 2025
July 9, 2025
Get the latest healthcare cybersecurity news right in your inbox.
We'll never spam you or sell your information
