Test 1-3

TEST 1 – BIS-2.5.1

Test Name: TC_VALIDATE_FIRMWARE_SOFTWARE_BILL_OF_MATERIALS_FACT
Clause: 2.5 – Validate Firmware Software Bill of Materials


Objective:

Verification of the submitted list of third-party components by running automated tools like FACT (Framework for Analysis of COTS) on the firmware image.


Tools Used:

  • FACT (Framework for Analysis of COTS)

  • Firmware image as provided by OEM


Test Execution Steps:

  1. Acquired the Software Bill of Materials (SBOM) from the vendor listing all third-party components and their versions.

  2. Loaded the DUT firmware image into the FACT tool.

  3. Ran automated analysis to extract actual component metadata embedded in the firmware (e.g., libraries, binaries, kernel modules).

  4. Cross-referenced extracted data against the vendor-provided SBOM.

  5. Verified component versioning, licensing info, and the presence of known CVEs using FACT’s internal vulnerability database.
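The cross-reference in steps 3 and 4, as an added example (not part of this report, and not FACT's own code): it takes the component list extracted from the image and the vendor SBOM as plain dictionaries, which are constructed here and would in practice be read from FACT's JSON export and the OEM's SBOM file, and applies the pass criteria below.

```python
# Added example: compare components extracted from firmware against the SBOM.
# Inputs are constructed sample data, not output from any real firmware or OEM.

def _norm(name: str) -> str:
    """Normalise component names so spelling variants ("BusyBox") still match."""
    return name.strip().lower().replace("_", "-")

def compare_sbom(sbom, extracted):
    """Return per-category findings plus a PASS/FAIL verdict for BIS-2.5.1."""
    declared = {_norm(c["name"]): c for c in sbom}
    found = {_norm(c["name"]): c for c in extracted}
    result = {"matched": [], "version_mismatch": [], "license_mismatch": [],
              # present in the image but absent from the SBOM
              "undocumented": sorted(found.keys() - declared.keys()),
              # declared in the SBOM but no trace in the image
              "not_found": sorted(declared.keys() - found.keys())}
    for name in sorted(declared.keys() & found.keys()):
        d, f = declared[name], found[name]
        if d["version"] != f["version"]:
            result["version_mismatch"].append((name, d["version"], f["version"]))
        elif d.get("license") != f.get("license"):
            result["license_mismatch"].append((name, d.get("license"), f.get("license")))
        else:
            result["matched"].append(name)
    # Pass criteria from the test case: all components and versions match,
    # nothing undocumented, no version or licensing discrepancies.
    clean = not (result["version_mismatch"] or result["license_mismatch"]
                 or result["undocumented"] or result["not_found"])
    result["verdict"] = "PASS" if clean else "FAIL"
    return result

# Constructed sample inputs (not from any real firmware or vendor).
VENDOR_SBOM = [
    {"name": "busybox", "version": "1.36.1", "license": "GPL-2.0"},
    {"name": "openssl", "version": "3.0.13", "license": "Apache-2.0"},
    {"name": "zlib", "version": "1.3.1", "license": "Zlib"},
]
FACT_EXTRACTED = [
    {"name": "BusyBox", "version": "1.36.1", "license": "GPL-2.0"},
    {"name": "openssl", "version": "1.1.1w", "license": "OpenSSL"},  # older than declared
    {"name": "zlib", "version": "1.3.1", "license": "Zlib"},
    {"name": "dropbear", "version": "2022.83", "license": "MIT"},    # not in the SBOM
]

if __name__ == "__main__":
    r = compare_sbom(VENDOR_SBOM, FACT_EXTRACTED)
    for key in ("matched", "version_mismatch", "license_mismatch", "undocumented", "not_found"):
        print(f"{key}: {r[key]}")
    print("verdict:", r["verdict"])
```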


Expected Results for Pass:

  • The FACT tool output confirms all third-party components and their versions match the submitted SBOM.

  • No unknown or undocumented components are found.

  • No discrepancies in versioning or licensing details.


Test Observations:

(To be filled post-execution – e.g., "All components matched with the submitted SBOM. No undocumented or vulnerable components found.")


Evidence Provided:

  • FACT scan report (PDF/JSON)

  • Firmware image hash: (insert SHA-256 here)

  • SBOM (as provided by OEM)


Test Case Result:

(To be filled post-validation – e.g., PASS / FAIL)



TEST 2 – BIS-2.5.2

Test Name: TC_VALIDATE_FIRMWARE_SOFTWARE_BILL_OF_MATERIALS_ID
Clause: 2.5 – Validate Firmware Software Bill of Materials


Objective:

Identifying vulnerabilities in the third-party component(s) used within the firmware through publicly available vulnerability databases.


Tools Used:

  • NVD (National Vulnerability Database)

  • CVE database

  • Nessus vulnerability scanner


Test Execution Steps:

  1. Collected the list of third-party components from the vendor-provided SBOM.

  2. Queried public vulnerability databases such as NVD and CVE Details using the component names and versions.

  3. Scanned the DUT firmware using Nessus to validate the presence and exposure of any known vulnerabilities.

  4. Cross-referenced findings from both Nessus and the CVE database to eliminate false positives and ensure accuracy.

  5. Documented each identified vulnerability along with:

    • CVE ID

    • Severity score (CVSS)

    • Potential impact

    • Affected component/version
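Steps 4 and 5 as an added example (not part of this report, nor code from Nessus or NVD): findings from the CVE-database lookup and from the scanner are merged by CVE ID, only CVEs confirmed by both sources are counted, and the result is bucketed with the CVSS v3 qualitative ratings. The records are constructed placeholders; the CVE IDs are not real.

```python
# Added example: cross-reference CVE-database and Nessus findings and build the
# severity breakdown. All records are constructed placeholders.

def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def build_report(cve_lookup, nessus_findings):
    """Keep CVEs seen by both sources (lookup on component/version AND observed
    on the DUT); a CVE seen by only one source is flagged for manual review
    rather than counted, which is how false positives are weeded out."""
    by_id = {f["cve"]: f for f in cve_lookup}
    scanned = {f["cve"] for f in nessus_findings}
    confirmed = [dict(f, severity=cvss_severity(f["cvss"]))
                 for cid, f in by_id.items() if cid in scanned]
    review = sorted((by_id.keys() | scanned) - {f["cve"] for f in confirmed})
    breakdown = {}
    for f in confirmed:
        breakdown[f["severity"]] = breakdown.get(f["severity"], 0) + 1
    return {"confirmed": sorted(confirmed, key=lambda f: -f["cvss"]),
            "needs_review": review, "total": len(confirmed), "breakdown": breakdown}

# Constructed placeholder records: CVE ID, affected component/version, CVSS, impact.
CVE_LOOKUP = [
    {"cve": "CVE-0000-0001", "component": "openssl 1.1.1w", "cvss": 9.8, "impact": "remote code execution"},
    {"cve": "CVE-0000-0002", "component": "busybox 1.36.1", "cvss": 7.5, "impact": "denial of service"},
    {"cve": "CVE-0000-0003", "component": "zlib 1.3.1", "cvss": 5.3, "impact": "information disclosure"},
    {"cve": "CVE-0000-0004", "component": "dropbear 2022.83", "cvss": 3.7, "impact": "weak configuration"},
]
NESSUS_FINDINGS = [
    {"cve": "CVE-0000-0001"}, {"cve": "CVE-0000-0002"}, {"cve": "CVE-0000-0004"},
    {"cve": "CVE-0000-0005"},  # scanner hit with no matching SBOM component
]

if __name__ == "__main__":
    rep = build_report(CVE_LOOKUP, NESSUS_FINDINGS)
    for f in rep["confirmed"]:
        print(f'{f["cve"]:14} {f["severity"]:8} {f["cvss"]:4} {f["component"]:18} {f["impact"]}')
    print("total:", rep["total"], "breakdown:", rep["breakdown"], "review:", rep["needs_review"])
```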


Expected Results for Pass:

  • A detailed report listing all known vulnerabilities associated with the third-party components in the firmware.

  • The report includes severity levels and helps the vendor prioritize patching.


Test Observations:

  • Total vulnerabilities found: 15

    • Critical: 1

    • High: 5

    • Medium: 8

    • Low: 1

  • Vulnerabilities were identified through the CVE database, cross-verified with Nessus scan results.


Evidence Provided:

  • CVE reference list with severity breakdown

  • Nessus scan report

  • SBOM (provided by OEM)

  • Firmware image hash: (insert SHA-256 if applicable)


Test Case Result:

PASS – Vulnerabilities were successfully identified and reported based on the current version of third-party components.


TEST 3 – BIS-2.5.3

Test Name: TC_VALIDATE_FIRMWARE_SOFTWARE_BILL_OF_MATERIALS_PROCESS
Clause: 2.5 – Validate Firmware Software Bill of Materials


Objective:

Verification and validation of the vendor-defined process for providing regular security updates and patches for the firmware, so that known vulnerabilities in third-party components are addressed.


Tools Used:

  • Vendor-provided patch management policy and SOPs

  • Firmware version history and changelogs

  • Public release notes / advisory portal (if applicable)


Test Execution Steps:

  1. Reviewed documentation provided by the vendor outlining:

    • Patch management policy

    • Security update lifecycle

    • Timeline and frequency of updates

    • Notification mechanism for customers

  2. Validated the process by reviewing historical records of:

    • Security advisories issued

    • Firmware patch release dates

    • CVEs addressed in past updates

  3. Confirmed the customer communication mechanisms in place, such as:

    • Email notification for vulnerabilities and patches

    • Release notes on portal or support site

    • SLA (Service Level Agreement) for patch delivery timelines


Expected Results for Pass:

  • The vendor follows a well-defined, consistent process to identify, patch, and notify users of third-party vulnerabilities.

  • Timely release of updates and clear customer communication are in place.


Test Observations:

  • The vendor maintains an internal vulnerability tracking system mapped to CVE IDs.

  • Firmware releases include release notes referencing CVEs fixed.

  • Updates for critical and high-severity vulnerabilities are typically released within 30 days.

  • Customers are informed via email bulletins and updates posted to the support portal.


Test Case Result:

PASS


Overall Test Result:

PASS
