In Brief:
- ByteSnap Design and Digi International are focusing on SBOM-led vulnerability management for medical and industrial IoT devices.
- The approach combines continuous CVE monitoring, curated vulnerability reports, Yocto security layers, and integration support.
- Medical, automotive, defence, energy, and other regulated sectors face rising expectations around field patching and lifecycle evidence.
ByteSnap Design and Digi International are extending their embedded Linux security work into SBOM-led vulnerability management and long-term compliance for medical devices and connected industrial IoT systems.
The Birmingham-based embedded systems consultancy and Digi are focusing on the operational use of software bills of materials, continuous vulnerability monitoring, targeted patching, and deployment validation for devices expected to remain in the field for long service lives. The work builds on the embedded Linux security service introduced earlier this year, with a sharper emphasis on medical and regulated-device lifecycle requirements.
During a webinar on long-term security for medical devices, the companies set out how SBOMs can be used as living operational tools rather than static documentation created at release. Automatically generated build-time SBOMs can be linked to CVE and CVSS data, then monitored over time as vulnerabilities emerge across kernels, bootloaders, user-space packages, libraries, and device-specific software stacks.
Digi ConnectCore Security Services provide curated monthly reports, configuration-specific vulnerability filtering, SBOM analysis, CVE monitoring, binary image scans, and a Yocto security layer with pre-integrated patches for the board support package, Linux kernel, and bootloader. ByteSnap adds integration, test, platform support, kernel migration, BSP work, release packaging, OTA update support, secure boot, encrypted filesystems, and TrustFence-related implementation support.
Embedded security programmes are often slowed by the volume of vulnerability information rather than the absence of it. A medical or industrial device maker can receive thousands of CVE alerts, many irrelevant to its exact configuration, while still lacking the engineering capacity to determine which issues apply, which patches are safe, and how updates should be validated before deployment.
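The two preceding paragraphs describe the mechanics behind an SBOM used as a living tool: components from a build-time SBOM are matched against a vulnerability feed, version ranges decide whether the shipped build is actually affected, configuration-specific filtering drops issues whose code paths are compiled out, and CVSS ranks what remains. The following Python is an added illustration of that triage loop, not code from ByteSnap, Digi, or the ConnectCore services. The SBOM, the device configuration, the feed records, and the CVE identifiers (prefixed `CVE-EXAMPLE-`) are all constructed placeholders; real pipelines would read a CycloneDX or SPDX document and an NVD or vendor feed instead.

```python
"""Triage a build-time SBOM against a vulnerability feed.

Every record below is constructed for illustration. The CVE ids are
placeholders, not real advisories, and the version ranges are invented.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.15.120' into (5, 15, 120). Parsing stops at the first
    non-numeric piece, so '2.38-r1' compares as (2, 38). Adequate for the
    constructed data here; a real pipeline would use distro-aware comparison."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits or not piece.isdigit():
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed.
    A record with no fix yet is treated as affecting everything from
    'introduced' onward, which is what a monitor wants to keep visible."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass
class Finding:
    cve_id: str
    component: str
    version: str
    cvss: float
    fixed_in: Optional[str]

    @property
    def severity(self) -> str:
        """CVSS v3 qualitative bands."""
        if self.cvss >= 9.0:
            return "critical"
        if self.cvss >= 7.0:
            return "high"
        if self.cvss >= 4.0:
            return "medium"
        return "low"


@dataclass
class TriageResult:
    findings: List[Finding] = field(default_factory=list)
    # Why each non-applicable record was dropped; this tally is the
    # "thousands of alerts, most irrelevant" picture in numbers.
    dropped: Dict[str, int] = field(default_factory=dict)


# Constructed SBOM, shaped like a trimmed CycloneDX "components" list.
SBOM = {
    "components": [
        {"name": "linux-kernel", "version": "5.15.120"},
        {"name": "u-boot", "version": "2022.04"},
        {"name": "openssl", "version": "3.0.8"},
        {"name": "busybox", "version": "1.36.0"},
    ]
}

# Constructed device configuration: which kernel/board features this build enables.
DEVICE_CONFIG = {"CONFIG_BT": False, "CONFIG_USB_GADGET": True}

# Constructed feed. "requires" lists config options the vulnerable code path needs.
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "package": "linux-kernel", "introduced": "5.10",
     "fixed": "5.15.130", "cvss": 7.8, "requires": ["CONFIG_BT"]},
    {"id": "CVE-EXAMPLE-0002", "package": "linux-kernel", "introduced": "5.15",
     "fixed": "5.15.125", "cvss": 8.8, "requires": ["CONFIG_USB_GADGET"]},
    {"id": "CVE-EXAMPLE-0003", "package": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.9", "cvss": 9.8, "requires": []},
    {"id": "CVE-EXAMPLE-0004", "package": "openssl", "introduced": "1.1.0",
     "fixed": "1.1.2", "cvss": 7.5, "requires": []},          # other branch
    {"id": "CVE-EXAMPLE-0005", "package": "zlib", "introduced": "1.2.0",
     "fixed": None, "cvss": 6.5, "requires": []},             # not in this build
    {"id": "CVE-EXAMPLE-0006", "package": "u-boot", "introduced": "2020.01",
     "fixed": "2022.01", "cvss": 5.3, "requires": []},        # already fixed
]


def triage(sbom: dict, feed: List[dict], config: Dict[str, bool]) -> TriageResult:
    """Keep only records that hit an installed component, within an affected
    version range, with the required configuration enabled; rank by CVSS."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    result = TriageResult(dropped={"not_in_sbom": 0, "version_not_affected": 0,
                                   "config_not_enabled": 0})
    for vuln in feed:
        version = installed.get(vuln["package"])
        if version is None:
            result.dropped["not_in_sbom"] += 1
            continue
        if not is_affected(version, vuln["introduced"], vuln["fixed"]):
            result.dropped["version_not_affected"] += 1
            continue
        if not all(config.get(flag, False) for flag in vuln["requires"]):
            result.dropped["config_not_enabled"] += 1
            continue
        result.findings.append(Finding(vuln["id"], vuln["package"], version,
                                       vuln["cvss"], vuln["fixed"]))
    result.findings.sort(key=lambda f: f.cvss, reverse=True)
    return result


if __name__ == "__main__":
    report = triage(SBOM, VULN_FEED, DEVICE_CONFIG)
    for f in report.findings:
        print(f"{f.severity:8} {f.cve_id} {f.component} {f.version} -> fix in {f.fixed_in}")
    print("dropped:", report.dropped)
```

Run against the constructed data, six feed records collapse to two actionable findings (the OpenSSL issue first at CVSS 9.8, then the USB gadget kernel issue), while the Bluetooth kernel record is dropped because the build does not enable that subsystem. Re-running the same triage whenever the feed changes, with the SBOM held fixed per release, is what turns the document into a monitoring input rather than a release artefact.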
The regulatory environment is becoming less forgiving. Medical device cybersecurity requirements in the US, the EU Cyber Resilience Act, and wider network and digital resilience obligations are pushing manufacturers toward documented risk management, vulnerability surveillance, SBOM discipline, and field patching capability throughout the product lifecycle. Those requirements reach directly into engineering decisions, because secure update mechanisms, maintainable software architectures, and lifecycle evidence have to be designed into the product.
The shift from hospital-based equipment to home-based connected medical deployments adds further pressure. Devices that once sat behind managed clinical networks now operate in less controlled environments, often with consumer broadband, remote monitoring, mobile apps, and longer support expectations. Similar pressures are visible in automotive, defence, energy, and industrial control, where connected devices must remain secure without assuming regular physical access.
SBOMs do not secure a device on their own. Their value comes from making software composition visible enough for risk decisions, patch planning, and audit evidence. ByteSnap and Digi’s approach reflects the direction embedded design is taking: security is becoming an operating model for the full life of the device, rather than a release milestone reached shortly before shipment.