Three waves hitting medical devices: MITRE has one answer

MITRE's new paper, Cybersecurity Risk Analysis for Medical Devices in the Era of Evolving Technologies (April 2026, public release 26-0682), is worth reading end to end. Three technology fronts. One throughline.

Across all three, the paper keeps returning to the same foundational practices: SBOMs and threat modeling, extended to cover the new components these technologies introduce.

For cloud-based devices, MITRE is specific: SBOMs should include VMs, containers, every layer of the container image, the machine image, and cloud-native services. Threat models should cover the full cloud stack.

For AI/ML, the same discipline applied to a different set of artifacts: training data, models, weights, prompts, inference pipelines, with data integrity and provenance across the lifecycle as the central concern.

For PQC, the paper calls out automated cryptographic discovery and inventory (ACDI) as a capability gap, with a pointed caveat: today's ACDI tools are built for enterprise IT, not medical devices or specialized clinical systems.

The summary puts it plainly: managing these risks doesn't require a new approach. It requires extending the ones MDMs already have.

That tracks with what we're seeing across the medical device programs we work with. The teams getting ahead of FDA QMSR, EU CRA, and PQC migration aren't reinventing their SDLC. They're making their SBOMs and threat models broader, with cloud components, ML artifacts, and cryptographic inventory all treated as first-class entries.

The paper cites the Elekta incident as the reminder of what happens when that extension doesn't occur: one cloud compromise reaching 170+ cancer treatment facilities.

MITRE FFRDC work tends to land where FDA guidance goes next.

Source: https://lnkd.in/gZCpQ8B7 #SBOM #MITRE #Interlynk #MedicalDeviceSecurity #FDA
Interlynk
Computer and Network Security
Menlo Park, CA 772 followers
SBOM & supply chain security for regulated products
About us
Interlynk is the SBOM and software supply chain security platform for teams building products under FDA 524B, EU CRA, IEC 62304, PCI-DSS4, SEBI CSCRF and DORA. We automate the evidence regulators actually ask for — SBOMs, AIBOM, CryptoBOM, VEX, and regulatory documentation — as build output, not paperwork. Our open-source SBOM tooling is referenced by U.S. CISA, Germany's BSI, and Korea's KISA and used by thousands of DevSecOps pipelines on five continents.
- Website
- https://www.interlynk.io
- Industry
- Computer and Network Security
- Company size
- 11-50 employees
- Headquarters
- Menlo Park, CA
- Type
- Privately Held
- Founded
- 2022
- Specialties
- VEX, Compliance, Open Source Security, SPDX, CycloneDX, SBOM Automation, AIBOM, CryptoBOM, FDA Cybersecurity Compliance, IEC 62304, EU Cyber Resilience Act, SaMD, SiMD, Open Source Compliance, Software Supply Chain Security, Third-Party Risk Management, Medical Device Security, CSCRF, PCI-DSS, ISO14971, DORA, NIS2, and CRA
Locations
- Primary
- Menlo Park, CA 94025, US
Updates
-
30 days after the LiteLLM compromise, another incident hits: today the Bitwarden CLI supply-chain compromise is driving renewed calls from the community for dependency cooldown windows to reduce exposure. https://lnkd.in/gcYsgdu2 Supply-chain attacks are no longer edge cases—they’re becoming part of normal operations. At Interlynk, we built cooldown policies that let you delay trust in newly released dependencies and reduce the blast radius of malicious or hijacked releases. https://lnkd.in/gwmtNu39 Stay safe.
-
With the recent wave of software supply chain attacks (axios, litellm), one mitigation that keeps you from being an early adopter of malicious packages is dependency cooldowns. In this blog, we show how SBOMs make that policy uniform, auditable, and enforceable. Blog: https://lnkd.in/gwmtNu39
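The cooldown policy the post describes, as an added example rather than Interlynk's own tooling: an SBOM-driven gate that refuses a build when any component's release is younger than the window for its ecosystem. The CycloneDX document, the package names, the policy numbers and the "example:published" property that carries each release's publish date are all constructed for this example; a real pipeline would fetch publish dates from the registry (npm, PyPI) rather than from the SBOM, and the property name is an assumption.

```python
"""Dependency cooldown gate over a CycloneDX SBOM.

Added example, not Interlynk's code. Release timestamps are attached as a
component property ("example:published") because generated SBOMs do not carry
publish dates; in a real pipeline they come from the registry API, and the
property name here is an assumption of this example.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX document with fictional package names and dates.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:npm/http-helper@4.2.0",
         "properties": [{"name": "example:published", "value": "2026-03-01T00:00:00Z"}]},
        {"type": "library", "purl": "pkg:npm/string-pad@2.0.1",
         "properties": [{"name": "example:published", "value": "2026-04-14T09:00:00Z"}]},
        {"type": "library", "purl": "pkg:pypi/yaml-loader@6.0.2",
         "properties": [{"name": "example:published", "value": "2026-04-11T00:00:00Z"}]},
        {"type": "library", "purl": "pkg:pypi/netclient@3.1.0",
         "properties": [{"name": "example:published", "value": "2026-04-08T00:00:00Z"}]},
        {"type": "library", "purl": "pkg:npm/hotfix-lib@1.0.1",
         "properties": [{"name": "example:published", "value": "2026-04-15T00:00:00Z"}]},
        {"type": "library", "purl": "pkg:cargo/serde-like@1.0.0"},  # no publish date known
    ],
})

# Cooldown policy: minimum age (days) a release must reach before a build may
# trust it. Waivers are explicit and carry a reason so a bypass leaves an audit trail.
POLICY = {
    "default_days": 14,
    "per_ecosystem": {"npm": 14, "pypi": 7},
    "waived": {"pkg:npm/hotfix-lib@1.0.1": "ticket SEC-123: vendor fix for an actively exploited bug"},
}

# Build time, fixed so the example is deterministic.
NOW = datetime(2026, 4, 16, tzinfo=timezone.utc)


def ecosystem_of(purl: str) -> str:
    """'pkg:npm/%40scope/name@1.0.0' -> 'npm' (the purl type)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def published_at(component: dict):
    """Publish timestamp from the example property, or None if absent."""
    for prop in component.get("properties", []):
        if prop.get("name") == "example:published":
            return datetime.fromisoformat(prop["value"].replace("Z", "+00:00"))
    return None


def evaluate_cooldown(sbom_json: str, policy: dict, now: datetime) -> list:
    """One finding per component with status ok / blocked / waived / unknown."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"purl": None, "status": "unknown", "reason": "component has no purl"})
            continue
        if purl in policy["waived"]:
            findings.append({"purl": purl, "status": "waived", "reason": policy["waived"][purl]})
            continue
        released = published_at(comp)
        if released is None:
            # Fail closed: a release whose age cannot be established has not
            # demonstrably passed the cooldown window.
            findings.append({"purl": purl, "status": "unknown", "reason": "no publish date available"})
            continue
        days = policy["per_ecosystem"].get(ecosystem_of(purl), policy["default_days"])
        window = timedelta(days=days)
        age = now - released
        status = "ok" if age >= window else "blocked"
        findings.append({"purl": purl, "status": status,
                         "reason": f"age {age.days}d, window {window.days}d"})
    return findings


def gate(findings: list) -> bool:
    """True only when every component is past its window or explicitly waived."""
    return all(f["status"] in ("ok", "waived") for f in findings)


if __name__ == "__main__":
    results = evaluate_cooldown(SAMPLE_SBOM, POLICY, NOW)
    for f in results:
        print(f"{f['status']:8} {f['purl']}  ({f['reason']})")
    print("build allowed:", gate(results))
```

Treating a missing publish date as "unknown" rather than "ok" is the design choice worth keeping: a cooldown that silently passes components it cannot date is exactly the gap a hijacked release would slip through.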
-
NVD has formally narrowed its CVE enrichment scope. If your triage pipeline depends on it — now you have a gap.

The National Vulnerability Database now prioritizes enrichment (CVSS v3.1, CWE, CPE applicability) for three categories only:
• CVEs in CISA's KEV catalog
• CVEs affecting federal government software
• CVEs for Critical Software under EO 14028

Everything else sits in a grey zone. For regulated industries — medical devices, critical infrastructure, enterprise software — many CVEs in your dependency tree may never be NVD-enriched at all. And triage without CVSS, CWE, or CPE data typically collapses into one of two failure modes: over-escalating (alert fatigue) or under-escalating (missed risk). Neither is acceptable.

Interlynk's approach:
1. Multi-source ingestion. Vulnerability and exploitability data from KEV, EPSS, OSV, GHSA, vendor advisories, and early exploit chatter from security research communities.
2. AI-powered correlation. An engine that fuses severity, exploitability evidence, and weakness context into one coherent risk view — even when NVD data is missing.
3. Context-aware customization. Customers tune risk scoring to their own product context and runtime behavior, because a CVE in an isolated internal service is not the same risk as one in an internet-facing control plane.

We are doubling down on both the correlation engine and the customer-driven risk customization in the coming weeks. Our commitment is straightforward: optimize the triage workload that actually reaches our customers — neither alert fatigue, nor under-escalation. Just the work that matters, in the context that matters.

NVD Update: https://lnkd.in/dunySkmK #SoftwareSupplyChain #SBOM #CVE #VulnerabilityManagement
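What triage without NVD enrichment looks like in code, as an added example and not Interlynk's correlation engine: findings whose CVSS is missing fall back to KEV membership and EPSS, deployment context moves the priority up or down, and a finding with no evidence at all is routed to a review queue instead of being scored silently low or silently critical. The CVE ids are placeholders, the findings and the product context are constructed, and the thresholds, the "exposure"/"reachable" fields and the P1..P4 ladder are assumptions of this example.

```python
"""Priority triage when NVD enrichment (CVSS/CWE/CPE) is absent.

Added example, not Interlynk's engine. Inputs are constructed findings with
placeholder CVE ids; the scoring thresholds and the deployment-context fields
("exposure", "reachable") are assumptions of this example.
"""

LADDER = ["low", "medium", "high", "critical"]
PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}

# Constructed: what a multi-source feed (NVD, KEV, EPSS) might yield.
# cvss=None models a CVE that NVD never enriched.
FINDINGS = [
    {"id": "CVE-EXAMPLE-1", "component": "pkg:pypi/imgparse@2.1.0", "cvss": 9.8, "in_kev": False, "epss": 0.02},
    {"id": "CVE-EXAMPLE-2", "component": "pkg:npm/http-helper@4.1.0", "cvss": None, "in_kev": True, "epss": 0.71},
    {"id": "CVE-EXAMPLE-3", "component": "pkg:npm/string-pad@2.0.0", "cvss": None, "in_kev": False, "epss": 0.91},
    {"id": "CVE-EXAMPLE-4", "component": "pkg:cargo/serde-like@1.0.0", "cvss": None, "in_kev": False, "epss": None},
    {"id": "CVE-EXAMPLE-5", "component": "pkg:pypi/netclient@3.1.0", "cvss": 4.3, "in_kev": False, "epss": 0.01},
]

# Constructed product context, keyed by component purl.
CONTEXT = {
    "pkg:pypi/imgparse@2.1.0": {"exposure": "isolated", "reachable": True},
    "pkg:npm/http-helper@4.1.0": {"exposure": "internet", "reachable": True},
    "pkg:npm/string-pad@2.0.0": {"exposure": "internet", "reachable": True},
    "pkg:cargo/serde-like@1.0.0": {"exposure": "internet", "reachable": True},
    "pkg:pypi/netclient@3.1.0": {"exposure": "internet", "reachable": False},
}


def base_severity(finding: dict):
    """Severity from the best evidence available; None when there is none."""
    cvss = finding.get("cvss")
    if cvss is not None:
        return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"
    epss = finding.get("epss")
    if epss is not None:
        # No CVSS: let exploit probability stand in. Thresholds are assumptions.
        return "critical" if epss >= 0.5 else "high" if epss >= 0.1 else "medium"
    return None


def triage(finding: dict, ctx: dict) -> dict:
    """Priority plus the reasons that produced it, so the decision is auditable."""
    if finding.get("in_kev"):
        return {"id": finding["id"], "priority": "P1", "reasons": ["listed in CISA KEV"]}
    sev = base_severity(finding)
    if sev is None:
        # Neither severity nor exploit evidence: route to a human queue rather
        # than scoring it low (under-escalation) or critical (alert fatigue).
        return {"id": finding["id"], "priority": "REVIEW", "reasons": ["no CVSS, EPSS or KEV evidence"]}
    source = "CVSS" if finding.get("cvss") is not None else "EPSS"
    reasons = [f"base {sev} from {source}"]
    level = LADDER.index(sev)
    exposure = ctx.get("exposure")
    if exposure == "internet":
        level = min(level + 1, len(LADDER) - 1)
        reasons.append("internet-facing: +1")
    elif exposure == "isolated":
        level = max(level - 1, 0)
        reasons.append("isolated: -1")
    if ctx.get("reachable") is False:
        level = max(level - 1, 0)
        reasons.append("vulnerable code not reachable: -1 (VEX not_affected candidate)")
    return {"id": finding["id"], "priority": PRIORITY[LADDER[level]], "reasons": reasons}


def triage_all(findings: list, context: dict) -> dict:
    """Map finding id -> triage result, using per-component context where known."""
    return {r["id"]: r for r in (triage(f, context.get(f["component"], {})) for f in findings)}


def workload(results: dict) -> dict:
    """Count per priority bucket: the queue an analyst actually sees."""
    counts = {}
    for r in results.values():
        counts[r["priority"]] = counts.get(r["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    out = triage_all(FINDINGS, CONTEXT)
    for r in out.values():
        print(r["id"], r["priority"], "; ".join(r["reasons"]))
    print(workload(out))
```

The separate REVIEW bucket is the point: it keeps un-enriched CVEs visible without inflating the P1 queue, and it gives a number to track (how many findings the feeds could not characterize) rather than letting them vanish into a default score.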
-
Interlynk reposted this
The SBOM broken record. SBOM will not solve all your security problems, pick up your dry cleaning, or leave your teeth bright and sparkling. But no one should build, use, buy, or operate software without having a decent, real-time understanding of what is in it. I have spent an unreasonable percentage of my career convincing people that knowing what's in your software is not a radical position.
The SBOM debate drives me crazy. It's not the technology. It's all the takes. Every few months the pendulum swings. Either SBOMs are going to revolutionize software security forever, or they're a useless compliance checkbox that nobody actually uses. Both camps are wrong, and both camps are exhausting.

I'm going to use the ubiquitous nutrition label analogy. Having an ingredient list doesn't magically prevent you from eating a sleeve of cookies. It does however inform folks who are concerned about calories or particular ingredients.

Here's what an SBOM actually is: a standardized, ecosystem-agnostic way of listing the dependencies and metadata about those dependencies for a particular piece of software, whether that's an application, a container image, an OS package, or some combination of all three. That's it. It doesn't matter if those dependencies are in Python, Rust, or Go. RPM or DEB. A single service or a stack of containers. An SBOM gives you a consistent, structured way to communicate that dependency data across tools, teams, and organizations. And yes, could an SCA scan fit that gap? Sure! But having the report in a standardized format? That's genuinely useful. Not world-changing. Not worthless. Useful.

And the real power? It compounds. SBOMs are valuable in a moment. Did this release include a vulnerable library? But they become significantly more powerful when you track how dependencies and their metadata change over time. A vulnerability was discovered. Did you fix it in the next version? How long did it sit there before you did? And across space, not just one project, but all of them. Did that vulnerable dependency show up in one service or a hundred? Did you patch it everywhere, or just in the places someone happened to notice?

That's the difference between having SBOMs and actually using them. One is a file. The other is organizational visibility. Neither panacea nor poison. Just a really solid building block, if you bother to build with it.
How are you all using SBOMs? If you're not, why not? If you hate them, I'd love to hear why. If you think they're the best thing since sliced bread, I'd like to hear that too.
-
Charlotte next week. MD&M South 2026. 3 conversations we want to have:
🔘 How your team maintains SBOMs across your product portfolio
🔘 What your CRA vulnerability reporting plan looks like before 2027
🔘 Where SBOM automation fits into your FDA premarket workflow
If any of these are on your radar, let's connect at the Charlotte Convention Center - April 22–23. DM us or drop a comment. We'll make time: https://lnkd.in/gbhJgF6p #MDMSouth #MedicalDevices #SBOM #Cybersecurity #CRA #MedTech
-
Most SBOM tools produce a confident-looking inventory for C/C++ projects. Most of those inventories are wrong. Interlynk CTO Ritesh Noronha shares an honest assessment of where embedded C/C++ SBOM generation stands in 2026 - what works, what breaks, and why a layered approach combining build-system analysis, fingerprinting, platform awareness, and developer context is the only realistic path forward. If you ship embedded software and care about SBOM accuracy, this one's for you. https://lnkd.in/gvZXBbFC #C #CPP #SBOM #EmbeddedSecurity
-
Astral’s security playbook shows something important: supply chain security is not a silver bullet, but a large part of it can be made visible, auditable, and enforceable with SBOMs, attestations, VEX, and dependency policies like cooldowns. We broke down where SBOMs meaningfully strengthen practices like dependency visibility, vulnerability handling, and release provenance, and where organizational controls still matter just as much. https://lnkd.in/gqygcCuC
-
🥚 Monthly Updates: Secure AI-assisted Development & FDA Webinar 🐇

Last month's npm axios and Trivy scanner supply chain attacks are a sharp reminder: the tools your team trusts can themselves become attack vectors. Interlynk's SBOM Automation & Compliance Platform is built to monitor and guard your software supply chain. Our monthly release shipped 14 enhancements focused on ecosystem coverage, onboarding automation, compliance exports, and tighter webhook-driven scanning. Plus, find us at MD&M South talking SBOM automation and FDA QMSR compliance.

Platform Release
----
🌐 Ecosystem Coverage: pkg:hex, pkg:composer, pkg:github
Interlynk now resolves and enriches Hex packages, surfacing age, license, and vulnerability data with no additional configuration required. New in this release:
• pkg:hex for Elixir/Erlang
• pkg:composer for PHP
• pkg:github for GitHub-hosted components
This is part of a broader commitment to supply chain visibility across every runtime your product touches.
----
🌐 Community Tier Onboarding
Interlynk's free community tier now reaches developers and security engineers across five continents, bringing SBOM automation to every corner of the software supply chain. With an updated flow, new users joining the community tier now move through a guided onboarding flow - automated SBOM ShareLynk creation, compliance selection, and scoring - with a fully redesigned dashboard that replaces hidden features with clear plan visibility and upgrade prompts. Easier evaluation, faster time-to-value for your team and your prospects. Give it a try: app.interlynk.io/register
----
🗂️ One-Click Compliance Report
Compliance reports can now be exported directly from the dashboard with a single click. No more manual screenshots or copy-paste into audit packages - get inspection-ready artifacts at the moment you need them.
Learn more about these releases here: https://lnkd.in/gV2F8mCr
----
🚨 In the News
Our take on why axios won't be the last - read it here: https://lnkd.in/gUzdGuj2
----
🎤 Interlynk at MD&M South
We're bringing the software supply chain security and compliance conversation to MD&M South, where connected device manufacturers are navigating the combined demands of FDA QMSR, IEC 62304, and cybersecurity premarket submissions. Come find us to discuss how continuous SBOM automation can replace the compliance fire drills - and what axios- and Trivy-style attacks mean for your vulnerability management program.
📍 MD&M South, Charlotte Convention Center, NC
📅 April 22-23
🤝 Book a Meeting here: https://lnkd.in/gbhJgF6p
Hope to see you there!
-
Interlynk reposted this
Anthropic just found a 27-year-old vulnerability in OpenBSD that no tool caught. Anthropic’s Glasswing shows what’s coming next: vulnerabilities will be discovered faster than most teams can even understand their exposure. This isn’t a detection problem anymore — it’s a visibility problem. When a new CVE drops, the real question is: can you answer “are we affected?” in hours… or are you still figuring out what you’re running? https://lnkd.in/gxD6Ech8
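Both the reposted SBOM piece above (tracking a dependency "across time and space": did you fix it in the next version, how long did it sit there, did it show up in one service or a hundred) and this post's "are we affected?" question come down to the same query over a collection of SBOMs. This added example, not code from Interlynk or from either author, indexes several CycloneDX documents by component purl and answers, per product, whether a vulnerable version range is present, which builds carried it, whether a later build fixed it and how many days it was exposed. The SBOMs, product names, package names and dates are constructed, and the version comparison is a simplified dotted-integer compare that is an assumption of this example (real ecosystems need their own version grammars).

```python
"""Cross-SBOM exposure query: which products carry a vulnerable component, since when,
and is it fixed yet?

Added example, not Interlynk's code. SBOMs and products are constructed; the
dotted-integer version compare is a simplification assumed for this example.
"""
import json
from datetime import datetime


def make_bom(product: str, version: str, built: str, purls: list) -> str:
    """Constructed CycloneDX document for one build of a fictional product."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"timestamp": built, "component": {"name": product, "version": version}},
        "components": [{"type": "library", "purl": p} for p in purls],
    })


# Four builds across three fictional products. infusion-ui moved off
# http-helper 4.1.0 in its 1.3.0 build; gateway never did; analytics never used it.
SBOMS = [
    make_bom("infusion-ui", "1.2.0", "2026-01-10T00:00:00Z",
             ["pkg:npm/http-helper@4.1.0", "pkg:npm/string-pad@2.0.0"]),
    make_bom("infusion-ui", "1.3.0", "2026-03-01T00:00:00Z",
             ["pkg:npm/http-helper@4.2.0", "pkg:npm/string-pad@2.0.0"]),
    make_bom("gateway", "2.0.0", "2026-02-15T00:00:00Z", ["pkg:npm/http-helper@4.1.0"]),
    make_bom("analytics", "0.9.0", "2026-03-20T00:00:00Z", ["pkg:pypi/netclient@3.1.0"]),
]


def split_purl(purl: str):
    """'pkg:npm/http-helper@4.1.0' -> ('pkg:npm/http-helper', '4.1.0')."""
    base, _, version = purl.rpartition("@")
    return base, version


def vtuple(version: str) -> tuple:
    """Simplified version ordering (assumption): '4.10.0' > '4.2.0'."""
    return tuple(int(x) for x in version.split("."))


def build_index(sbom_docs: list) -> dict:
    """{base_purl: [build records]} where a record says which product build used which version."""
    index = {}
    for raw in sbom_docs:
        doc = json.loads(raw)
        meta = doc["metadata"]
        build = {
            "product": meta["component"]["name"],
            "version": meta["component"]["version"],
            "built_at": datetime.fromisoformat(meta["timestamp"].replace("Z", "+00:00")),
        }
        for comp in doc.get("components", []):
            base, cver = split_purl(comp["purl"])
            index.setdefault(base, []).append({**build, "component_version": cver})
    return index


def all_products(index: dict) -> set:
    return {b["product"] for builds in index.values() for b in builds}


def exposure_report(index: dict, base_purl: str, fixed_version: str) -> dict:
    """Per product: not_present / not_affected / affected / fixed, with the timeline."""
    fixed = vtuple(fixed_version)
    report = {p: {"status": "not_present"} for p in all_products(index)}
    by_product = {}
    for b in index.get(base_purl, []):
        by_product.setdefault(b["product"], []).append(b)
    for product, builds in by_product.items():
        builds.sort(key=lambda b: b["built_at"])
        affected = [b for b in builds if vtuple(b["component_version"]) < fixed]
        if not affected:
            report[product] = {"status": "not_affected"}
            continue
        entry = {"affected_builds": [b["version"] for b in affected]}
        # First build after the last affected one that carries a fixed version.
        after = [b for b in builds
                 if b["built_at"] > affected[-1]["built_at"] and vtuple(b["component_version"]) >= fixed]
        if after:
            entry.update(status="fixed", fixed_in=after[0]["version"],
                         days_exposed=(after[0]["built_at"] - affected[0]["built_at"]).days)
        else:
            entry.update(status="affected", latest_build=builds[-1]["version"])
        report[product] = entry
    return report


if __name__ == "__main__":
    idx = build_index(SBOMS)
    for product, entry in sorted(exposure_report(idx, "pkg:npm/http-helper", "4.2.0").items()):
        print(product, entry)
```

The index is keyed by the version-less purl so a new advisory can be answered with one lookup; "days_exposed" and the products still marked "affected" are the two numbers the original post argues for tracking, and they only exist if every build's SBOM was kept, not just the current one.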