SBOM (Software Bill of Materials) — Part I, Introduction.

3 min readSep 26, 2024

Intro

In cybersecurity, an SBOM (Software Bill of Materials) is a critical document that lists the components used in building a software application, including libraries, frameworks, and dependencies.

It’s like an “ingredient list” for software, showing the underlying open source and proprietary components that comprise a given piece of software. With it, organisations can better understand, manage, and secure their applications.

Importance of SBOM in Cybersecurity

An incident that led the U.S. government to require SBOMs from their vendors to secure the software supply chain happened in 2020. It involved an internationally popular Network Management System (NMS) in both the public and private sector. About 18,000 customers were compromised, but only a few suffered secondary attacks. The attack cost the provider millions of dollars, but with it came improved industry standards to ensure security is implemented throughout the software development process and maintained properly to prevent vulnerabilities from being exploited.

Importance of SBOM in Cybersecurity:

Transparency: SBOMs provide a clear understanding of what components make up software. This transparency helps identify known vulnerabilities in open-source libraries or third-party components.
Vulnerability Management: SBOMs allow organisations to quickly assess whether they are affected by newly discovered vulnerabilities.
Compliance: Many security standards and regulations are starting to require SBOMs to ensure secure software development practices.
Risk Management: By maintaining an SBOM, companies can reduce the risk of using unverified or outdated components.
Incident Response: In case of a cyberattack, having an SBOM enables faster identification of vulnerable components, facilitating quicker patching or mitigation.

SBOM Standards and Tools.

SBOM Standards

CycloneDX: A lightweight standard for the creation of SBOMs that focuses on security.
SPDX (Software Package Data Exchange): A widely-used standard for documenting open-source licensing, now extended to include vulnerability tracking.
SWID (Software Identification): Used by organisations like NIST to track and manage software assets.

Tools for SBOM Creation and Management

There are both commercial and open-source tools that help organisations create, maintain, and manage SBOMs.

Some open-source tools:

Syft (by Anchore): Syft generates SBOMs for container images and filesystems. It supports CycloneDX and SPDX formats and integrates with vulnerability management tools like Grype.
Reference: https://github.com/anchore/syft
CycloneDX CLI: A command-line tool to generate SBOMs in the CycloneDX format for various package types like Java, JavaScript, Python, and .NET.
Reference: https://github.com/CycloneDX/cyclonedx-cli
OWASP Dependency-Check: An open-source tool that identifies dependencies in project files and checks them against known vulnerabilities.
Reference: https://owasp.org/www-project-dependency-check
SPDX Tools: A set of open-source utilities for creating and analysing SPDX documents.
Refernce: https://github.com/spdx/tools

Commercial tools:

Snyk: Provides vulnerability scanning and license compliance checking based on SBOMs. It integrates well with developer workflows (CI/CD pipelines) and covers a wide range of languages (https://snyk.io). Also see previous SOCFortress blog entry here.
FOSSA: Focused on managing open-source compliance, security, and SBOM generation. It supports automated SBOM generation as part of CI/CD pipelines (https://fossa.com)
Black Duck (by Synopsys): Helps manage open-source components’ security and license risks. It also supports compliance with open-source licenses (https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html)
JFrog Xray: Provides security scanning and license compliance for container images and artifacts. It also generates SBOMs and supports several SBOM formats (https://jfrog.com/xray/)
Anchore Enterprise: The enterprise version of Anchore includes advanced features for SBOM management, vulnerability scanning, and integration into CI/CD pipelines (https://anchore.com/)

Best Practices for Implementing SBOMs in Organisations

SBOMs are becoming increasingly important for both internal security and compliance with regulations such as the U.S. Executive Order on Improving the Nation’s Cybersecurity, which has spurred greater SBOM adoption across industries.

Some best practices include:

Automate SBOM Generation: Integrate SBOM generation into CI/CD pipelines to ensure every build has an up-to-date SBOM.
Use SBOM for Continuous Monitoring: Regularly scan the SBOM for newly discovered vulnerabilities in dependencies.
Align with Standards: Adopt SBOM standards like SPDX or CycloneDX to ensure interoperability and compliance.
Review and Manage Open Source Licensing: Use SBOMs to monitor open-source licenses and ensure compliance.
Incident Response: Maintain an updated SBOM to quickly assess your risk exposure during security incidents.

What’s next?

In the next blog entry we’ll start describing how SOCFortress can help organisations by leveraging some of the open-source tools described earlier in this article and getting real time data that’ll allow you to create, maintain, and manage SBOMs, with a special focus on cybersecurity.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/