In its recent Innovation Insight for SBOMs report,* Gartner highlights the benefits of using software bills of materials (SBOMs) to secure modern, fast-paced DevOps pipelines. SBOMs shed light on blind spots in the software supply chain by enumerating all proprietary and open source components and enable the effective mitigation of risks. Without this visibility, organizations’ software supply chains are left exposed to potential security vulnerabilities, quality issues, and compliance risks.
Improving software supply chain security with an SBOM
Attackers are increasingly targeting software development systems, open source artifacts, and DevOps pipelines to compromise software supply chains and the downstream organizations that depend on them. The gaps in the software delivery process were on display with the recent discovery of the Apache Log4j vulnerability, when many organizations could not readily determine where the affected library was bundled inside their own applications.
In the face of the growing number and sophistication of these attacks, organizations must develop a solid software supply chain security strategy that is both proactive and defensive. To mitigate the variety of supply chain risks, Gartner recommends the adoption of SBOMs:
“SBOMs improve the visibility, transparency, security, and integrity of proprietary and open source code in software supply chains. To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle.”
Three elements for SBOM functionality
The Gartner report outlines the minimum foundations for an SBOM, as issued by the US Department of Commerce and the National Telecommunications and Information Administration (NTIA). This foundation consists of three key sections:
Data fields
According to the NTIA, these fields must identify each component well enough to track it across the supply chain and to map it to other useful data sources, such as vulnerability databases or license databases. The minimum set is: supplier name, component name, version of the component, other unique identifiers (for example a package URL or CPE), dependency relationship, author of the SBOM data, and a timestamp.
Automation support
This section identifies three data formats that organizations should use when they generate and exchange SBOMs across organizational boundaries. The NTIA selected them because each is both human-readable and machine-readable, is interoperable for the core data fields, and uses a common data syntax. The formats identified are Software Package Data Exchange (SPDX), CycloneDX, and Software Identification (SWID) Tags.
Practices and processes
The NTIA outlines six practices for how and when SBOMs should be updated and delivered: frequency, depth, known unknowns, distribution and delivery, access control, and accommodation of mistakes. A new SBOM must be generated each time a software component is updated with a new build or release, and it should include both the top-level components and their transitive dependencies. Where a dependency's own dependencies cannot be enumerated, the SBOM should say so explicitly rather than leave the gap unmarked.
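The data fields, the CycloneDX format, and the "known unknowns" practice above can be exercised together with a small checker. The following is an added example, not code from the page or from Aqua/Argon: it loads a CycloneDX JSON document, reports which NTIA minimum fields are missing, maps each component's package URL against an advisory feed, and walks the dependency graph to show how a vulnerable component is reached. The SBOM, the component names (`orders-api`, `http-client`, `codec-core`, `jwt-utils`) and the advisory entries are all constructed for the example; the version-range comparison assumes plain dotted numeric versions.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements and match
its components to an advisory feed. Added example; all data is constructed."""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical service. jwt-utils has no
# version or supplier, so the minimum-elements check has something to report.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {
    "timestamp": "2022-03-01T10:00:00Z",
    "authors": [{"name": "build-pipeline"}],
    "component": {"type": "application", "name": "orders-api", "version": "3.2.0",
                  "bom-ref": "pkg:generic/example/orders-api@3.2.0"}
  },
  "components": [
    {"type": "library", "name": "http-client", "version": "1.4.2",
     "supplier": {"name": "Example Org"},
     "purl": "pkg:maven/org.example/http-client@1.4.2",
     "bom-ref": "pkg:maven/org.example/http-client@1.4.2"},
    {"type": "library", "name": "codec-core", "version": "0.9.1",
     "supplier": {"name": "Example Org"},
     "purl": "pkg:maven/org.example/codec-core@0.9.1",
     "bom-ref": "pkg:maven/org.example/codec-core@0.9.1"},
    {"type": "library", "name": "jwt-utils",
     "purl": "pkg:maven/org.example/jwt-utils",
     "bom-ref": "pkg:maven/org.example/jwt-utils"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example/orders-api@3.2.0",
     "dependsOn": ["pkg:maven/org.example/http-client@1.4.2",
                   "pkg:maven/org.example/jwt-utils"]},
    {"ref": "pkg:maven/org.example/http-client@1.4.2",
     "dependsOn": ["pkg:maven/org.example/codec-core@0.9.1"]}
  ]
}
"""

# Constructed advisory feed: (id, purl without version, introduced, fixed).
ADVISORIES = [
    ("EXAMPLE-2022-001", "pkg:maven/org.example/codec-core", "0.8.0", "0.9.3"),
    ("EXAMPLE-2022-002", "pkg:maven/org.example/http-client", "2.0.0", "2.1.0"),
]


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def check_minimum_elements(sbom):
    """Return findings for NTIA minimum data fields missing from the SBOM."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("metadata: missing author of SBOM data")
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    declared = set()
    for c in sbom.get("components", []):
        ref = c.get("bom-ref", c.get("name", "?"))
        declared.add(ref)
        for field in ("name", "version", "purl"):   # purl = unique identifier
            if not c.get(field):
                findings.append(f"{ref}: missing {field}")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
    # Dependency relationship: every declared component must appear in the graph.
    referenced = set()
    for d in sbom.get("dependencies", []):
        referenced.add(d["ref"])
        referenced.update(d.get("dependsOn", []))
    for ref in sorted(declared - referenced):
        findings.append(f"{ref}: not referenced in dependency graph")
    return findings


def version_tuple(v):
    # Assumption: plain dotted numeric versions (no pre-release suffixes).
    return tuple(int(p) for p in v.split("."))


def match_advisories(sbom, advisories):
    """Return (advisory id, purl) pairs for components in an affected range."""
    hits = []
    for c in sbom.get("components", []):
        purl, version = c.get("purl", ""), c.get("version")
        if not version:
            continue  # a "known unknown": cannot assess without a version
        base = purl.split("@")[0]
        for adv_id, adv_purl, introduced, fixed in advisories:
            if base == adv_purl and \
               version_tuple(introduced) <= version_tuple(version) < version_tuple(fixed):
                hits.append((adv_id, purl))
    return hits


def paths_to(sbom, target):
    """Return every dependency path from the root component to target."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path + [node])
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency declarations
                walk(child, path + [node])

    walk(root, [])
    return paths


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    for f in check_minimum_elements(sbom):
        print("FINDING", f)
    for adv_id, purl in match_advisories(sbom, ADVISORIES):
        print("VULNERABLE", adv_id, purl, "via", paths_to(sbom, purl))
```

Running it reports that `jwt-utils` is missing a version and a supplier name, and that `codec-core@0.9.1` falls in the affected range of `EXAMPLE-2022-001`, reached through `orders-api -> http-client -> codec-core`. The version-less component is deliberately skipped rather than silently treated as safe; in a real pipeline that is the point where the "known unknowns" practice applies and the gap should be surfaced to the consumer.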
These three elements are the baseline expected of software suppliers that work with the US federal government. However, enterprises of all sizes are encouraged to adopt them as basic software hygiene.
The need for SBOMs
In a complex DevSecOps environment, with multiple teams and rapid release cycles, it is difficult to maintain full visibility into the risks in the software supply chain. SBOMs help organizations reduce those risks: they provide transparency into the software components used in applications, speed up the identification and remediation of vulnerabilities in those components, and help demonstrate compliance with government regulations.
As modern cloud native applications continue to be assembled from a multitude of open source components across the software development life cycle, SBOMs have become vital to establishing the integrity and provenance of the software supply chain.
Try an SBOM with Aqua’s supply chain security
As the leading software supply chain security company and pioneer in the market, Argon, now an Aqua Security company, was the first to release its SBOM manifest solution as part of the code-tampering prevention in the patent-pending Code Integrity Engine in 2021. The Argon SBOM manifest enables teams to identify dependencies and detect key risks in the artifact development process. This allows the implementation of a strict security evaluation of artifacts and the effective mitigation of security threats once discovered.
To learn more about SBOMs, read the full Gartner report.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.