The proliferation of third-party software components such as open source software (OSS) has triggered a growing need to keep track of it all. Why? Because when security vulnerabilities inevitably crop up in open source components, it's important to know whether your company uses that piece of code, whether directly or through the myriad transitive dependencies inherent in open source. This has become a major concern for organizations and governments alike, as serious zero-day vulnerabilities like Log4j (Log4Shell) and Spring4Shell and software supply chain attacks such as SolarWinds have led to fresh calls for improved governance and accountability in how software is used and shared.
One key tactic is to produce a software bill of materials (SBOM), which itemizes all components of an organization's code base. In fact, President Biden issued an executive order (EO 14028) directing the National Telecommunications and Information Administration (NTIA) to publish the minimum elements of an SBOM and requiring vendors that sell software to the U.S. Government to provide one. Similarly, the U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the Cybersecurity and Infrastructure Security Agency (CISA) have recently and actively sought input on addressing weaknesses in software, increasing visibility into software supply chains, and building new risk assessment capabilities, in response to the growing threat of cyber-attacks. All of these agencies encourage the development and availability of automated SBOMs as one of the most significant ways to catalog software components as part of every organization's security efforts.
The private sector is also starting to follow this trend. Gartner estimates that “by 2025, 60 percent of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20 percent in 2022.”
The Linux Foundation makes an even bolder claim: by the end of 2022, SBOM penetration across organizations will have risen to 78 percent, and growth will continue in 2023, driving penetration up to 88 percent.
With this escalation in mind, the question arises: how can we make SBOMs easier to use and more effective in safeguarding your software supply chain?
In an ideal world, users would simply go into their user interface and click a button to generate an SBOM that would be ready in minutes or hours, depending on the size of the organization and the scope of the software. In reality, this rarely happens. The main challenge is organizing and converting the underlying data into one of the formats used by SBOMs. The formats named in the NTIA's minimum elements are SPDX (Software Package Data Exchange), CycloneDX, and SWID (Software Identification) tags. All of them aim to identify and document the components of a piece of software, but they differ in structure, in how they identify a component, and in the level of detail they carry. The problem is that converting and organizing the data into the right format is often tricky, and users have frequently had to rely on workarounds to generate an SBOM.
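To make the conversion problem concrete, here is an added example (not Mend's code or API) that takes a small dependency inventory and emits the same data as both a CycloneDX 1.4 JSON BOM and an SPDX 2.3 JSON document, then answers the question the first paragraph raises: is a given package, such as log4j-core, present, and at which versions? The inventory layout, the application name, the "inventory-to-sbom" tool name and the example.com document namespace are assumptions made for illustration; the output field names are the real CycloneDX and SPDX JSON field names. Note the two places where the formats genuinely differ: CycloneDX can use the package URL (purl) directly as a `bom-ref`, whereas SPDX identifiers may only contain letters, digits, `.` and `-`, so the purl has to be mangled and carried separately as an external reference.

```python
"""Convert a dependency inventory into CycloneDX 1.4 and SPDX 2.3 JSON.
Added illustration, not Mend's API; INVENTORY layout and tool name are assumptions."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample inventory of the kind a dependency scanner emits.
INVENTORY = {
    "application": {"name": "payments-service", "version": "3.2.0"},
    "packages": [
        {"type": "maven", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "license": "Apache-2.0", "depends_on": []},
        {"type": "maven", "group": "org.springframework", "name": "spring-core",
         "version": "5.3.17", "license": "Apache-2.0",
         "depends_on": ["pkg:maven/org.springframework/spring-jcl@5.3.17"]},
        {"type": "maven", "group": "org.springframework", "name": "spring-jcl",
         "version": "5.3.17", "license": "Apache-2.0", "depends_on": []},
    ],
}

def purl(pkg):
    """Package URL (what advisories key on); assumes no chars needing percent-encoding."""
    namespace = f"{pkg['group']}/" if pkg.get("group") else ""
    return f"pkg:{pkg['type']}/{namespace}{pkg['name']}@{pkg['version']}"

def root_dependencies(inv):
    """Packages nothing else depends on are direct dependencies of the application."""
    children = {d for p in inv["packages"] for d in p.get("depends_on", [])}
    return [purl(p) for p in inv["packages"] if purl(p) not in children]

def to_cyclonedx(inv, now=None):
    now = now or datetime.now(timezone.utc)
    app = inv["application"]
    app_ref = f"{app['name']}@{app['version']}"
    components = []
    dependencies = [{"ref": app_ref, "dependsOn": root_dependencies(inv)}]
    for pkg in inv["packages"]:
        ref = purl(pkg)  # the purl doubles as the bom-ref the dependency graph points at
        comp = {"type": "library", "bom-ref": ref, "name": pkg["name"], "purl": ref,
                "version": pkg["version"], "licenses": [{"license": {"id": pkg["license"]}}]}
        if pkg.get("group"):
            comp["group"] = pkg["group"]
        components.append(comp)
        dependencies.append({"ref": ref, "dependsOn": list(pkg.get("depends_on", []))})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "component": {"type": "application", "bom-ref": app_ref,
                                   "name": app["name"], "version": app["version"]}},
        "components": components, "dependencies": dependencies,
    }

def spdx_id(text):
    """SPDX identifiers allow only letters, digits, '.' and '-', so purls get mangled."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", text)

def spdx_package(name, spdxid, version, declared="NOASSERTION", ref=None):
    pkg = {"name": name, "SPDXID": spdxid, "versionInfo": version,
           "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
           "licenseConcluded": "NOASSERTION", "licenseDeclared": declared,
           "copyrightText": "NOASSERTION"}
    if ref:  # keep the purl so consumers can still match advisories against it
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl", "referenceLocator": ref}]
    return pkg

def rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}

def to_spdx(inv, now=None):
    now = now or datetime.now(timezone.utc)
    app = inv["application"]
    app_id = spdx_id(f"Application-{app['name']}")
    packages = [spdx_package(app["name"], app_id, app["version"])]
    relationships = [rel("SPDXRef-DOCUMENT", "DESCRIBES", app_id)]
    roots = set(root_dependencies(inv))
    for pkg in inv["packages"]:
        ref, pid = purl(pkg), spdx_id(purl(pkg))
        packages.append(spdx_package(pkg["name"], pid, pkg["version"], pkg["license"], ref))
        if ref in roots:
            relationships.append(rel(app_id, "DEPENDS_ON", pid))
        for child in pkg.get("depends_on", []):
            relationships.append(rel(pid, "DEPENDS_ON", spdx_id(child)))
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": f"{app['name']}-{app['version']}",
            "documentNamespace": f"https://example.com/spdx/{uuid.uuid4()}",  # placeholder URI
            "creationInfo": {"created": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "creators": ["Tool: inventory-to-sbom-0.1"]},
            "packages": packages, "relationships": relationships}

def find_versions(bom, name, group=None):
    """The Log4j question: is package X in this CycloneDX BOM, and at which versions?"""
    return sorted(c["version"] for c in bom["components"]
                  if c["name"] == name and (group is None or c.get("group") == group))

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(INVENTORY), indent=2))
    print(json.dumps(to_spdx(INVENTORY), indent=2))
```

Two checks worth keeping in any real pipeline: every `ref` and `dependsOn` entry in the CycloneDX dependency graph must resolve to a `bom-ref` in the same document, and every SPDX `SPDXID` must match `SPDXRef-[A-Za-z0-9.-]+`; the official CycloneDX and SPDX validators will reject documents that violate either, which is exactly the "wrong format" failure the text describes.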
The fastest, most accurate, and most efficient way of converting the data into the desired format is a tool that can do so programmatically and automatically within your developers’ build and release process. That’s why at Mend, we’ve created an API that can do this.
Previously, Mend users could take an inventory that resembled a bill of materials and translate it to the SPDX standard using our professional services CLI tool. While that was helpful, it wasn't a fully automated process. With the API, the process is native to Mend SBOM, which generates the SBOM automatically. Users are no longer reliant on the professional services tool alone, and converting the data to the right standard is faster and simpler. Moreover, it gives users the additional option of creating SBOMs programmatically within their build process.
This helps mitigate a classic pain point for so many organizations: ineffective use of time and team hours. Put simply, we're adding convenience and making our customers' lives easier, while making their business and software development more visible and more accountable.