Are we using the package or using something that is using it?
Answering this question confidently for your own software's direct dependencies can be hard. Answering it confidently for everything they depend on, and everything those depend on (and so on!), is very, very hard.
What’s the solution?
Introducing a Software Bill of Materials (SBOM). An SBOM is an artefact that details each package, dependency and library used to create your software, including each of its downstream dependencies. Think of it as a transparent blueprint, showing how your organisation's software is built up.
Not just a nice-to-have
The EU Cyber Resilience Act (September 2022)
In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials.
Executive Order on Improving the Nation's Cybersecurity (May 2021)
providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
With the EU Cyber Resilience Act and the Executive Order in mind, being able to evidence a software bill of materials is becoming a cornerstone of application security, contract negotiation and compliance.
What makes up an SBOM?
Alongside the names of packages in your software and its downstream constituent parts, a comprehensive SBOM includes many other useful pieces of information. These include:
- Version: The version of the package in use (this is a key piece of information!).
- Publication licence: This helps businesses understand whether they are using packages in a way their licence does not permit, e.g. taking an open source component and closed-sourcing it or distributing it.
- Author and Origin: Information on where the package can be obtained and how to contact the author.
- Publication dates and latest available versions: Helping to paint a picture of how old (or not!) the package in use may be.
- Support information: Details on whether the package is still in active support, long term support or has reached end of life.
With an accurate software bill of materials, understanding whether your business (or one of your supply chain dependencies) is using a particular version of a package becomes an easy task.
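As an added example (not code from this page or from Vulnerabilities.io), the following Python answers the opening question, "are we using the package or using something that is using it?", by walking the dependency graph of a small constructed SBOM in a CycloneDX-style JSON layout (components plus a `dependencies` list of `ref`/`dependsOn` entries). The package names, versions and graph are made up for illustration.

```python
# Constructed sample SBOM (assumption: CycloneDX-style layout, not a real
# project's bill of materials). Each component carries a name and version,
# and "dependencies" records which bom-ref depends on which.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:npm/my-app@1.0.0",
                               "name": "my-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0"},
        {"bom-ref": "pkg:npm/log-helper@2.1.0", "name": "log-helper", "version": "2.1.0"},
        {"bom-ref": "pkg:npm/string-utils@0.9.1", "name": "string-utils", "version": "0.9.1"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/my-app@1.0.0", "dependsOn": ["pkg:npm/web-framework@4.2.0"]},
        {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/log-helper@2.1.0"]},
        {"ref": "pkg:npm/log-helper@2.1.0", "dependsOn": ["pkg:npm/string-utils@0.9.1"]},
        {"ref": "pkg:npm/string-utils@0.9.1", "dependsOn": []},
    ],
}


def find_package_paths(sbom, name, version=None):
    """Return every dependency chain (as a list of component names) from the
    root component down to a component called `name`, optionally restricted
    to `version`. An empty list means the package is not used at all; a chain
    longer than two names means it is pulled in transitively."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    root = sbom["metadata"]["component"]
    by_ref[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    paths = []

    def walk(ref, chain):
        chain = chain + [ref]
        comp = by_ref.get(ref, {})
        if comp.get("name") == name and (version is None or comp.get("version") == version):
            paths.append([by_ref[r]["name"] for r in chain])
        for child in edges.get(ref, []):
            if child not in chain:  # guard against cyclic dependency graphs
                walk(child, chain)

    walk(root["bom-ref"], [])
    return paths


if __name__ == "__main__":
    for path in find_package_paths(SAMPLE_SBOM, "string-utils", "0.9.1"):
        print(" -> ".join(path))  # my-app -> web-framework -> log-helper -> string-utils
```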
The SBOM must be complete and real-time
Traditional methods of producing a software bill of materials are manual, point-in-time and limited in their system coverage. As a result, they are out of date the moment someone changes an application.
Vulnerabilities.io is designed to cover your entire software estate through integrations with each of your source control systems. SBOMs are real-time and available at any time at the click of a button.