Ortelius Blog

Topics include Supply Chain Security, Vulnerability Management, Neat Tricks, and Contributor insights.

Understanding SBOM and their Use

by Jing Chen, Jesse Ku | 22 October 2024

What is SBOM?

SBOM stands for “Software Bill of Materials”. It is an important tool for software security and for managing risk within the software supply chain. An SBOM lists the components and software dependencies of a software package, including open-source and third-party components, to help developers better understand and manage their software (cisa.gov, 2024; L, 2024).

As modern software relies on numerous third-party components, it is crucial for companies to know exactly what is inside their software. This supports security and compliance, effective vulnerability management and a quick response to threats.

  • SBOMs are essential for identifying and mitigating security risks. If a vulnerability is found in a widely used library, organisations with an SBOM can quickly determine whether they are affected.
  • Many industries and regulations now require transparency in software development, particularly with open-source components. An SBOM helps ensure these compliance requirements are met.
  • Software supply chain risks have become more prominent (e.g. SolarWinds attack (2020), log4j vulnerability (2021)). SBOMs help organisations manage and track all third-party components within their software supply chain.

How Are SBOMs Used?

Here are the uses of SBOMs:

  • Companies can use SBOMs for regular security audits. They allow teams to monitor which components are in use and ensure none are outdated or vulnerable.
  • In the event of a cyberattack, an SBOM allows for quick identification of vulnerable components.
  • SBOMs provide insight into the licenses of third-party software. This is critical for ensuring companies comply with open-source license terms.
  • SBOMs can be integrated into DevSecOps pipelines to continuously monitor components throughout the software lifecycle, ensuring that security is built into every stage of development.

[Image: DevSecOps Workflow (Gittlen, 2024)]

  • SBOMs play a critical role in risk management by offering full visibility into software components, enabling proactive identification of security risks and facilitating timely updates or replacement of vulnerable components.
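Added example (not from the original post or the Ortelius project): a Python check that parses a constructed CycloneDX JSON SBOM and performs two of the jobs listed above, flagging any component that matches a hypothetical advisory at a version below its fix and listing components that carry a denied license. The SBOM contents, the advisory id and its fixed-in version are all constructed for illustration.

```python
import json
import re

# Constructed CycloneDX JSON SBOM with three sample components (not a real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "guava", "version": "31.1-jre",
     "purl": "pkg:maven/com.google.guava/guava@31.1-jre",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-lib", "version": "1.0.0",
     "purl": "pkg:npm/example-lib@1.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory: placeholder id and an illustrative fixed-in version (not a real advisory).
ADVISORY = {"id": "ADVISORY-PLACEHOLDER",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
            "fixed_in": "2.15.0"}

def version_key(version):
    """Turn the leading dotted numeric part of a version ('2.14.1', '31.1-jre') into a tuple."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(part) for part in numeric.group().split(".")) if numeric else ()

def load_components(sbom_json):
    """Parse the CycloneDX document and return its component list."""
    return json.loads(sbom_json).get("components", [])

def affected_components(components, advisory):
    """Return purls of components for the advisory's package whose version is below the fix."""
    fixed = version_key(advisory["fixed_in"])
    return [c["purl"] for c in components
            if c.get("purl", "").split("@")[0] == advisory["purl"]
            and version_key(c["version"]) < fixed]

def license_violations(components, denied_licenses):
    """Return (name, license id) pairs for components carrying a denied license."""
    return [(c["name"], entry["license"]["id"]) for c in components
            for entry in c.get("licenses", [])
            if entry.get("license", {}).get("id") in denied_licenses]

if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("affected:", affected_components(comps, ADVISORY))
    print("license violations:", license_violations(comps, {"GPL-3.0-only"}))
```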

How Are SBOMs Created and Managed?

Maintaining an accurate and up-to-date SBOM, especially in fast-paced development environments, can be challenging. Large software projects may include hundreds of dependencies, making it difficult to manage all the information within an SBOM. SBOMs can be created and managed in the following ways:

  • Automated tools: Companies can generate SBOMs in standard formats such as CycloneDX and SPDX using tools like Syft or others that integrate into their CI/CD pipelines.
  • Development workflows integration: Developers and security teams can incorporate SBOMs into their regular workflows for continuous monitoring and management.

Why Ortelius?

The Ortelius project is creating a console that enables users to identify vulnerabilities in software systems and provides enhanced visibility into components, such as libraries and microservices, utilised within an organisation. It can consume any SPDX- or CycloneDX-formatted SBOM to help generate and manage an SBOM in several ways:

  • Maps out all microservices within an application, including dependencies and versions.
  • Integrates with DevSecOps processes to automate the generation of SBOMs during the build and deployment stages. By integrating into CI/CD pipelines, it ensures that each release has an updated SBOM. See “How Ortelius Collects SBOM Data with SPDX, CycloneDX and Syft” for details.

[Image: Sample SBOM Working Report]

Governments and regulatory bodies are increasingly mandating SBOMs as part of cybersecurity frameworks, especially in critical infrastructure sectors. The U.S. Executive Order 14028 mandates SBOM use to secure the software supply chain (gsa.gov, 2021). The UK National Cyber Security Centre, the Australian Cyber Security Centre and the Canadian Communications Security Establishment have also published recommendations for SBOM implementation (Poireault, 2024). SBOM adoption across industries is also increasing: Gartner estimated a 20% increase in 2022 and that over 60% of organisations will adopt it by 2025 (Poireault, 2024). Developers and organisations should start implementing SBOMs in their software development processes to stay ahead of security and compliance challenges.

References

cisa.gov (2024) Software Bill of Materials (SBOM). CISA. https://www.cisa.gov/sbom [Accessed: 22 October 2024].

Gittlen, S. (2024) The ultimate guide to SBOMs. GitLab. https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms/.

gsa.gov (2021) Executive Order 14028: Improving the Nation’s Cybersecurity. 12 May 2021. U.S. General Services Administration. https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028 [Accessed: 23 October 2024].

L, H. (2024) SBOMs and the importance of inventory. 11 September 2024. https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory [Accessed: 22 October 2024].

Poireault, K. (2024) How Organisations Can Leverage SBOMs to Improve Software Security. 14 March 2024. https://www.infosecurityeurope.com/en-gb/blog/regulation-and-policy/how-sboms-improve-software-security.html [Accessed: 23 October 2024].
