The Role of Software Bill of Material (SBOM) in Secure Development

An SBOM is a list of the software components that make up an application, including open-source and third-party parts. For developers, the goal is to keep those components up to date and to respond rapidly to newly disclosed vulnerabilities; that quick response is what makes SBOMs valuable for supply chain cyber defense.

Writing secure applications, however, requires more than verifying your own code for logical and technical problems. Attackers increasingly focus on flaws in third-party libraries, so you must also evaluate the security of every dependency and component you ship.

Why Is SBOM Used?

An SBOM can be used in a variety of ways, such as:

  • License requirements and policy adherence.
  • Debloating software: by inventorying the bill of materials, developers can detect and remove unwanted components; the same data also supports quality assurance.
  • Early detection and elimination of vulnerabilities.
  • Keeping components up to date and responding rapidly to new vulnerabilities.

There are several artifacts that can provide information on the SBOM, and this data can be combined and used collectively to offer security insights. These artifacts could be source code, executables, published software, or containers in the context of DevOps.

When it comes to security, it’s essential to understand every aspect of the system. You can monitor each component using the detailed list of components provided by SBOM to find out vulnerabilities.

Risk Management

An SBOM benefits both the software developer and the client. Developers frequently build a product from open source and third-party components; the SBOM lets them keep those components up to date and respond quickly to new vulnerabilities. The client uses the SBOM for vulnerability or license analysis to assess the risk of a product.

SBOM is a basic requirement at many firms, and R&D must learn to integrate it properly into the Software Development Life Cycle (SDLC) to attest to:

Security: Component vulnerabilities should not pose a serious security concern when the application runs.

License Compliance: The individual licenses of components should not affect the overall license of the software application.

Maintenance: Each component should have a track record of being well-maintained and up to date.

SBOM Generation Through Configuration File

The ActiveState Platform’s GraphQL API enables programmatic access to precise information about the runtime environment for your software applications.


Your Python, Perl, or Ruby application’s configuration file will allow you to:

  1. Create a runtime environment on demand.
  2. Generate an SBOM for that runtime via the GraphQL API, showing:
     • Software author
     • Component version
     • Component name
     • Relationships among components
     • Component license


SBOM Formats

A new SBOM can be produced and published in HTML, CSV, PDF, Markdown, and plain text forms. The standardized SBOM formats are Software Package Data Exchange (SPDX), Software Identification (SWID) Tags, and CycloneDX.

We’ll concentrate on CycloneDX because it is the most recent of the three, lightweight, and focused on software security use cases.

CycloneDX

CycloneDX is an OWASP-supported software bill of materials format. It is extremely lightweight and represents all direct and transitive dependencies. CycloneDX provides a variety of tools for generating SBOMs from projects in many programming languages, e.g. Java, Python, and Node.

CycloneDX data fields:

  • BOM metadata: Descriptions of the supplier, manufacturer, component, and compilation tools.
  • Components: Complete details on proprietary and open-source components, including license requirements.
  • Services: A list of external APIs that the software may use.
  • Dependencies: The relationships that exist inside the supply chain.

Among the possible use cases are:

  • Vulnerability analysis (software and hardware)
  • Analysis of outdated components
  • License identification and compliance
  • Documenting a component’s pedigree, including ancestors, descendants, variants, and commits
  • Analyzing modified open source libraries
  • File verification
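To make the CycloneDX data fields and use cases above concrete, here is an added example (not part of the original article or the CycloneDX project) that parses a constructed CycloneDX 1.4 JSON document, checks each component against a hypothetical license allowlist and a constructed advisory feed, and walks the dependency graph to show which direct dependency pulls in a flagged transitive component. The BOM contents, the `ALLOWED_LICENSES` policy and the `ADVISORIES` table are all assumptions for illustration.

```python
import json
# Constructed CycloneDX 1.4 JSON document for illustration only (not real tool output).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "lib-c", "name": "lib-c", "version": "1.4.2"},  # no license declared
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a"]}, {"ref": "lib-a", "dependsOn": ["lib-b", "lib-c"]}],
})

# Hypothetical policy inputs: licenses allowed to ship and a constructed advisory feed.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
ADVISORIES = {("lib-c", "1.4.2"): "EXAMPLE-ADVISORY-0001"}  # placeholder id, not a real CVE

def load_bom(text):  # index components and the dependency graph by bom-ref
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return comps, graph, bom["metadata"]["component"]["bom-ref"]

def dependency_path(graph, node, target, path=()):
    # Depth-first search for the chain of bom-refs from node down to target.
    path = path + (node,)
    if node == target:
        return list(path)
    for child in graph.get(node, []):  # refs already on the path are skipped (cycle guard)
        if child not in path and (found := dependency_path(graph, child, target, path)):
            return found
    return None

def audit(text):
    # Return (component, finding) pairs: license policy violations and known advisories.
    comps, graph, root = load_bom(text)
    findings = []
    for ref, c in comps.items():
        ids = {l["license"].get("id", "unknown") for l in c.get("licenses", []) if "license" in l}
        if not ids:
            findings.append((c["name"], "no license declared"))
        elif not ids <= ALLOWED_LICENSES:
            findings.append((c["name"], "license not allowed: " + ", ".join(sorted(ids))))
        adv = ADVISORIES.get((c["name"], c["version"]))
        if adv:
            chain = " -> ".join(dependency_path(graph, root, ref))
            findings.append((c["name"], "advisory %s reached via %s" % (adv, chain)))
    return findings
```

Running `audit(SAMPLE_BOM)` reports the disallowed license on lib-b, the missing license on lib-c, and the advisory on lib-c together with the path app -> lib-a -> lib-c that introduces it.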

Generate an SBOM with Free Open Source Tools

Select an SBOM generation tool

The following are some of the more popular SBOM tools:

  • Syft by Anchore
  • Tern
  • Kubernetes BOM tool
  • spdx-sbom-generator

Getting Syft

We’ll concentrate on Syft because it is simple to use in many scenarios. The recommended way to get Syft on macOS and Linux is the curl-based installer (replace the two placeholders with your target bin directory and the release version you want):

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <SOME_BIN_PATH> <RELEASE_VERSION>

From the GitHub releases page, you may download Syft binaries for many platforms, including Windows.

There is also a Syft Docker image published with every release:

docker run -it --rm anchore/syft <args>

Run the following command to confirm that Syft has been installed:

syft version

You will get output like this:

Application:        syft
Version:            0.43.2
JsonSchemaVersion:  3.2.2
BuildDate:          2022-04-06T21:49:04Z
GitCommit:          e415bb21e7a609c12dc37a2d6395796fb675e3fe
GitDescription:     v0.43.2
Platform:           linux/amd64
GoVersion:          go1.18
Compiler:           gc

Generate SBOM

Generating your first SBOM is simple once you have Syft. Syft allows you to scan numerous sources, including the local filesystem and container images.

Scanning images

An SBOM for a Docker image can be created with the following command:

syft <image>

Use the --scope all-layers option to include software from all image layers in the SBOM (by default only the squashed image is scanned):

syft --scope all-layers <image>

Scanning Filesystem

Use the dir: and file: prefixes with either absolute or relative paths to build an SBOM for the local filesystem, for example the current directory:

syft dir:.

For a specific file, such as a compiled binary, use the following command:

syft file:/my-go-binary

Choose SBOM format

Use one of the CycloneDX output options to generate an SBOM in CycloneDX format, for example XML:

syft <source> -o cyclonedx-xml
