New Tool Aims to Simplify and Streamline SBOM Adoption – Source: www.databreachtoday.com

Software Bill of Materials (SBOM)
,
Standards, Regulations & Compliance

OpenSSF Partners With DHS and CISA to Launch Global Software Supply Chain Project

Chris Riotta (@chrisriotta) •
April 16, 2024    

A new tool backed by the U.S. federal government amid a push to increase industry uptake of software bills of materials promises to help federal agencies and private sector firms adopt comprehensive inventory lists that can aid in rapidly detecting and mitigating critical vulnerabilities.

See Also: OnDemand | Cutting Through the Hype: What Software Companies Really Need from ASPM

Software bills of materials list all the ingredients that make up software components and are often described as a key building block in software supply chain risk management. Agencies have struggled in recent years to comply with new SBOM mandates, citing a lack of resources and technical expertise needed to generate, read and share software inventories for federal systems, which often involve complex and multifaceted supply chains (see: CISA’s New SBOM Guidance Faces Implementation Challenges).

On Tuesday, the Open Source Security Foundation announced its partnership with the top U.S. cyber agency and the Department of Homeland Security Science and Technology Directorate to develop a solution. Protobom, a global software supply chain open-source project, can be integrated into a wide variety of applications to translate SBOMs into various data formats and identification schemes.

Protobom “is a step toward greater efficiency and interoperability,” according to CISA senior adviser Allan Friedman, who said in a statement that the program can translate SBOMs “across the widely used formats so that tools and organizations can focus on what’s important.”

The project will be a free resource that can be integrated into applications that link SBOM information with public records on known vulnerabilities to provide real-time information on available patches and mitigations, according to a press release.

Omkhar Arasaratnam, general manager of OpenSSF, said in a statement that Protobom “not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open-source dependencies.”

Protobom can be integrated into commercial and open-source applications through a format-neutral data layer on top of the standards, which allows applications to work seamlessly with any type of SBOM format, according to OpenSSF.

Protobom is the result of CISA and DHS funding a cohort of seven startups – including Manifest Cyber, Chainguard Inc., TestifySec and Veramine, among others – to develop the global open-source project.

Melissa Oh, program managing director of the DHS Science and Technology Directorate’s Silicon Valley Innovation Program, said in a statement that the agency “is tapping into the startup community to develop technology that will shine a light on risks within supply chains and bolster the overall cybersecurity of organizations.”