A software Bill of Materials (SBOM) is a list of all the open source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks.

The concept of a software Bill of Materials derives from manufacturing, where a Bill of Materials is an inventory detailing all the items included in a product. In the automotive industry, for example, manufacturers maintain a detailed Bill of Materials for each vehicle. This BOM lists the parts built by the original equipment manufacturer itself and the parts from third-party suppliers. When a defective part is discovered, the auto manufacturer knows precisely which vehicles are affected and can notify vehicle owners of the need for repair or replacement.

Similarly, smart organizations that build software maintain an accurate, up-to-date software Bill of Materials that includes an inventory of third-party and open source components to ensure their code is high-quality, compliant, and secure. (Snyopsys)

Modern software leverages more components as technology resources become democratized. Software developers are able to build software using more 3rd party libraries, open source software and plugins to enable development at speed and increase time to value.

An example is log4j which is a java based logging utility, part of the apache software foundation . Log4j is a powerful logging facility used to monitor and track system calls in web servers (and other tools) to log activities. The code is deeply embedded in systems and tools that we all use every day. It is as ubiquitous as it is obscure.

In December 2021 a vulnerability was discovered in log4j that allowed for hackers to remotely execute commands using the vulnerability. This severity was rated a 10/10 by CISA and was one of the most widespread security vulnerabilities in history, effecting companies such as AWS, VMware and numerous other companies and critical infrastructure.

If a Software Bill of Materials were in use, companies that had log4j could easily identify what assets have the vulnerable component and where it can be found to allow developers to quickly remediate.

SecureState’s SBOM allows developers to list the components of their software in centralized location. The SBOM checks those components against public and private databases and reports any vulnerabilities that exist at the component level of your application.

SecureState uses a combination of automated tools and manual testing to provide a hybrid approach that includes proactive and reactive security testing activities. Our team has decades of cybersecurity experience with some of the largest tech companies including AWS, VMware, Google and Nintendo.

Take the first step to security and schedule a call today!