Cycode is excited to announce the immediate availability of our new Software Bill of Materials (SBOM) feature. Cycode SBOM is a complementary technology to our Next-Gen Software Composition Analysis (SCA) solution. SBOMs help organizations provide full transparency into the open source and third-party components that make up their software. Cycode’s SBOM report provides a comprehensive inventory of software components used in organizations’ applications and defines the supply chain relationship between components.
With Cycode SBOM, you can easily create an SBOM with just the click of a button. Furthermore, you can choose to generate an SBOM in either the SPDX or CycloneDX formats:
- SPDX – The Software Package Data Exchange (SPDX) specification is an open standard created by The Linux Foundation. It is now an ISO standard (ISO/IEC 5962:2021). SPDX provides a common format to share important software supply chain data, streamlining and improving compliance, security, and dependability. A wide range of open source and commercial vendors support SBOMs using this format.
- CycloneDX – CycloneDX is a lightweight SBOM standard that originated in the Open Web Application Security Project (OWASP) community. Designed as a BOM format for a variety of use cases, CycloneDX supports integrity verification of the components it describes through hash values and cryptography.
SBOMs can be generated per organization or per repository label, a grouping that reflects the business logic many organizations already use. All SBOMs can be downloaded as JSON, a lightweight interchange format. Additionally, Cycode can automatically generate SBOMs from repositories or during the CI/CD build process as part of developers’ workflow. Generating SBOMs at the build stage, where the resolved dependency set is known, ensures that organizations create the most accurate SBOM possible.
What Is an SBOM?
An SBOM is often described as a list of ingredients that make up your software. The National Telecommunications and Information Administration (NTIA) states, “an SBOM is a formal record containing the details and supply chain relationships of various components used in building software.”
An SBOM identifies all open source and third-party dependencies, including direct and transitive dependencies, used in building your software. In addition, SBOMs detail information about each component such as its name, version number, vendor, license type, and supply chain relationship.
An SBOM is typically used by organizations to track and manage the components that make up their software applications to improve software security and compliance.
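As an added example (not Cycode's code and not the reference tooling of either standard), the following Python reader ties together the CycloneDX hash verification mentioned above and the JSON inventory and supply chain relationships described here: it lists each component's name, version and license, separates direct from transitive dependencies using the document's dependency graph, and recomputes SHA-256 over artifact bytes to check the recorded hash. The CycloneDX 1.4 document, package names, versions and artifact bytes are all constructed for the example.

```python
import hashlib
import json
# Constructed artifact bytes standing in for one component's distributed package.
ARTIFACT = {"pkg:pypi/requests@2.28.1": b"constructed requests wheel contents"}
# Constructed CycloneDX 1.4 JSON document (not produced by Cycode): metadata.component
# is the application, components the inventory, dependencies the supply chain graph.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "inventory-service", "version": "1.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.28.1", "name": "requests",
         "version": "2.28.1", "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ARTIFACT["pkg:pypi/requests@2.28.1"]).hexdigest()}]},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@1.26.12", "name": "urllib3",
         "version": "1.26.12", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.28.1"]},
        {"ref": "pkg:pypi/requests@2.28.1", "dependsOn": ["pkg:pypi/urllib3@1.26.12"]},
    ],
})

def load_sbom(text):
    bom = json.loads(text)
    assert bom.get("bomFormat") == "CycloneDX", "not a CycloneDX document"
    return bom

def inventory(bom):
    """Name, version and license ids per component, keyed by bom-ref."""
    return {c["bom-ref"]: (c["name"], c["version"],
                           [l["license"].get("id", "?") for l in c.get("licenses", [])])
            for c in bom["components"]}

def classify_dependencies(bom):
    """Direct = declared by the root component; transitive = reachable only through others."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(edges.get(bom["metadata"]["component"]["bom-ref"], []))
    seen, stack = set(), list(direct)
    while stack:  # depth-first walk of the dependency graph
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return direct, seen - direct

def verify_hashes(bom, artifacts):
    """Recompute SHA-256 over artifact bytes we hold; compare with the hash recorded in the SBOM."""
    results = {}
    for c in bom["components"]:
        for h in c.get("hashes", []):
            if h["alg"] == "SHA-256" and c["bom-ref"] in artifacts:
                results[c["bom-ref"]] = hashlib.sha256(artifacts[c["bom-ref"]]).hexdigest() == h["content"].lower()
    return results
```

A component whose recorded hash no longer matches the bytes you actually ship is the signal to investigate before the build is trusted.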
Check out this blog to learn more about the minimum requirements of SBOMs.
Why Do You Need an SBOM?
With the increase in recent high-profile attacks, software supply chains have been under greater scrutiny. In May 2021, the US federal government released executive order 14028, Improving the Nation’s Cybersecurity. The executive order mandates that any company selling software to the US federal government (or selling to a company that sells to the federal government) must supply an SBOM. This effectively makes SBOMs a de facto industry standard.
There are many other reasons why you need an SBOM. SBOMs can help organizations better support compliance and reporting requirements by providing a highly detailed asset inventory. They can help you manage your open source security. SBOMs are often used as part of the merger and acquisition due diligence process to provide visibility into the software and solutions that are being purchased.
The bottom line is that SBOMs help you build trust by allowing you to provide your customers with greater visibility and transparency into the components that make up your software. Delivering the most secure software solution possible is always the best option.