Software Supply Chain Security

What is SBOM Central?
SBOM Central is a cloud solution providing a user-friendly service for managing, monitoring, and sharing your SBOMs. It efficiently identifies and notifies you of vulnerabilities, exploits, and other security concerns while conducting ongoing scans for software updates, licensing compliance, and various health indicators.
On-premises and air-gapped deployment options are available.
What is an SBOM?
A Software Bill of Materials (SBOM) is a document that lists all the software components that are used in a particular software product or application, including both proprietary and open-source components, as well as their version numbers, dependencies, and origins.
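As an added illustration of what such an inventory looks like in machine-readable form (this is example code written for this page, not SBOM Central's own tooling), the block below parses a small CycloneDX-style SBOM, constructed inline, and answers the questions an SBOM is meant to answer: which components are present, with which versions and licenses, and through which dependency chain each one enters the product. The `components`, `dependencies`, `bom-ref` and `dependsOn` field names follow the CycloneDX JSON layout; the component names, versions and the orphan `telemetry` entry are invented for the example.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a fictional application "app".
# The "telemetry" component is listed but no dependency entry introduces it,
# which is the kind of unexpected component an SBOM review should surface.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app@2.3.0", "name": "app", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:web@1.4.2", "name": "web", "version": "1.4.2", "type": "library",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:json@3.0.1", "name": "json", "version": "3.0.1", "type": "library",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:util@0.9.0", "name": "util", "version": "0.9.0", "type": "library",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:telemetry@1.0.0", "name": "telemetry", "version": "1.0.0", "type": "library",
     "licenses": []}
  ],
  "dependencies": [
    {"ref": "app@2.3.0", "dependsOn": ["pkg:web@1.4.2"]},
    {"ref": "pkg:web@1.4.2", "dependsOn": ["pkg:json@3.0.1"]},
    {"ref": "pkg:json@3.0.1", "dependsOn": ["pkg:util@0.9.0"]}
  ]
}
"""


def load_sbom(text):
    """Parse SBOM JSON into (root bom-ref, inventory keyed by bom-ref, dependency adjacency map)."""
    bom = json.loads(text)
    inventory = {}
    for comp in bom.get("components", []):
        licenses = [entry.get("license", {}).get("id", "UNKNOWN") for entry in comp.get("licenses", [])]
        inventory[comp["bom-ref"]] = {
            "name": comp["name"],
            "version": comp.get("version", ""),
            "licenses": licenses,
        }
    graph = {dep["ref"]: dep.get("dependsOn", []) for dep in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, inventory, graph


def dependency_paths(root, graph):
    """Breadth-first walk from the root; returns the first path found to each reachable bom-ref."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def inventory_report(text):
    """Per component: name, version, licenses, dependency depth and the chain that pulls it in.
    depth is None for components that appear in the SBOM but are not reachable from the root."""
    root, inventory, graph = load_sbom(text)
    paths = dependency_paths(root, graph)
    report = {}
    for ref, comp in inventory.items():
        path = paths.get(ref)
        report[ref] = {
            "name": comp["name"],
            "version": comp["version"],
            "licenses": comp["licenses"],
            "depth": len(path) - 1 if path else None,
            "via": " -> ".join(path) if path else "(not reachable from root)",
        }
    return report


if __name__ == "__main__":
    for ref, row in inventory_report(SBOM_JSON).items():
        print(ref, row)
```

Running the block lists `util` at depth 3 via `app -> web -> json -> util`, and flags `telemetry` as present in the component list but unreachable from the application's declared dependency tree, which is exactly the kind of discrepancy worth a closer look.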


Why are SBOMs important?
SBOMs are essential for strengthening supply chain security, managing software vulnerabilities, ensuring regulatory compliance, and enabling informed decisions in software risk management. In an era of increasing software supply chain attacks, they play a critical role in improving visibility, accountability, and resilience within the cybersecurity ecosystem. SBOMs help organizations mitigate risks and respond proactively to emerging threats by providing a comprehensive inventory of components and dependencies.
News / Blogs

We can now offer SBOM Central as a Nordic cloud cybersecurity solution. We have selected a well-known Nordic cloud service provider that…

In Swedish: The autumn's first podcast from SIG Security is here! As usual, it covers a current topic from one of the lectures…

SBOM Central has now added the capability to generate VEX reports, enhancing its functionality. VEX stands for Vulnerability Exploitability eXchange and is…

T2 Data is a partner at the Swedish conference about Cybersecurity for critical infrastructure. The conference is in Swedish, read more.
Improve your supply chain security with SBOM Central.
Upload SBOMs.
Generate SBOMs at any stage of your development process. Upload each SBOM automatically through the RestAPI and start component identification and security analytics.
You may also upload SBOMs manually through the web interface, or create SBOMs with the included SBOM tool.
The Artifact Dictionary service will support you when manually creating external artifacts in the Artifact tool.


Analyze and monitor your SBOMs.
SBOM Central performs an in-depth analysis of your SBOMs, delivering real-time insights into their status concerning vulnerabilities, weaknesses, and potential exploits. Additionally, it offers comprehensive component health information, including version details, updates, project activity, licensing, and more.
The service offers continuous monitoring and keeps security and health data for your SBOMs up-to-date. It also provides customizable notifications for specific versions.
You can achieve full traceability for your SBOMs, allowing you to track the evolution of each application and uncover any unexpected dependencies or potential malicious attempts to infiltrate the build process.
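The traceability described above comes down to comparing the SBOM of one build with the SBOM of the next. The following added example (written for this page, not SBOM Central's own code) diffs two constructed CycloneDX-style SBOMs by component name and version, and additionally flags added components that no declared dependency introduces, since a component that appears in a build without any parent depending on it is a classic sign of something injected into the build process rather than pulled in on purpose. Component names and versions are invented.

```python
import json

# Constructed SBOMs for two consecutive builds of a fictional application.
OLD_SBOM = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app@2.3.0", "name": "app", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:web@1.4.2", "name": "web", "version": "1.4.2"},
    {"bom-ref": "pkg:json@3.0.1", "name": "json", "version": "3.0.1"},
    {"bom-ref": "pkg:util@0.9.0", "name": "util", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "app@2.3.0", "dependsOn": ["pkg:web@1.4.2"]},
    {"ref": "pkg:web@1.4.2", "dependsOn": ["pkg:json@3.0.1"]},
    {"ref": "pkg:json@3.0.1", "dependsOn": ["pkg:util@0.9.0"]}
  ]
}
"""

# In the new build "json" was upgraded, "util" was dropped, and a "telemetry"
# component appeared without any dependency entry pointing at it.
NEW_SBOM = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app@2.4.0", "name": "app", "version": "2.4.0"}},
  "components": [
    {"bom-ref": "pkg:web@1.4.2", "name": "web", "version": "1.4.2"},
    {"bom-ref": "pkg:json@3.1.0", "name": "json", "version": "3.1.0"},
    {"bom-ref": "pkg:telemetry@1.0.0", "name": "telemetry", "version": "1.0.0"}
  ],
  "dependencies": [
    {"ref": "app@2.4.0", "dependsOn": ["pkg:web@1.4.2"]},
    {"ref": "pkg:web@1.4.2", "dependsOn": ["pkg:json@3.1.0"]}
  ]
}
"""


def components(text):
    """Map component name -> (version, bom-ref) for one SBOM."""
    bom = json.loads(text)
    return {c["name"]: (c.get("version", ""), c["bom-ref"]) for c in bom.get("components", [])}


def referenced_refs(text):
    """Every bom-ref that some dependency entry depends on."""
    bom = json.loads(text)
    return {ref for dep in bom.get("dependencies", []) for ref in dep.get("dependsOn", [])}


def diff_sboms(old_text, new_text):
    """Added, removed and version-changed components between two builds, plus
    'unlinked': added components that nothing in the new dependency graph depends on."""
    old, new = components(old_text), components(new_text)
    linked = referenced_refs(new_text)
    added = sorted(name for name in new if name not in old)
    return {
        "added": added,
        "removed": sorted(name for name in old if name not in new),
        "changed": {name: (old[name][0], new[name][0])
                    for name in old if name in new and old[name][0] != new[name][0]},
        "unlinked": [name for name in added if new[name][1] not in linked],
    }


if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

The version change of `json` and the removal of `util` are the expected evolution of the application; the `telemetry` entry under `unlinked` is the one that warrants an answer from whoever owns the build pipeline.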
Evaluate and prioritize your risk.
Vulnerability prioritization involves identifying vulnerabilities and determining their order of remediation by considering factors like potential consequences, exploitability, and additional contextual information such as asset details, severity, business-criticality, and threat intelligence. The objective is to give priority to addressing high-risk vulnerabilities promptly, while lower-risk ones are addressed in due course, all while aligning with an organization’s unique objectives and risk tolerance.
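To make the prioritization factors above concrete, here is an added example (not SBOM Central's scoring model, whose internals the page does not describe) that combines severity, an exploitation-likelihood estimate, a known-exploited flag, asset criticality and exposure into one rank, with the weights and tier thresholds collected in a policy dictionary so an organization can tune them to its own risk tolerance. All findings, identifiers and weights are constructed for illustration.

```python
from dataclasses import dataclass

# Weights and thresholds are a constructed policy; tune them to the organization's risk tolerance.
POLICY = {
    "epss_weight": 2.0,            # how much a high exploitation probability amplifies the score
    "known_exploited_factor": 2.0, # multiplier when the issue is listed as actively exploited
    "criticality_factor": {1: 0.6, 2: 1.0, 3: 1.5},  # 1 = low-value asset, 3 = business-critical
    "exposed_factor": 1.3,         # internet-facing deployment
    "tiers": [("immediate", 2.0), ("scheduled", 0.8), ("backlog", 0.0)],
}


@dataclass
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    component: str
    cvss: float            # base severity, 0-10
    epss: float            # estimated probability of exploitation, 0-1 (EPSS-style)
    known_exploited: bool  # on an actively-exploited list
    asset_criticality: int # 1..3, see POLICY
    exposed: bool          # reachable from the internet


def risk_score(f, policy=POLICY):
    """Severity scaled by likelihood of exploitation and by what the asset is worth."""
    score = f.cvss / 10.0
    score *= 1.0 + f.epss * policy["epss_weight"]
    if f.known_exploited:
        score *= policy["known_exploited_factor"]
    score *= policy["criticality_factor"][f.asset_criticality]
    if f.exposed:
        score *= policy["exposed_factor"]
    return round(score, 3)


def tier_for(score, policy=POLICY):
    for name, threshold in policy["tiers"]:
        if score >= threshold:
            return name
    return policy["tiers"][-1][0]


def prioritize(findings, policy=POLICY):
    """Return (vuln_id, score, tier) sorted from most to least urgent."""
    scored = [(f.vuln_id, risk_score(f, policy), tier_for(risk_score(f, policy), policy)) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed findings chosen so that raw CVSS alone would order them differently.
FINDINGS = [
    Finding("VULN-A", "json", cvss=9.8, epss=0.02, known_exploited=False, asset_criticality=1, exposed=False),
    Finding("VULN-B", "web", cvss=7.5, epss=0.60, known_exploited=True, asset_criticality=3, exposed=True),
    Finding("VULN-C", "util", cvss=5.3, epss=0.10, known_exploited=False, asset_criticality=2, exposed=True),
    Finding("VULN-D", "auth", cvss=9.1, epss=0.30, known_exploited=False, asset_criticality=3, exposed=False),
]

if __name__ == "__main__":
    for vuln_id, score, tier in prioritize(FINDINGS):
        print(f"{vuln_id:8} score={score:<7} {tier}")
```

The point of the constructed data: `VULN-A` has the highest CVSS score but sits on a low-value internal asset with little exploitation activity and lands in the backlog, while `VULN-B`, with a lower CVSS score but active exploitation on an exposed, business-critical system, comes out on top.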


Recent regulations in both the European Union (EU) and the United States (US) require organizations to implement new policies concerning the disclosure and transparency of software contents. NIS2: "… security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;" CRA (Cyber Resilience Act): "Enhance the transparency of security properties of products with digital elements, and enable businesses and consumers to use products with digital elements securely."
Create automated VEX reports at various stages of your released software. Improve the human readability of VEX documents with comprehensive Advisory reports.
SBOM Central has powerful features to automate sharing of SBOMs with selected groups of people and organizations. The shared information may include decisions and real-time status regarding vulnerabilities, exploits, and more.
Read about SBOMs and regulations: the NIS2 Directive, the Cyber Resilience Act, and the US Executive Order on Improving the Nation’s Cybersecurity.
There are several essential use cases for an SBOM:
An SBOM helps organizations identify and manage vulnerabilities in their software supply chain by providing visibility into the components they use. It enables them to identify security risks and apply appropriate mitigations or updates.
SBOMs allow organizations to quickly identify whether they are using vulnerable software and take appropriate actions, such as patching or updating.
By integrating SBOMs into the software development process, developers can make more informed decisions about their components, ensuring that the final product is secure, compliant, and efficient.
During the due diligence process, SBOMs provide valuable insights into a target company’s software assets, helping to identify potential risks, liabilities, and integration challenges.
In a security breach or other incident, an SBOM can help incident responders and security analysts understand the affected components and their relationships, aiding in the investigation and remediation process.
SBOMs help organizations comply with legal and regulatory requirements, including open-source licensing obligations, by providing an auditable record of all software components and their respective licenses.
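The first two use cases above (spotting vulnerable components from the inventory) and the VEX reporting mentioned earlier fit together in one workflow, shown here as an added example written for this page rather than SBOM Central's own implementation. It matches constructed SBOM components against constructed advisories with introduced/fixed version ranges, then emits a CycloneDX-style VEX document whose `analysis.state` carries the triage decision for each match. The advisory identifiers are placeholders, not real CVEs; the `vulnerabilities`, `analysis`, `affects` field names and the `in_triage` / `not_affected` states follow the CycloneDX vulnerability schema as I know it and should be checked against the spec version you target.

```python
import json

# Constructed component list taken from a fictional SBOM.
COMPONENTS = [
    {"bom-ref": "pkg:web@1.4.2", "name": "web", "version": "1.4.2"},
    {"bom-ref": "pkg:json@3.0.1", "name": "json", "version": "3.0.1"},
    {"bom-ref": "pkg:util@0.9.0", "name": "util", "version": "0.9.0"},
]

# Constructed advisories. Affected range is half-open: introduced <= version < fixed.
# fixed=None means no fixed release exists yet. IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "name": "json", "introduced": "3.0.0", "fixed": "3.0.2"},
    {"id": "ADV-CONSTRUCTED-2", "name": "web", "introduced": "1.0.0", "fixed": "1.4.0"},
    {"id": "ADV-CONSTRUCTED-3", "name": "util", "introduced": "0.8.0", "fixed": None},
]

# Constructed triage decisions an analyst has already recorded; unlisted matches stay "in_triage".
TRIAGE = {
    "ADV-CONSTRUCTED-3": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "The vulnerable function is never called by this application.",
    },
}


def version_key(version):
    """'3.0.1' -> (3, 0, 1). Plain dotted-numeric versions only; real ecosystems need
    their own scheme (semver pre-releases, Debian epochs, ...), which is out of scope here."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    v = version_key(version)
    if v < version_key(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < version_key(advisory["fixed"])


def match(components, advisories):
    """Pair every component with every advisory whose affected range contains its version."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append({"id": adv["id"], "ref": comp["bom-ref"]})
    return hits


def build_vex(hits, triage):
    """CycloneDX-style VEX: one vulnerability entry per match, carrying the triage state."""
    vulns = []
    for hit in hits:
        analysis = dict(triage.get(hit["id"], {"state": "in_triage"}))
        vulns.append({
            "id": hit["id"],
            "source": {"name": "constructed-advisory-feed"},
            "analysis": analysis,
            "affects": [{"ref": hit["ref"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "vulnerabilities": vulns}


def open_items(vex):
    """Matches that still need action: everything not closed out by triage."""
    closed = {"not_affected", "resolved", "false_positive"}
    return [v["id"] for v in vex["vulnerabilities"] if v["analysis"]["state"] not in closed]


if __name__ == "__main__":
    vex = build_vex(match(COMPONENTS, ADVISORIES), TRIAGE)
    print(json.dumps(vex, indent=2))
    print("still open:", open_items(vex))
```

`web` 1.4.2 is not reported because the advisory's fixed version (1.4.0) is already behind it; `json` 3.0.1 matches and remains `in_triage`; `util` matches an advisory with no fix but is closed out as `not_affected` by the recorded justification, which is precisely the information a VEX document exists to convey to downstream consumers.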
Who is the typical user of SBOM Central?
SBOM Central aims to deliver a service that is accessible and user-friendly to a wide range of professionals and roles. It strives to offer a highly automated, cost-effective solution with an intuitive user interface. Examples:
DevOps Engineer
DevOps engineers are responsible for developing and deploying software applications. SBOM Central provides services to assess the security of code and applications, ensuring that vulnerabilities are identified and resolved before and after deployment.
Procurement Officer
By requesting an SBOM from a supplier, procurement officers can upload it to SBOM Central to enhance their decision-making process, prioritize security and compliance requirements, and mitigate potential risks associated with the software supply chain.
Risk Manager
Risk managers assess and mitigate risks within an organization. They can leverage SBOM Central services to identify and prioritize vulnerabilities based on their potential impact and likelihood of exploitation, helping them make informed decisions on risk mitigation strategies.

Security Analyst
Security analysts are central users of vulnerability detection services. With SBOM Central they can perform scans, analyze results, and interpret the findings to identify potential vulnerabilities in systems, networks, or applications. They then work on remediation plans or coordinate with other teams to address the identified vulnerabilities.
Compliance Officer
Compliance officers ensure the organization adheres to relevant regulations, industry standards, internal policies, and legal obligations. They may utilize SBOM Central services to assess compliance with security requirements and identify vulnerabilities that may pose compliance risks. It provides transparency into the open-source software components and licenses used, helping officers verify license compliance and avoid legal disputes.