DeployHub Consumes SBOM Data
Aggregating SBOM Data for Federated Reporting and Actionable Results
DeployHub federates and leverages Software Bill of Materials (SBOM) data from each piece of software in your supply chain, providing organization-wide views of where a particular software component is used and where it is running. DeployHub’s open source software supply chain security platform gives IT teams the intelligence needed to contain a critical hack quickly by exposing where open source inventory is running across multiple environments. The core problem is that SBOM data is fragmented across hundreds of components, so IT teams struggle to address a vulnerability quickly. Instead, they spend critical time searching for and interrogating hundreds of SBOMs for the needed information. SBOMs provide little value sitting in a text file under the build directory or even stored in Git as a historical record. DeployHub makes SBOMs useful by consuming the data and exposing it so it can be easily acted upon.
Federating all SBOM Data with DeployHub
DeployHub’s software supply chain management catalog federates SBOM data and continuously aggregates the information to the critical level, the ‘logical’ Application. DeployHub provides the insights needed to harden the security of end-user software by exposing exactly what is being delivered. DeployHub’s platform provides a view into each Component Version’s SBOM and rolls that information up to each ‘logical’ Application Version’s SBOM, even in decoupled architectures.
DeployHub Helps Organizations Meet Executive Order 14028
To meet the Biden Administration’s 2022 SBOM order, teams must deliver an SBOM that aggregates all application component dependencies’ SBOMs to the logical application level every time a change is delivered. Achieving this level of SBOM reporting means the DevOps pipeline must automatically track the ‘logical’ application and create an application release version, SBOM, and CVE report for each change.
DeployHub’s aggregated SBOM reports provide normalized, detailed information about each component a logical application uses. At a minimum, for each component, the aggregated report includes:
- component’s name
- supplier name
- other unique identifiers
- open-source dependencies
- author of the SBOM data
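The roll-up described above (component SBOMs aggregated to a ‘logical’ application, with the minimum fields listed) and the inverse question from the introduction (where is a given package used, and where is it running) can both be implemented with a few dictionaries. The following is an added example, not DeployHub’s own code: the component SBOMs, the application composition, the deployment map and every package name and purl in it are constructed for illustration, and the document layout only borrows CycloneDX field names (`metadata.authors`, `components`, `purl`, `supplier`) rather than being produced by a real SBOM generator.

```python
"""Aggregate per-component SBOMs into a logical-application SBOM and index them.

Added example, not DeployHub code. All SBOMs, applications, package names,
purls and environments below are constructed sample data.
"""
from collections import defaultdict


def _dep(name, version, purl, supplier):
    # Helper to keep the constructed sample data short.
    return {"name": name, "version": version, "purl": purl,
            "supplier": {"name": supplier}}


# Constructed: one SBOM per component version, keyed "component:version".
COMPONENT_SBOMS = {
    "checkout-api:1.4.0": {
        "metadata": {"authors": [{"name": "ci-bot@example.test"}]},
        "components": [
            _dep("example-logging", "2.1.0",
                 "pkg:maven/com.example/example-logging@2.1.0", "Example Libs Inc"),
            _dep("example-json", "1.0.3",
                 "pkg:maven/com.example/example-json@1.0.3", "Example Libs Inc"),
        ],
    },
    "cart-service:0.9.2": {
        "metadata": {"authors": [{"name": "ci-bot@example.test"}]},
        "components": [
            _dep("example-logging", "2.1.0",
                 "pkg:maven/com.example/example-logging@2.1.0", "Example Libs Inc"),
            _dep("example-http", "4.2.0",
                 "pkg:npm/example-http@4.2.0", "Example JS Foundation"),
        ],
    },
    "pricing-worker:3.0.0": {
        "metadata": {"authors": [{"name": "release-team@example.test"}]},
        "components": [
            _dep("example-logging", "2.2.0",
                 "pkg:maven/com.example/example-logging@2.2.0", "Example Libs Inc"),
        ],
    },
}

# Constructed: which component versions make up each logical application,
# and which environments each component version is currently deployed to.
LOGICAL_APPS = {
    "storefront:2024.05": ["checkout-api:1.4.0", "cart-service:0.9.2"],
    "pricing-engine:7.1": ["pricing-worker:3.0.0", "cart-service:0.9.2"],
}
DEPLOYMENTS = {
    "checkout-api:1.4.0": ["prod-eu", "prod-us"],
    "cart-service:0.9.2": ["prod-eu", "staging"],
    "pricing-worker:3.0.0": ["prod-us"],
}


def normalize_entry(component_key, sbom, dep):
    """Flatten one dependency to the minimum report fields: name, supplier,
    unique identifier (purl), and the author of the SBOM it came from."""
    authors = sbom.get("metadata", {}).get("authors", [])
    return {
        "name": dep["name"],
        "version": dep.get("version", ""),
        "purl": dep.get("purl") or f"{dep['name']}@{dep.get('version', '')}",
        "supplier": dep.get("supplier", {}).get("name", "unknown"),
        "sbom_author": ", ".join(a["name"] for a in authors) or "unknown",
        "used_by": {component_key},
    }


def aggregate_application_sbom(app_key, logical_apps, component_sboms):
    """Roll the component SBOMs of one logical application into a single
    application-level SBOM; entries with the same purl are merged and
    'used_by' records every component version that pulls the package in."""
    merged = {}
    for component_key in logical_apps[app_key]:
        sbom = component_sboms[component_key]
        for dep in sbom.get("components", []):
            entry = normalize_entry(component_key, sbom, dep)
            if entry["purl"] in merged:
                merged[entry["purl"]]["used_by"].add(component_key)
            else:
                merged[entry["purl"]] = entry
    components = [{**e, "used_by": sorted(e["used_by"])} for e in merged.values()]
    return {"application": app_key,
            "components": sorted(components, key=lambda e: e["purl"])}


def build_federated_index(logical_apps, component_sboms):
    """Reverse index purl -> {(application, component_version)} over all apps."""
    index = defaultdict(set)
    for app_key in logical_apps:
        app_sbom = aggregate_application_sbom(app_key, logical_apps, component_sboms)
        for entry in app_sbom["components"]:
            for component_key in entry["used_by"]:
                index[entry["purl"]].add((app_key, component_key))
    return index


def where_is_it_running(purl_query, index, deployments):
    """Return sorted (application, component, environment, purl) rows.
    A query without '@version' matches every version of that package, which is
    the first question during incident response: who ships this package at all?"""
    hits = set()
    for purl, locations in index.items():
        if purl != purl_query and not purl.startswith(purl_query + "@"):
            continue
        for app_key, component_key in locations:
            for env in deployments.get(component_key, []):
                hits.add((app_key, component_key, env, purl))
    return sorted(hits)


if __name__ == "__main__":
    idx = build_federated_index(LOGICAL_APPS, COMPONENT_SBOMS)
    for row in where_is_it_running("pkg:maven/com.example/example-logging", idx, DEPLOYMENTS):
        print(row)
```

Merging on the purl rather than on the display name is the point of the normalization step: the same library arriving via two component SBOMs with different supplier spellings still collapses to one row, while two versions of it stay separate so the responder sees exactly which deployments carry the affected one. The version-agnostic query deliberately requires the `@` separator so that a query for `example-logging` cannot accidentally match a package whose name merely starts with that string.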
SBOM Key Concepts
SBOM automation generates, as part of your DevOps pipeline, a list of all software components, libraries, and dependencies that make up a software application, and then consumes that data.
Start Consuming Your SBOM Insights Today
The core problem with SBOMs is that the data is not consumed. SBOMs provide little value sitting in a text file under the build directory or even stored in Git as a historical record. Most SBOM data is fragmented across hundreds of components, so IT teams struggle to address open source vulnerabilities fully and quickly. This article explores the concepts of SBOM consumption.
Aggregating SBOM data to the ‘logical’ Application level is required if you need to produce an Application SBOM in a decoupled architecture. Learn how DeployHub provides aggregated SBOM reports from hundreds of component SBOMs.