SBOM Management

Why is SBOM Management Important?

SBOM Management is critical in hardening cybersecurity, which is why DeployHub is laser-focused on consuming and leveraging SBOM (Software Bill of Material) data. At the most basic level, SBOM data is needed to determine your software’s common vulnerabilities and exposures (CVEs). In addition, SBOMs provide licensing and provenance information critical to deciding what open-source packages should be excluded from your internal supply chain. SBOM data is the first level of defense from supply chain attacks.

DeployHub is a unified ‘evidence’ catalog for SBOM management, CVE Reporting, and microservice cataloging. DeployHub’s superpower is its ability to aggregate critical security and DevOps intelligence data to all ‘logical’ applications in a decoupled microservices architecture. Using DeployHub you can automate the collection of SBOM data allowing you to put this critical information into action in the form of zero-trust policies and informed decision-making. An SBOM provides no value when it lies dormant in a build directory. DeployHub puts the SBOM to work. 

DeployHub’s SBOM Management acts upon and consolidates your supply chain and DevOps intelligence. It continuously creates a central ‘evidence store’ showing how low-level component changes impact application-level SBOMs and CVEs reports over time. Without a central store for SBOM Management like DeployHub, generating an application-level SBOM in a cloud-native environment is nearly impossible without the toil of manual intervention using spreadsheets that become quickly outdated as new microservices enter the supply chain all day long. 

DeployHub’s SBOM management solves this problem by centralizing the ‘evidence store’ data and continuously aggregating the information to the critical level, the ‘logical application.’ DeployHub provides the SBOM management and insights needed to harden the security of your end users’ software. 

SBOM Management at the Logical Application Level

The now famous Log4J security incident spotlighted the need for SBOMs. By interrogating SBOMs, you could easily see if your application depended on a particular Log4J version. In 2022, the Biden Administration mandated that all software consumed by the US Government requires an SBOM with the goal of hardening cybersecurity. Generating a monolithic SBOM during the build process can easily be done to meet this requirement. However, creating an application-level SBOM in a decoupled, cloud-native architecture can be a major headache. Each microservice has its SBOM. To generate an SBOM at the application level, development teams need to understand what versions of microservices they are using and consolidate all SBOMs into a single report.

DeployHub’s central ‘evidence’ catalog aggregates SBOM data to the ‘logical application’ level simplifying this critical reporting step. For each update that is pushed to an end-user, DeployHub provides a report that shows the aggregated SBOM data, with all CVEs, without any manual toil.

Microservice Versions and SBOMs

Microservices are designed to move quickly across the DevOps Pipeline. Each decoupled service has an independent path from development through production. The result is new versions of microservices are created on a high-frequency basis. For each new version of a service, a new SBOM and CVE report is created.

Unique to DeployHub is its method of versioning microservice updates. Each time a service is updated, DeployHub’s SBOM management captures the SBOM data and creates a new version number for the microservice. In addition, DeployHub creates a new version, SBOM, and CVE for all impacted applications. This automated cadence of microservice versioning provides the needed insights for performing difference reports, understanding changes, and hardens cybersecurity with real-time data of what open-source packages are being consumed across the organization. 

Important to understand in a cloud-native architecture is that rapid updates to microservices are common. Every time a microservice update occurs, it impacts every application that consumes it, including a new SBOM and CVE. Your DevOps pipeline will need to automate the collection of this level of data for every change moving across your environments.

SBOM Management and Your CI/CD Pipeline – a Critical Step

DeployHub’s SBOM management integrates into your Continuous Delivery pipeline to monitor microservice updates and capture new SBOM and CVE intelligence. DeployHub’s integration into your DevOps pipeline can add SBOM generation to the process if you are not already creating SBOMs. Adding SBOM generation to your pipeline is a critical step in understanding what open-source software your solutions depend upon. It is also required to know your vulnerabilities and exposures. At this point in time, it is simply not an option. To respond quickly to new vulnerabilities, you must know what you consume.

With DeployHub’s data, you can easily define zero-trust policies, such as stopping a deployment if an underlying component has known vulnerabilities. In addition, DeployHub helps you evolve your pipeline to support a microservices pipeline implementation that includes security actions. 

An Open-Source SBOM Tool

DeployHub is based on the Ortelius open-source project incubating at the Continuous Delivery Foundation.

Signup and Get Started

Get started centralizing all SBOM data with DeployHub’s SaaS SBOM Tool and “evidence catalog.”

Got questions?  Join our Discord channel and start a discussion. Open an issue on GitHub.

Further Reading on Supply Chain Security:

• • Application Security Best Practices for Your DevOps Pipeline
  • SBOM Automation
  • SBOM Consumption and Using the Data
  • Software Supply Chain Risk Management
  • Microservice Catalogs Explored
  • Consolidated Software Composition Analysis

Get Started – Give DeployHub a Try: 

• Free Microservice Dashboard