SBOM Management

SBOM Management In a Decoupled Architecture

Software bill of materials (SBOM) management strengthens software supply chain transparency and security from generation to import. 

Keep reading to learn how to manage SBOMs generated across DevOps pipelines.

What is SBOM Management?

SBOM management is the process of tracking Software Bill of Materials (SBOM) reports as they are generated across the DevOps pipeline. SBOMs provide little benefit when they are left dormant in the build directory where they were generated. Managing SBOMs puts that data to work, providing actionable insights into open-source package usage, the impact of each package on the supply chain, and real-time vulnerability scanning and reporting.

While it is important to add SBOM generation to your DevOps process, it is the consumption and leveraging of SBOM data that allows for zero-trust policies, vulnerability warning systems, and software supply chain intelligence. Tracking the SBOM data and history provides the insights needed to make actionable decisions about the software you consume.

Why is SBOM Management Important?

SBOM Management is critical in hardening cybersecurity, which is why DeployHub is laser-focused on consuming and leveraging SBOM (Software Bill of Materials) data. At the most basic level, SBOM data is needed to determine your software’s common vulnerabilities and exposures (CVEs). In addition, SBOMs provide the licensing and provenance information needed to decide which open-source packages should be excluded from your internal supply chain. SBOM data is the first line of defense against supply chain attacks.

DeployHub is a unified ‘evidence’ catalog for SBOM management, CVE Reporting, and microservice cataloging. DeployHub’s superpower is its ability to aggregate critical security and DevOps intelligence data to all ‘logical’ applications in a decoupled microservices architecture. Using DeployHub you can automate the collection of SBOM data allowing you to put this critical information into action in the form of zero-trust policies and informed decision-making. An SBOM provides no value when it lies dormant in a build directory. DeployHub puts the SBOM to work. 

DeployHub’s SBOM Management acts upon and consolidates your supply chain and DevOps intelligence. It continuously maintains a central ‘evidence store’ showing how low-level component changes impact application-level SBOMs and CVE reports over time. Without a central store for SBOM Management like DeployHub, generating an application-level SBOM in a cloud-native environment requires manual intervention, typically spreadsheets that quickly go out of date as new microservice versions enter the supply chain throughout the day.

SBOM Management and SCA Intelligence

In a cloud-native microservices architecture, your SBOMs are generated and managed at the microservice level. Microservices are pushed across your continuous delivery pipeline independently and frequently.

Every time a microservice is updated, every consuming ‘logical application’ gets a new version with a new SBOM and CVE report. Developers, DevOps Engineers, and Security teams struggle to keep up with the changes and cannot easily provide SBOM and CVE reporting for all impacted applications. The result is the absence of governance and of a historical audit trail of the changes pushed to end users.

DeployHub’s SBOM management solves this problem by centralizing the ‘evidence store’ data and continuously aggregating the information to the critical level, the ‘logical application.’ DeployHub provides the SBOM management and insights needed to harden the security of your end users’ software. 

SBOM Management at the Logical Application Level

The now famous Log4J security incident spotlighted the need for SBOMs. By interrogating SBOMs, you could easily see whether your application depended on a particular Log4J version. In 2022, the Biden Administration mandated that all software consumed by the US Government requires an SBOM, with the goal of hardening cybersecurity. Generating a monolithic SBOM during the build process can easily be done to meet this requirement. However, creating an application-level SBOM in a decoupled, cloud-native architecture can be a major headache. Each microservice has its own SBOM. To generate an SBOM at the application level, development teams need to know which versions of which microservices they are using and consolidate all of those SBOMs into a single report.

DeployHub’s central ‘evidence’ catalog aggregates SBOM data to the ‘logical application’ level simplifying this critical reporting step. For each update that is pushed to an end-user, DeployHub provides a report that shows the aggregated SBOM data, with all CVEs, without any manual toil.

Microservice Versions and SBOMs

Microservices are designed to move quickly across the DevOps Pipeline. Each decoupled service has an independent path from development through production. The result is that new microservice versions are created at high frequency, and each new version of a service produces a new SBOM and CVE report.

Unique to DeployHub is its method of versioning microservice updates. Each time a service is updated, DeployHub’s SBOM management captures the SBOM data and creates a new version number for the microservice. In addition, DeployHub creates a new version, SBOM, and CVE report for every impacted application. This automated cadence of microservice versioning provides the insights needed for difference reports and change analysis, and hardens cybersecurity with real-time data on which open-source packages are being consumed across the organization.

In a cloud-native architecture, rapid updates to microservices are the norm. Every microservice update affects every application that consumes it, producing a new SBOM and CVE report for each. Your DevOps pipeline will need to automate the collection of this data for every change moving across your environments.

SBOM Management and Your CI/CD Pipeline – a Critical Step

DeployHub’s SBOM management integrates into your Continuous Delivery pipeline to monitor microservice updates and capture new SBOM and CVE intelligence. If you are not already creating SBOMs, DeployHub’s pipeline integration can add SBOM generation to the process. Adding SBOM generation to your pipeline is a critical step in understanding what open-source software your solutions depend upon, and it is required to know your vulnerabilities and exposures. Skipping it is no longer an option: to respond quickly to new vulnerabilities, you must know what you consume.

With DeployHub’s data, you can easily define zero-trust policies, such as stopping a deployment if an underlying component has known vulnerabilities. In addition, DeployHub helps you evolve your pipeline into a microservices pipeline that includes security actions.
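The three steps described above, rolling per-microservice SBOMs up to a logical application, versioning the application on every service change, and gating a deployment on known CVEs, as an added Python example that is not part of this page or of DeployHub’s own code. It assumes a simplified CycloneDX-like SBOM shape, two constructed sample services and a placeholder vulnerability feed.

```python
import hashlib
import json

# Constructed sample data: two microservice SBOMs in a simplified CycloneDX-like
# shape. Package names and versions are illustrative, not real project data.
SERVICE_SBOMS = {
    "orders": {"version": "3.1.0", "components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "jackson-databind", "version": "2.13.0"}]},
    "payments": {"version": "1.4.2", "components": [
        {"name": "log4j-core", "version": "2.17.1"},
        {"name": "jackson-databind", "version": "2.13.0"}]},
}

# Constructed vulnerability feed: "name@version" -> advisory ids (placeholders).
KNOWN_VULNS = {"log4j-core@2.14.1": ["CVE-EXAMPLE-0001"]}

def aggregate_sbom(app_name, service_sboms):
    """Roll per-service SBOMs up into one logical-application SBOM."""
    # De-duplicate components by name@version and record which services
    # consume each one, so a finding can be traced back to a service.
    components = {}
    for svc, sbom in service_sboms.items():
        for comp in sbom["components"]:
            key = f"{comp['name']}@{comp['version']}"
            components.setdefault(key, {**comp, "consumed_by": []})
            components[key]["consumed_by"].append(svc)
    services = {svc: sbom["version"] for svc, sbom in service_sboms.items()}
    # Derive the application version from the set of service versions, so any
    # single service update automatically yields a new application version.
    digest = hashlib.sha256(json.dumps(services, sort_keys=True).encode()).hexdigest()
    return {"application": app_name, "version": digest[:12],
            "services": services, "components": list(components.values())}

def find_package(app_sbom, name):
    """Interrogate the application SBOM: every version of a package in use."""
    return [(c["version"], sorted(c["consumed_by"]))
            for c in app_sbom["components"] if c["name"] == name]

def policy_gate(app_sbom, known_vulns):
    """Zero-trust gate: block the deployment if any component has a known CVE."""
    findings = []
    for c in app_sbom["components"]:
        key = f"{c['name']}@{c['version']}"
        for cve in known_vulns.get(key, []):
            findings.append({"component": key, "cve": cve,
                             "services": sorted(c["consumed_by"])})
    return not findings, findings
```

Updating the `orders` service to a patched log4j-core version produces a new application version and clears the gate, which is the difference report a pipeline would act on.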

An Open-Source SBOM Tool

DeployHub is based on the Ortelius open-source project incubating at the Continuous Delivery Foundation.


Get started centralizing all SBOM data with DeployHub’s SaaS SBOM Tool and “evidence catalog.”

Got questions?  Join our Discord channel and start a discussion. Open an issue on GitHub.