SBOM Key Concepts

Managing SBOMs Across The Pipeline

Managing SBOM data across Components, Applications, and Organizational Silos

What is SBOM Management?

SBOM management is the process of tracking Software Bill of Materials (SBOM) reports as they are generated across the DevOps pipeline. An SBOM provides little benefit when it is left dormant in the build directory where it was generated. Managing SBOMs puts that data to use: it gives actionable insight into open-source package usage and supply chain impact, and it feeds real-time vulnerability scanning and reporting.

Why is SBOM Management Important?

SBOM Management is critical in hardening cybersecurity, so DeployHub is laser-focused on managing SBOMs (Software Bills of Materials). At the most basic level, SBOM data is needed to determine which common vulnerabilities and exposures (CVEs) affect your software. SBOMs also provide the licensing and provenance information needed to decide which open-source packages should be excluded from your internal supply chain. Managing the SBOMs that are generated is the first line of defense against supply chain attacks.

While adding SBOM generation to your DevOps process is important, managing the resulting SBOM data is critical for defining zero-trust policies, vulnerability warning systems, and software supply chain intelligence. SBOM data left in build directories is not actionable. DeployHub puts the SBOM to work. Managing the SBOM data and its changes over time provides the insight needed to make data-driven decisions about the software you deliver to end users.

DeployHub is a software supply chain management catalog that consumes SBOMs and leverages the data. DeployHub’s superpower is its ability to aggregate critical security and DevOps intelligence data to all ‘logical’ applications in a decoupled architecture. DeployHub’s SBOM Management acts upon and consolidates your supply chain and DevOps intelligence. It continuously maintains a central ‘evidence store’ showing how low-level component changes affect application-level SBOMs and CVE reports over time. Without a central software supply chain catalog to manage SBOMs, generating an application-level SBOM in a cloud-native environment is impractical.

SBOM Management at the Logical Application Level

The now famous Log4J security incident spotlighted the need for SBOMs. By interrogating SBOMs, you could quickly see whether your application depended on a particular Log4J version. Executive Order 14028 in 2021, followed by OMB guidance in 2022, made SBOMs part of the US Government’s requirements for the software it procures, with the goal of hardening cybersecurity. Generating a monolithic SBOM during the build process can easily be done to meet this requirement. However, creating an application-level SBOM in a decoupled, cloud-native architecture can be a major headache. Each component has its own SBOM. To generate an SBOM at the application level, development teams need to know which versions of each component they are using and consolidate all of those SBOMs into a single report. DeployHub’s software supply chain management catalog aggregates SBOM data to the ‘logical application’ level, simplifying this critical reporting step. For each update that is pushed to an end user, DeployHub provides a report that shows the aggregated SBOM data, with all CVEs, without any manual toil.

Component Versions and SBOMs

A decoupled architecture is designed to move updates quickly across the DevOps pipeline. Each decoupled component has an independent path from development through production. The result is that new versions of independent components are created at high frequency, and a new SBOM and CVE report is created for each new component version.

Unique to DeployHub is its method of versioning component updates. Each time a service is updated, DeployHub’s SBOM management captures the SBOM data and creates a new version number for the component. In addition, DeployHub creates a new version, SBOM, and CVE report for every impacted application. This automated cadence of component versioning provides the insight needed for difference reports, trend analysis, and hardening cybersecurity. With real-time data, DeployHub exposes which open-source packages, third-party components, and shared internal components are being consumed across the organization.

In a cloud-native architecture, rapid updates to components are the norm. Every component update affects every application that consumes it, and each affected application needs a new SBOM and CVE report. Your DevOps pipeline will need to automate the collection of this data for every change moving across your environments.
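The two ideas above, aggregating per-component SBOMs into a ‘logical application’ SBOM (the Log4J question in the previous section) and producing a difference report between two application versions, can be shown in a few dozen lines. The following is an added example in plain Python, not DeployHub’s own code. The component names, application snapshots and CycloneDX-style package entries are constructed for illustration and trimmed to the fields the code uses.

```python
"""Aggregate per-component SBOMs into a logical application SBOM and diff two
application versions.

Added example illustrating the aggregation described on this page; it is not
DeployHub's code. All SBOM documents below are constructed and trimmed to the
fields used here (CycloneDX-style JSON shape).
"""
import json
from collections import defaultdict

# Constructed per-component SBOMs, keyed by (component, version). In a real
# pipeline each build would write its own document (syft, cyclonedx-cli, ...).
COMPONENT_SBOMS = {
    ("store-api", "1.4.0"): {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ]},
    ("store-api", "1.5.0"): {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ]},
    ("inventory", "0.9.2"): {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"name": "jackson-databind", "version": "2.12.7",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.7"},
    ]},
    ("checkout", "3.2.0"): {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    ]},
}

# Logical application versions: a snapshot of which component versions were live.
APP_VERSIONS = {
    "storefront@42": {"store-api": "1.4.0", "inventory": "0.9.2", "checkout": "3.2.0"},
    "storefront@43": {"store-api": "1.5.0", "inventory": "0.9.2", "checkout": "3.2.0"},
}


def aggregate(app_version):
    """Merge the component SBOMs of one application snapshot.

    Keyed by purl, so the same package at two different versions stays visible
    as two entries, each recording which components pull it in.
    """
    merged = defaultdict(lambda: {"name": None, "version": None, "consumed_by": []})
    for comp, ver in sorted(APP_VERSIONS[app_version].items()):
        for pkg in COMPONENT_SBOMS[(comp, ver)]["components"]:
            entry = merged[pkg["purl"]]
            entry["name"], entry["version"] = pkg["name"], pkg["version"]
            entry["consumed_by"].append(f"{comp}@{ver}")
    return dict(merged)


def find_package(app_version, name):
    """The Log4J question: which versions of `name` does this application run,
    and through which components?"""
    return sorted((e["version"], tuple(e["consumed_by"]))
                  for e in aggregate(app_version).values() if e["name"] == name)


def diff(old_version, new_version):
    """Difference report between two application versions."""
    old, new = aggregate(old_version), aggregate(new_version)
    changed = sorted(c for c in APP_VERSIONS[new_version]
                     if APP_VERSIONS[old_version].get(c) != APP_VERSIONS[new_version][c])
    return {"changed_components": changed,
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def to_cyclonedx(app_version):
    """Emit the aggregated application SBOM as a CycloneDX-style document,
    recording the consuming components as component properties."""
    app_name, app_ver = app_version.split("@")
    components = [{"name": e["name"], "version": e["version"], "purl": purl,
                   "properties": [{"name": "consumed_by", "value": c} for c in e["consumed_by"]]}
                  for purl, e in sorted(aggregate(app_version).items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"name": app_name, "version": app_ver}},
            "components": components}


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx("storefront@43"), indent=2))
    print(find_package("storefront@42", "jackson-databind"))
    print(diff("storefront@42", "storefront@43"))
```

Keying the merge by purl rather than by package name is the point of the example: `jackson-databind` appears twice in `storefront@42`, at 2.12.7 via `inventory` and at 2.13.4 via `store-api`, and collapsing those into one entry would hide the older copy. The diff between `storefront@42` and `storefront@43` then shows exactly one changed component and the single package it swapped.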

SBOM Management and Your CI/CD Pipeline – a Critical Step

DeployHub’s SBOM management integrates into your Continuous Delivery pipeline to monitor independently deployed component updates and capture new SBOM and CVE intelligence. If you are not already creating SBOMs, DeployHub’s integration into your DevOps pipeline can add SBOM generation to the process. Adding SBOM generation to your pipeline is a critical step in understanding which open-source software your solutions depend upon, and it is required to know your vulnerabilities and exposures. At this point it is no longer optional: to respond quickly to a new vulnerability, you must know what you consume.

With DeployHub’s data, you can easily define zero-trust policies, such as stopping a deployment if an underlying component has known vulnerabilities. 
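A deployment gate of the kind described above, as an added example in plain Python (not DeployHub’s code): it takes an application snapshot whose components carry the purls from their SBOMs, joins them against a vulnerability list, and denies the deployment when a finding at or above a severity threshold has no unexpired exception. The purls, the `EXAMPLE-*` vulnerability IDs, the severities and the exception list are all constructed for illustration.

```python
"""Deployment gate driven by application-level SBOM data.

Added example of the zero-trust policy described on this page, written in
plain Python; it is not DeployHub's own code. The package purls, vulnerability
IDs (EXAMPLE-*), severities and the exception list are constructed.
"""
import sys
from datetime import date

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed vulnerability data keyed by purl. In practice this is the CVE
# report produced when each component SBOM was scanned.
VULN_FEED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": [
        {"id": "EXAMPLE-0001", "severity": "critical", "fixed_in": "2.17.1"},
    ],
    "pkg:pypi/requests@2.28.1": [
        {"id": "EXAMPLE-0002", "severity": "high", "fixed_in": "2.31.0"},
    ],
}

# Accepted-risk exceptions name the finding, the exact purl and an expiry date,
# so a waiver cannot silently outlive the package version it was granted for.
EXCEPTIONS = [
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/requests@2.28.1", "expires": "2030-01-01",
     "reason": "not reachable from checkout; upgrade scheduled"},
]

# Constructed application snapshots: each component carries the purls from its SBOM.
APP_OLD = {"name": "storefront", "version": "42", "components": [
    {"name": "store-api@1.4.0", "sbom": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"name": "checkout@3.2.0", "sbom": ["pkg:pypi/requests@2.28.1"]},
]}
APP_NEW = {"name": "storefront", "version": "43", "components": [
    {"name": "store-api@1.5.0", "sbom": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    {"name": "checkout@3.2.0", "sbom": ["pkg:pypi/requests@2.28.1"]},
]}
APP_NO_SBOM = {"name": "storefront", "version": "44", "components": [
    {"name": "legacy-batch@7", "sbom": []},
]}


def evaluate(app, threshold="high", today=None, feed=VULN_FEED, exceptions=EXCEPTIONS):
    """Return (allow, findings) for one application snapshot.

    Fails closed: a component with no SBOM data blocks the deployment just as a
    vulnerable one does, because "unknown" is not the same as "clean".
    `today` is an ISO date string, defaulting to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    limit = SEVERITY_RANK[threshold]
    findings = []
    for comp in app["components"]:
        if not comp.get("sbom"):
            findings.append({"component": comp["name"], "purl": None, "id": None,
                             "severity": "unknown", "blocking": True,
                             "note": "no SBOM attached; cannot assess"})
            continue
        for purl in comp["sbom"]:
            for vuln in feed.get(purl, []):
                waived = any(e["id"] == vuln["id"] and e["purl"] == purl
                             and date.fromisoformat(e["expires"]) > today
                             for e in exceptions)
                blocking = SEVERITY_RANK[vuln["severity"]] >= limit and not waived
                findings.append({"component": comp["name"], "purl": purl, "id": vuln["id"],
                                 "severity": vuln["severity"], "blocking": blocking,
                                 "note": "waived" if waived else f"fixed in {vuln['fixed_in']}"})
    return not any(f["blocking"] for f in findings), findings


def gate(app, **kwargs):
    """Pipeline entry point: print the findings and return the process exit code."""
    allow, findings = evaluate(app, **kwargs)
    label = f"{app['name']}@{app['version']}"
    for finding in findings:
        flag = "BLOCK" if finding["blocking"] else "info "
        print(f"{flag} {label} {finding['component']} {finding['id']} "
              f"{finding['severity']} ({finding['note']})")
    print("ALLOW" if allow else "DENY", label)
    return 0 if allow else 1


if __name__ == "__main__":
    sys.exit(max(gate(APP_OLD), gate(APP_NEW), gate(APP_NO_SBOM)))
```

Run from a pipeline step, a non-zero exit from `gate` stops the deployment. The three snapshots exercise the three outcomes a practitioner cares about: `storefront@42` is denied on the critical Log4J finding, `storefront@43` is allowed because its only finding is waived, and `storefront@44` is denied because a component arrived with no SBOM at all. Passing a later `today` than the exception’s expiry flips `storefront@43` back to denied, which is the behaviour you want from a time-boxed risk acceptance.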

Conclusion

Generating SBOMs for each component delivered to end users is critical. However, generating an Application SBOM in a decoupled environment is impractical by hand. Each ‘logical’ Application could have hundreds of SBOMs that change daily. To capture an application-level SBOM, DeployHub snapshots component configuration data, including SBOMs, continuously creating new ‘logical’ application versions to represent the aggregated whole. Application-level SBOMs are available for each release with no extra effort from IT teams.

DeployHub Makes it Easy to Consume, Manage and View SBOM Data

DeployHub federates and leverages Software Bill of Materials (SBOM) data from each piece of software in your supply chain, providing sweeping organizational views of where a particular software component is used and where it is running.

Learn More

Start Managing SBOMs Across the DevOps Pipeline Today

Sign up for DeployHub Team and Start Managing SBOMs in a Central Evidence Store for Free

Sign up for DeployHub Team, the free SaaS software supply chain security platform. DeployHub Team is based on the Ortelius open-source project, which is incubating at the Continuous Delivery Foundation.

Sign up Today

Learn More - SBOM Key Concepts

SBOM Automation

SBOM automation generates, as part of your DevOps pipeline, a list of all software components, libraries, and dependencies that make up a software application, and then consumes the resulting data.

SBOMs and Cybersecurity

SBOMs play a key role in solving the cybersecurity challenge. Learn why generating SBOMs is essential to harden the software supply chain.

SBOM Consumption

SBOM consumption is the process of analyzing and utilizing the data contained within an SBOM document.

Understanding SBOMs

The Software Bill of Materials (SBOM) has finally been recognized as an essential tool in the security toolbox. This article reviews what you need to know about SBOMs.

SBOM Requirements

Learn the US Government’s SBOM requirements and how DeployHub generates a federated SBOM in a decoupled environment to meet them.

Suggested Whitepaper

Aggregating SBOM data to the ‘logical’ Application level is required if you need to produce an Application SBOM in a decoupled architecture. Learn how DeployHub provides aggregated SBOM reports from hundreds of component SBOMs.

Get the Whitepaper

SBOMs in a decoupled architecture

Further Reading