Software Bill of Material (SBOM) Tools and CVEs Aggregated to the Logical Application


SBOM tools and Cybersecurity

SBOM tools are critical in hardening cybersecurity, which is why DeployHub is laser-focused on consuming and leveraging SBOM data. DeployHub is a unified ‘evidence’ catalog for tracking microservice SBOM information. DeployHub’s superpower is its ability to aggregate this critical data to all ‘logical application’ versions, even in a decoupled microservices architecture. Using DeployHub’s SBOM tool, you automate the collection of SBOM data allowing you to put this critical information into action in the form of zero-trust policies and informed decision-making. An SBOM provides no value when it lies dormant in a build directory. DeployHub puts the SBOM to work. 

DeployHub acts upon and consolidates your supply chain and DevOps intelligence. It continuously builds a central ‘evidence store’ showing how low-level component changes impact application-level SBOMs and CVE reports over time. Without an SBOM tool like DeployHub, generating an application-level SBOM in a cloud-native environment is nearly impossible without the toil of manual intervention: spreadsheets that become outdated as soon as new microservice versions enter the supply chain, which in a busy pipeline happens all day long. 

DeployHub Centralizes SBOM and SCA Intelligence

In a cloud-native microservices architecture, your SBOMs are generated and managed at the microservice level. Microservices are pushed across your continuous delivery pipeline independently and frequently. Every time a microservice is updated, every ‘logical application’ that consumes it has a new version with a new SBOM and CVE report. Developers, DevOps Engineers, and Security teams struggle to keep up with the changes and cannot easily provide SBOM and CVE reporting for all impacted applications. The result is an absence of governance and of a historical audit trail of the changes pushed to end users.

DeployHub’s SBOM tool solves this problem by centralizing the ‘evidence store’ data and continuously aggregating the information to the critical level, the ‘logical application.’ DeployHub provides the insights needed to harden the security of the software your end users consume. 

Aggregating Your Logical Application SBOM

The now famous Log4j security incident (Log4Shell, CVE-2021-44228) spotlighted the need for SBOMs. By interrogating SBOMs, you could quickly see whether your application depended on an affected Log4j version. In May 2021, the Biden Administration’s Executive Order 14028 on Improving the Nation’s Cybersecurity directed federal agencies to require SBOMs from their software suppliers, with the goal of hardening cybersecurity. Generating a monolithic SBOM during the build process can easily be done to meet this requirement. However, creating an application-level SBOM in a decoupled, cloud-native architecture can be a major headache. Each microservice has its own SBOM. To generate an SBOM at the application level, development teams need to know which versions of which microservices the application is composed of and consolidate all of their SBOMs into a single report.

DeployHub’s central ‘evidence’ catalog aggregates SBOM data to the ‘logical application’ level simplifying this critical reporting step. For each update that is pushed to an end-user, DeployHub provides a report that shows the aggregated SBOM data, with all CVEs, without any manual toil.

Aggregated Application SBOM and CVE

Microservice Versions and SBOMs

Microservices are designed to move quickly across the DevOps pipeline. Each decoupled service has an independent path from development through production. The result is that new versions of microservices are created at high frequency. For each new version of a service, a new SBOM and CVE report is created. Unique to DeployHub is its method of versioning microservice updates. Each time a service is updated, DeployHub’s SBOM tool captures the SBOM data and creates a new version number for the microservice. In addition, DeployHub creates a new version, SBOM, and CVE report for every impacted application. This automated cadence of microservice versioning provides the insight needed to produce difference reports, understand what changed, and harden cybersecurity with real-time data on which open-source packages are being consumed across the organization. 
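The aggregation and versioning described above, as an added example written for this page (it is not DeployHub or Ortelius code): a handful of constructed per-service SBOMs in a minimal CycloneDX-like shape (components identified by purl, vulnerabilities referencing the purls they affect) are merged into a logical-application SBOM, a new application version is recorded on every service push, and two application versions are diffed. The service and application names, the `payments-commons` package and the SBOM layout are assumptions; the only real data point is Log4Shell (CVE-2021-44228) on log4j-core 2.14.1.

```python
"""Aggregate per-microservice SBOMs into a versioned logical-application SBOM.

Added example; not DeployHub or Ortelius code. The SBOM shape is a small
CycloneDX-like subset (components identified by purl, vulnerabilities that
reference the purls they affect). All service SBOMs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

LOG4J_214 = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
LOG4J_217 = "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
COMMONS = "pkg:maven/com.example/payments-commons@4.2.0"  # constructed package

# Constructed per-service SBOMs keyed by "service:version". The CVE on
# log4j-core 2.14.1 is real (Log4Shell); everything else is made up.
SERVICE_SBOMS = {
    "orders:1.4.0": {
        "components": [{"purl": LOG4J_214, "name": "log4j-core", "version": "2.14.1"}],
        "vulnerabilities": [{"id": "CVE-2021-44228", "severity": "critical", "affects": [LOG4J_214]}],
    },
    "orders:1.5.0": {  # same service after upgrading log4j
        "components": [{"purl": LOG4J_217, "name": "log4j-core", "version": "2.17.1"}],
        "vulnerabilities": [],
    },
    "payments:3.2.1": {
        "components": [
            {"purl": LOG4J_217, "name": "log4j-core", "version": "2.17.1"},
            {"purl": COMMONS, "name": "payments-commons", "version": "4.2.0"},
        ],
        "vulnerabilities": [],
    },
}


def aggregate_sbom(services: Dict[str, str]) -> dict:
    """Merge the SBOMs of the given service versions into one application SBOM.

    Components are de-duplicated by purl (a package shared by two services
    appears once, with both consumers listed); CVEs are de-duplicated by id.
    """
    components: Dict[str, dict] = {}
    vulns: Dict[str, dict] = {}
    for svc, ver in services.items():
        sbom = SERVICE_SBOMS[f"{svc}:{ver}"]
        for c in sbom["components"]:
            components.setdefault(c["purl"], {**c, "consumers": []})["consumers"].append(svc)
        for v in sbom["vulnerabilities"]:
            entry = vulns.setdefault(v["id"], {"id": v["id"], "severity": v["severity"], "affects": set()})
            entry["affects"].update(v["affects"])
    return {
        "components": sorted(components.values(), key=lambda c: c["purl"]),
        "vulnerabilities": [{**v, "affects": sorted(v["affects"])} for v in vulns.values()],
    }


@dataclass
class AppVersion:
    app: str
    version: int               # monotonically increasing per logical application
    services: Dict[str, str]   # service name -> service version at this point in time
    sbom: dict                 # aggregated application SBOM and CVE list


class EvidenceStore:
    """Every service update creates a new version of each consuming application."""

    def __init__(self) -> None:
        self.history: Dict[str, List[AppVersion]] = {}

    def record_service_update(self, app: str, service: str, version: str) -> AppVersion:
        prior = self.history.setdefault(app, [])
        services = dict(prior[-1].services) if prior else {}
        services[service] = version
        new = AppVersion(app, len(prior) + 1, services, aggregate_sbom(services))
        prior.append(new)
        return new


def diff_versions(old: AppVersion, new: AppVersion) -> dict:
    """Difference report between two application versions."""
    old_c = {c["purl"] for c in old.sbom["components"]}
    new_c = {c["purl"] for c in new.sbom["components"]}
    old_v = {v["id"] for v in old.sbom["vulnerabilities"]}
    new_v = {v["id"] for v in new.sbom["vulnerabilities"]}
    return {
        "components_added": sorted(new_c - old_c),
        "components_removed": sorted(old_c - new_c),
        "cves_introduced": sorted(new_v - old_v),
        "cves_resolved": sorted(old_v - new_v),
    }


def demo() -> dict:
    """Three service pushes to one logical application; returns the last diff."""
    store = EvidenceStore()
    store.record_service_update("storefront", "orders", "1.4.0")         # v1: Log4Shell present
    v2 = store.record_service_update("storefront", "payments", "3.2.1")  # v2: still present, orders unchanged
    v3 = store.record_service_update("storefront", "orders", "1.5.0")    # v3: orders upgraded log4j
    return diff_versions(v2, v3)


if __name__ == "__main__":
    print(demo())
```

Note that the second application version is created by a push to `payments` even though the vulnerable component lives in `orders`; the CVE therefore stays attached to the application until the service that actually carries the package is updated, which is exactly what the per-application history makes visible.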

Component Versioning

SBOM Tools and Your CI/CD Pipeline – a Critical Step

DeployHub’s SBOM tool integrates into your Continuous Delivery pipeline to monitor microservice updates and capture new SBOM and CVE intelligence. If you are not already creating SBOMs, DeployHub’s pipeline integration can add SBOM generation to the process. Adding SBOM generation to your pipeline is a critical step in understanding which open-source software your solutions depend upon, and it is a prerequisite for knowing your vulnerabilities and exposures. At this point it is no longer optional: to respond quickly to a newly disclosed vulnerability, you must know what you consume.

With DeployHub’s data, you can define zero-trust policies, such as stopping a deployment if an underlying component has known vulnerabilities. In addition, DeployHub helps you evolve your pipeline into a microservices pipeline that includes security actions as first-class steps. 
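The deployment gate described above, as an added example written for this page and not DeployHub’s own policy engine: the input is the application-level vulnerability list that an aggregated SBOM report would carry (id, severity, affected purls), and the policy blocks at a severity threshold, warns below it, fails closed when no report exists or a severity is unrecognised, and honours accepted-risk exceptions only until their expiry date. The policy values, the ticket number, the `EXAMPLE-MEDIUM-1` finding and the report layout are assumptions; Log4Shell on log4j-core 2.14.1 is the only real finding.

```python
"""Deployment gate: evaluate an aggregated application CVE report against a policy.

Added example, not DeployHub's policy engine. Input is the application-level
'vulnerabilities' list (id, severity, affected purls) such as an aggregated
SBOM report would carry; all report data and ticket numbers are constructed.
"""
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy. Exceptions are accepted-risk entries tied to a ticket and an
# expiry date, so a waived CVE is re-examined instead of silently staying waived.
POLICY = {
    "block_at_or_above": "high",
    "warn_at_or_above": "medium",
    "exceptions": {"CVE-2021-44228": {"ticket": "SEC-101", "expires": date(2021, 12, 31)}},
}

LOG4J_214 = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"

# Constructed reports. Log4Shell on log4j-core 2.14.1 is real; the medium finding
# and its identifier are made up for illustration.
REPORT_BEFORE_UPGRADE = [
    {"id": "CVE-2021-44228", "severity": "critical", "affects": [LOG4J_214]},
]
REPORT_WITH_MEDIUM = [
    {"id": "EXAMPLE-MEDIUM-1", "severity": "medium",
     "affects": ["pkg:maven/com.example/payments-commons@4.2.0"]},
]


def evaluate_gate(report: Optional[List[dict]], policy: dict, today: date) -> Tuple[bool, List[str]]:
    """Return (allow, findings).

    Fails closed: a missing report, or a severity the policy does not recognise,
    is treated as blocking rather than ignored.
    """
    if report is None:
        return False, ["BLOCK: no CVE report for this application version"]
    block_rank = SEVERITY_RANK[policy["block_at_or_above"]]
    warn_rank = SEVERITY_RANK[policy["warn_at_or_above"]]
    allow, findings = True, []
    for v in report:
        rank = SEVERITY_RANK.get(str(v.get("severity", "")).lower(), SEVERITY_RANK["critical"])
        where = ", ".join(v["affects"])
        if rank >= block_rank:
            exc = policy["exceptions"].get(v["id"])
            if exc and exc["expires"] >= today:
                findings.append(f"WAIVED: {v['id']} on {where} (ticket {exc['ticket']}, expires {exc['expires']})")
            elif exc:
                allow = False
                findings.append(f"BLOCK: {v['id']} on {where}; waiver {exc['ticket']} expired {exc['expires']}")
            else:
                allow = False
                findings.append(f"BLOCK: {v['id']} ({v['severity']}) on {where}")
        elif rank >= warn_rank:
            findings.append(f"WARN: {v['id']} ({v['severity']}) on {where}")
    return allow, findings


if __name__ == "__main__":
    # Same report, evaluated before and after the waiver expires.
    for today in (date(2021, 12, 20), date(2022, 1, 15)):
        ok, notes = evaluate_gate(REPORT_BEFORE_UPGRADE, POLICY, today)
        print(today, "deploy" if ok else "stop", notes)
```

Passing `today` in explicitly keeps the gate deterministic in CI and makes the expiry behaviour testable; in a real pipeline the exceptions would come from a tracked file or service rather than a literal in the script.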

DeployHub and Continuous Delivery


An Open-Source SBOM Tool

DeployHub is based on the Ortelius open-source project incubating at the Continuous Delivery Foundation.

Signup and Get Started

Get started centralizing all SBOM data with DeployHub’s SaaS SBOM Tool and “evidence catalog.”

Got questions? Join our Discord channel and start a discussion, or open an issue on GitHub.