{"id":103,"date":"2023-03-07T07:25:00","date_gmt":"2023-03-07T07:25:00","guid":{"rendered":"https:\/\/cloudtechner.com\/blog\/?p=103"},"modified":"2024-06-13T11:05:21","modified_gmt":"2024-06-13T11:05:21","slug":"sbom-a-way-to-increase-security-transparency-visibility-into-software-supply-chain","status":"publish","type":"post","link":"https:\/\/cloudtechner.com\/blog\/sbom-a-way-to-increase-security-transparency-visibility-into-software-supply-chain\/","title":{"rendered":"SBOM \u2014 A Way to increase Security, Transparency &#038; Visibility into Software Supply chain"},"content":{"rendered":"\n<p>Author: <a href=\"https:\/\/www.linkedin.com\/in\/sandeep070581\">Sandeep Bajpai<\/a>, Senior Architect<\/p>\n\n\n<div class=\"taxonomy-post_tag wp-block-post-terms\"><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/modernization\/\" rel=\"tag\">Modernization<\/a><span class=\"wp-block-post-terms__separator\">, <\/span><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/sbom\/\" rel=\"tag\">SBOM<\/a><span class=\"wp-block-post-terms__separator\">, <\/span><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/software-bill-of-material\/\" rel=\"tag\">Software Bill of Material<\/a><span class=\"wp-block-post-terms__separator\">, <\/span><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/software-inventory\/\" rel=\"tag\">Software Inventory<\/a><span class=\"wp-block-post-terms__separator\">, <\/span><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/software-licenses\/\" rel=\"tag\">Software Licenses<\/a><span class=\"wp-block-post-terms__separator\">, <\/span><a href=\"https:\/\/cloudtechner.com\/blog\/tag\/software-supply-chain\/\" rel=\"tag\">Software Supply Chain<\/a><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p id=\"5c4f\"><strong>\u201c SBOM \u2014 What\u2019s that ? 
\u201c Don\u2019t worry, it\u2019s not a bomb or a soft bomb \ud83d\ude03\u201d<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*XJgZzciSUJQcLAcPkBud5Q.png\" alt=\"\"\/><figcaption class=\"wp-element-caption\">SBOM<\/figcaption><\/figure>\n\n\n\n<p id=\"85fe\">SBOM stands for&nbsp;<strong>Software Bill of Materials<\/strong>. It is a comprehensive, machine-readable inventory of all the components and dependencies that make up a software product: every software component, library and dependency used to build it, along with its version, supplier, license information and other relevant metadata (such as package URLs and hashes that pin the exact artifact).<\/p>\n\n\n\n<p id=\"9f6e\"><strong><em>\u201cLet\u2019s understand with an example\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"d669\">A seasoned Project Manager and a Technical Architect decided to build a software product. They put together a team of developers and asked them to develop one module of the product. The development team started work and soon realised that they would need some open source or licensed libraries to complete the module\u2019s functionality. They pulled in the open source modules, packaged the module and deployed it to the test environment. 
While reviewing the code, the Technical Architect noticed the following lines written by two different developers:<\/p>\n\n\n\n<p id=\"1b3e\">Developer 1 code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import random  # Python standard library<br><br># generate a random number between 1 and 10<br>random_number = random.randint(1, 10)<br><br># print the random number<br>print(\"Random number:\", random_number)<\/code><\/pre>\n\n\n\n<p id=\"84ab\">Developer 2 code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import modern  # third-party package: which version, which license, who vetted it?<br><br># generate a random number between 1 and 10<br>modern_number = modern.randint(1, 10)<br><br># print the random number<br>print(\"Modern number:\", modern_number)<\/code><\/pre>\n\n\n\n<p id=\"7cca\">From this review the Technical Architect realised that developer 1 had used a standard-library module while developer 2 had imported a third-party library, and that there were probably more modules, libraries and packages in the build that the internal security team had never scanned. The Architect asked the Project Manager to collect the list of modules, packages and libraries used while developing the module.<\/p>\n\n\n\n<p id=\"2514\">The Project Manager worked with the development team and created a detailed list (including vendor details, licensing and version) of the software, modules and packages used to build the module. This list is called a \u201cSoftware Bill of Materials\u201d, or SBOM.<\/p>\n\n\n\n<p id=\"5606\"><strong><em>\u201cSBOM \u2014 Is it important or beneficial to integrate?\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"d1da\">Following are the benefits of creating an SBOM:<\/p>\n\n\n\n<ul>\n<li>Improved Software Supply Chain Security: with the growing number of software supply chain attacks, an SBOM lets you identify the vulnerabilities and risks associated with the open source components you ship. When a new vulnerability is published against a component, you can quickly tell which products contain the affected version instead of rescanning everything.<\/li>\n\n\n\n<li>Compliance and Legal Obligations: many software products use third-party tools and libraries, including open source components, which come with different types of licenses. An SBOM identifies the licenses and other legal obligations attached to each component, which helps with compliance and avoids legal issues.<\/li>\n\n\n\n<li>Increased Transparency: an SBOM provides a comprehensive list of all the software components and dependencies used to create a software product, which increases transparency and trust between software vendors and users.<\/li>\n\n\n\n<li>Efficient Patch Management: with an SBOM, software vendors can quickly identify the components that need to be updated or patched.<\/li>\n\n\n\n<li>Better Risk Management: an SBOM helps identify the vulnerabilities and risks associated with third-party tools and libraries, especially open source components, before they reach production.<\/li>\n<\/ul>\n\n\n\n<p id=\"4abe\"><strong><em>\u201cHow would you create and manage an SBOM for a large and complex software product or environment?\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"f302\"><strong>Manually \u2026\u2026\u2026 \u267f\ufe0f<\/strong><\/p>\n\n\n\n<p id=\"dbaa\">Creating a Software Bill of Materials (SBOM) for an operating system or a software product can be a complex task due to the number of components involved. 
However, the following steps can be used as a general guide:<\/p>\n\n\n\n<ul>\n<li><em>Identify all the components<\/em>: Identify all the software components and dependencies that make up the operating system, including the kernel, drivers, libraries, applications, and other system software. Do not stop at direct dependencies: the transitive dependencies pulled in by your libraries belong in the inventory too.<\/li>\n\n\n\n<li><em>Gather metadata<\/em>: Gather metadata for each component, including the supplier, name, version, a unique identifier (such as a package URL or file hash) that pins the exact artifact, license information, and any relevant security or compliance information.<\/li>\n\n\n\n<li><em>Validate the SBOM<\/em>: Validate the SBOM to ensure that all the components and metadata are accurate and complete. This can be done by cross-checking the SBOM against the software components actually installed in the operating system (for example the package manager database): components present on the system but missing from the SBOM are unscanned risk, and components listed in the SBOM but not installed mean the SBOM is stale.<\/li>\n\n\n\n<li><em>Publish the SBOM<\/em>: Publish the SBOM in a standardized, machine-readable format such as SPDX, CycloneDX, or SWID, and make it available to stakeholders such as software vendors, users, and regulators.<\/li>\n\n\n\n<li><em>Maintain the SBOM<\/em>: Maintain the SBOM by updating it whenever software components are added, removed or upgraded, ideally by regenerating it as part of each build or release rather than editing it by hand, because an SBOM that no longer matches the shipped artifact gives false assurance.<\/li>\n<\/ul>\n\n\n\n<p id=\"0c34\"><strong>Automatically \u2026 \ud83e\udd16<\/strong><\/p>\n\n\n\n<ul>\n<li><em>Use automated tools<\/em>: Use automated tools to scan the operating system, filesystem or container image and generate the list of components and metadata. There are various open source and commercial tools available that can help in creating an SBOM. 
Below are some tools that generate an SBOM automatically:<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p id=\"25fb\">FOSSology<\/p>\n\n\n\n<p id=\"c2a1\">WhiteSource (now Mend)<\/p>\n\n\n\n<p id=\"aa2b\">Sonatype Nexus<\/p>\n\n\n\n<p id=\"f64e\">CycloneDX (the standard, together with its own generator tooling)<\/p>\n\n\n\n<p id=\"6ffe\">Syft<\/p>\n<\/blockquote>\n\n\n\n<p id=\"93b6\">In short, creating an SBOM for an operating system means identifying all the components, gathering their metadata, using automated tools where possible, validating the result, publishing it in a standardized format, and maintaining it regularly.<\/p>\n\n\n\n<p id=\"7990\"><strong><em>\u201cLet us take an example to walk through the SBOM creation process using the Syft tool\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"66ed\">Suppose you have a Linux machine and you want to generate an SBOM for the server. The process is straightforward:<\/p>\n\n\n\n<p id=\"9f62\">a) Install the tool.<\/p>\n\n\n\n<p id=\"e7a0\">b) Run the tool.<\/p>\n\n\n\n<p id=\"d679\">To make it easier, below is a script that generates a CycloneDX SBOM for a specific filesystem path on your Linux operating system:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash<br>set -euo pipefail<br><br># Check if syft is already installed<br>if ! command -v syft &gt;\/dev\/null 2&gt;&amp;1<br>then<br>  echo \"Syft is not installed. Installing Syft now...\"<br>  # This fetches the latest release. For production builds pin a release tag and verify<br>  # the checksum of what the installer fetched rather than piping an unpinned script into sh.<br>  curl -sSfL https:\/\/raw.githubusercontent.com\/anchore\/syft\/main\/install.sh | sh -s -- -b \/usr\/local\/bin<br>else<br>  echo \"Syft is installed\"<br>  syft version<br>fi<br><br># Check if jq is already installed (optional, for post-processing the SBOM later)<br>if ! command -v jq &gt;\/dev\/null 2&gt;&amp;1<br>then<br>  echo \"jq is not installed. Installing jq now...\"<br>  yum install -y jq    # use apt-get on Debian\/Ubuntu hosts<br>else<br>  echo \"jq is installed\"<br>fi<br><br># Generate an SBOM for a specific filesystem path (here \/opt) in CycloneDX XML<br>mkdir -p \/opt\/sbom\/output<br>echo \"Generating SBOM ...\"<br>syft dir:\/opt -o cyclonedx-xml --file \/opt\/sbom\/output\/sbom-raw-opt.xml<br>echo \"SBOM written to \/opt\/sbom\/output\/sbom-raw-opt.xml\"<\/code><\/pre>\n\n\n\n
<p id=\"0dcc\"><strong><em>\u201cYour SBOM is ready \u2026 What\u2019s next?\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"786f\">Your SBOM is ready. Now feed it into a \u201ccontinuous SBOM analysis platform\u201d, which keeps matching the components in the SBOM against newly published vulnerability and license data; one such platform is&nbsp;<a href=\"https:\/\/dependencytrack.org\/\" rel=\"noreferrer noopener\" target=\"_blank\">Dependency Track<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*vvpo7W59uPRDoaSS5xyhaA.png\" alt=\"\"\/><figcaption class=\"wp-element-caption\">SBOM Generation &amp; Injection into SBOM Analysis Platform<\/figcaption><\/figure>\n\n\n\n<p id=\"fb01\">Want to learn more about&nbsp;<strong>SBOM analysis platforms<\/strong>? Wait for my next blog.<\/p>\n\n\n\n<p id=\"0425\"><strong><em>\u201cA few other use cases\u201d<\/em><\/strong><\/p>\n\n\n\n<p id=\"0822\">Who doesn\u2019t like \ud83c\udf52 on \ud83c\udf70? Here are some other use cases for an SBOM:<\/p>\n\n\n\n<ul>\n<li>Suppose you get a cloud migration project from a client and have to plan an application migration from on-premise to public cloud, or vice versa. Scan the application code and infrastructure with an SBOM generator and you have the whole list of packages, builds, libraries and dependencies that the target environment must provide.<\/li>\n\n\n\n<li>Your CXO team asks for a list of open source vs. licensed tools used in your software supply chain: the license metadata captured in the SBOM answers this directly, as long as you treat components with no license information as \u201cunknown\u201d rather than assuming they are open source.<\/li>\n<\/ul>\n\n\n\n<p id=\"5c73\"><strong><em>Conclusion<\/em><\/strong><\/p>\n\n\n\n<p id=\"db8e\">The purpose of creating an SBOM is to increase transparency and visibility into the software supply chain. 
It helps software vendors and users understand the security posture, dependencies and possible risks of a software product, identify potential vulnerabilities and compliance issues, and track the usage of open source components.<\/p>\n\n\n\n<p id=\"41bf\">SBOMs are becoming increasingly important in the software industry, particularly in the context of cybersecurity and software supply chain security. The National Telecommunications and Information Administration (NTIA) and other industry groups are promoting the adoption of SBOMs as a best practice for improving software security and supply chain transparency.<\/p>\n\n\n\n<p id=\"434d\"><strong><em>Reference<\/em><\/strong><\/p>\n\n\n\n<p id=\"6ccc\"><a href=\"https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/sbom_minimum_elements_report.pdf\" rel=\"noreferrer noopener\" target=\"_blank\"><strong>NTIA, The Minimum Elements For a Software Bill of Materials (SBOM), July 2021<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Author: Sandeep Bajpai, Senior Architect \u201c SBOM \u2014 What\u2019s that ? \u201c Don\u2019t worry, it\u2019s not a bomb or a soft bomb \ud83d\ude03\u201d SBOM stands for&nbsp;Software Bill of Materials. 
It&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50,49],"tags":[41,44,45,47,46,48],"_links":{"self":[{"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/posts\/103"}],"collection":[{"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/comments?post=103"}],"version-history":[{"count":2,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/posts\/103\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/categories?post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudtechner.com\/blog\/wp-json\/wp\/v2\/tags?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
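Added example (not code from the original post, nor from Syft or Dependency Track): a small Python consumer for the CycloneDX JSON that `syft ... -o cyclonedx-json` writes. It serves two passages above at once: the "Validate the SBOM" step, by cross-checking the SBOM against what is actually installed, and the CXO use case of splitting components into open source versus other licenses. The SBOM document and the `pip freeze` inventory embedded in the block are constructed sample data; the `OPEN_SOURCE_LICENSES` allowlist is an illustrative policy, not a standard; and the "unknown" bucket exists precisely because a scanner that finds no license data must not be read as "open source".

```python
# Added example: consume a CycloneDX JSON SBOM (validate it against the live
# inventory and bucket components by license). Not code from the original post.
import json
import re
from typing import Dict, List

# Constructed sample SBOM, shaped like `syft ... -o cyclonedx-json` output and
# trimmed to the fields used below (not the result of a real scan).
SAMPLE_SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "requests", "version": "2.28.2",
     "purl": "pkg:pypi/requests@2.28.2", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "cryptography", "version": "39.0.1",
     "purl": "pkg:pypi/cryptography@39.0.1", "licenses": [{"expression": "Apache-2.0 OR BSD-3-Clause"}]},
    # the mystery import from the story above: no license metadata at all
    {"type": "library", "name": "modern", "version": "0.1.0", "purl": "pkg:pypi/modern@0.1.0"},
    {"type": "library", "name": "Vendor_SDK", "version": "4.2.0",
     "purl": "pkg:pypi/vendor-sdk@4.2.0", "licenses": [{"license": {"name": "Proprietary"}}]},
]})

# Constructed host inventory in `pip freeze` form: what is really installed.
SAMPLE_INVENTORY = "requests==2.28.2\ncryptography==39.0.2\nmodern==0.1.0\nleftpad==1.0.0\n"

# Illustrative allowlist of SPDX ids counted as open source; use your own policy.
OPEN_SOURCE_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC",
                        "GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "MPL-2.0"}


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation so Vendor_SDK, vendor-sdk and vendor.sdk match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def license_ids(component: dict) -> List[str]:
    """Collect ids from the shapes CycloneDX allows: {"license": {"id"|"name"}}
    or an SPDX {"expression": "A OR B"} (operators dropped, ids kept)."""
    ids: List[str] = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = re.findall(r"[A-Za-z0-9.+-]+", entry["expression"])
            ids += [t for t in tokens if t not in {"OR", "AND", "WITH"}]
        elif "license" in entry:
            ids.append(entry["license"].get("id") or entry["license"].get("name") or "")
    return [i for i in ids if i]


def classify_license(component: dict) -> str:
    """'open-source' only if every id is allowlisted; 'unknown' means the scanner
    found no license, which needs manual follow-up rather than a guess."""
    ids = license_ids(component)
    if not ids:
        return "unknown"
    return "open-source" if all(i in OPEN_SOURCE_LICENSES for i in ids) else "other"


def parse_inventory(freeze_output: str) -> Dict[str, str]:
    """Parse `pip freeze` lines (name==version) into {normalised name: version}."""
    inventory: Dict[str, str] = {}
    for line in freeze_output.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            inventory[normalize_name(name)] = version.strip()
    return inventory


def validate_sbom(sbom_json: str, freeze_output: str) -> dict:
    """Cross-check the SBOM against the inventory and bucket its licenses."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory = parse_inventory(freeze_output)
    components = {normalize_name(c["name"]): c for c in sbom.get("components", [])}
    report: dict = {
        # in the SBOM but not on the host: the SBOM is stale
        "not_installed": sorted(set(components) - set(inventory)),
        # on the host but not in the SBOM: an unscanned component
        "missing_from_sbom": sorted(set(inventory) - set(components)),
        "version_mismatch": {},
        "licenses": {"open-source": [], "other": [], "unknown": []},
    }
    for name, comp in sorted(components.items()):
        if name in inventory and inventory[name] != comp.get("version"):
            report["version_mismatch"][name] = (comp.get("version"), inventory[name])
        report["licenses"][classify_license(comp)].append(name)
    report["ok"] = not (report["not_installed"] or report["missing_from_sbom"]
                        or report["version_mismatch"] or report["licenses"]["unknown"])
    return report


if __name__ == "__main__":
    print(json.dumps(validate_sbom(SAMPLE_SBOM_JSON, SAMPLE_INVENTORY), indent=2))
```

On the sample data the report flags `vendor-sdk` as listed but not installed (stale SBOM), `leftpad` as installed but never scanned, a version drift on `cryptography`, and `modern` as license-unknown, so `ok` is false and the SBOM should not be published as-is. To run it against real data, generate the SBOM with `syft dir:/opt -o cyclonedx-json --file sbom.json`, capture the inventory with `pip freeze` (or, for OS packages, a `name==version` listing built from `rpm -qa` or `dpkg-query -W`), and pass both strings to `validate_sbom`.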