Why an SBOM is an essential list of ingredients and not a four-letter word

If you’re a developer, security pro, or IT leader – did you know that a staggering 85-90% of your software’s DNA is woven with open source and third-party strands, sourced from the vast unknown?

But beware, the rulebook has changed—new laws are in play, governing the very core of your creations. Stay informed, stay ahead, stay compliant. The future of your code depends on it.

We have an answer for you: SBOMs, and using JFrog X-Ray to make it all very easy. “Cover your back *and* sleep at night? Where do I sign?”

As Bill Manning of JFrog bluntly put it at a recent JFrog conference: "Without an SBOM, deploying software is like taking a thumb drive off the street and plugging it into production!"

This article is based on the key points in Bill’s SwampUp 2023 presentation. We weave them into SJULTRA client discussions around SBOMs and secure software supply chains with IT leaders, security pros, and developers.

In customer calls we often get questions like:

  • Is this a priority?
  • What actually is an SBOM?
  • Why do we need one?
  • How do we do it?

We echo Bill’s sentiments on securing a software supply chain by using JFrog’s X-Ray to handle SBOMs professionally and at scale.

CHECK OUT OUR “BOOTLEG” RECORDING OF BILL’S SWAMPUP SESSION AT THE END OF THIS ARTICLE!

Dear Bill — Congrats from your friends at SJULTRA on winning this SwampUp award!

The Costly Risks of Unknown "Ingredients"

Bill kicked off his presentation with a powerful truth:

“Failure to understand and manage your software ‘ingredients’ can have devastating consequences, both financial and reputational.”

“Just look at the 2020 SolarWinds supply chain attack that impacted 18,000 organizations and cost billions in remediation.” 

“It’s much harder to gain your reputation back than financial losses if your data is breached.” 

"I'm an IT leader. Do we really need yet another tool for managing open source components? What do I need to know about software bills of materials or SBOMs? Why should they be a priority for my organization?"

It’s a common question for us at SJULTRA, talking with IT decision-makers who are juggling multiple security tools and priorities — they can be hesitant to adopt SBOMs. 

“Urgh, another unnecessary cost and complexity for a problem already being managed.” But is it?

SBOMs are becoming a compliance requirement across industries like government and healthcare.

Solutions like JFrog X-Ray consolidate SBOM lifecycle management along with other open source governance capabilities like vulnerability tracking and license compliance into one unified platform. 

SBOMs are an essential part of risk management, which is an executive responsibility. This is because they help resolve incidents faster, and provide documentation for risk audits.

SBOMs: The New Cybersecurity Mandate

It’s no wonder the White House signed an executive order in 2021 making SBOMs a requirement for software purchased by the government. From medical devices to automobiles, software bills of materials are rapidly becoming essential for gaining accountability over third-party code. 

This realization followed the FDA’s 2018 push for SBOM adoption, driven by concern that compromised medical device software could cost lives.

Again, Bill nails it: “Medical devices, software, can kill people…if somebody dies by a medical device, we need to know what’s inside, why, and how.” 

"I'm a security pro, I'm concerned about introducing vulnerabilities or sharing proprietary information. How do SBOMs actually help mitigate those risks?"

A security-conscious person may have concerns about the extent of IP and technical data included in an SBOM regarding application internals. 

Bill’s answer is: “SBOMs only list the third-party and open source components used, not proprietary source code, algorithms or other IP.

“An SBOM is akin to listing ingredients on a food package – just because you know the ingredients doesn’t mean you have the full recipe.”

What's actually in an SBOM?

So what exactly goes into a software bill of materials? In Bill’s cake analogy, it’s simply “a list of ingredients that were used to produce this cake.”

For software, those ingredients are the open source libraries and proprietary third-party components incorporated into your applications. 

SBOMs list all the open source and third-party components in your applications. When new vulnerabilities are disclosed, you can quickly identify if you’re impacted based on the versions listed in your SBOM. It allows you to be proactive rather than scrambling in response. It means you know if you are at risk or not without panicking in the dark. 

There are two main SBOM formats: 

SPDX – System Package Data Exchange

Originally designed for open source analysis by engineering teams to track components.

An open standard capable of representing systems with software components as SBOMs (Software Bill of Materials), together with AI, data and security references supporting a range of risk management use cases.

The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).

Learn more about SPDX on the official spdx.dev.

CycloneDX

CycloneDX is designed to provide advanced supply chain capabilities for cyber risk reduction.

Compatible with over 200 tools across 20+ programming languages, CycloneDX is trusted by Lockheed Martin, ServiceNow, IBM, Contrast Security, Sonatype, and many others.

Optimized for vulnerability management by security teams. 

Learn more about CycloneDX on the official website.
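As an added example (not from Bill’s talk, this article, or JFrog’s X-Ray, which does this work for you), the Python script below shows the mechanics behind the two points above: it reads a CycloneDX document and an SPDX document (both constructed inline, in their JSON forms), normalises their components by package URL, and checks them against a constructed advisory feed that uses OSV-style introduced/fixed version ranges to answer “are we impacted?” from the versions in the SBOM alone. Every advisory ID, package name and version here is made up for the illustration, and only the subset of each format that the samples use is parsed.

```python
"""Added example (not from the article or JFrog): turn two SBOM formats into one
component list, then triage that list against a constructed advisory feed."""
import json

# Constructed CycloneDX 1.4 document (JSON) for a fictional backend service.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.example", "name": "parser-core",
         "version": "2.14.1", "purl": "pkg:maven/com.example/parser-core@2.14.1"},
        {"type": "library", "group": "com.example", "name": "serializer",
         "version": "2.13.4", "purl": "pkg:maven/com.example/serializer@2.13.4"},
    ],
})

# Constructed SPDX 2.3 document (JSON) for the same service's frontend.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "example-templating", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-templating@4.17.20"}]},
        {"name": "example-router", "versionInfo": "4.18.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-router@4.18.2"}]},
    ],
})

# Constructed advisory feed. "introduced" <= version < "fixed" is the affected
# range, the same convention OSV uses; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:maven/com.example/parser-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:npm/example-templating",
     "introduced": "4.0.0", "fixed": "4.17.21"},
    # Our example-router (4.18.2) is past the fix, so this one must NOT match.
    {"id": "ADV-EXAMPLE-0003", "purl_base": "pkg:npm/example-router",
     "introduced": "0", "fixed": "4.18.0"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (base, version)."""
    base, _, version = purl.partition("@")
    return base, version


def version_tuple(v):
    """Compare dotted versions field by field, so '2.10.0' > '2.9.1'."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def components_from_cyclonedx(doc):
    """Normalise CycloneDX 'components' to {name, version, purl_base}."""
    out = []
    for c in json.loads(doc).get("components", []):
        base, version = parse_purl(c["purl"])
        out.append({"name": c["name"], "version": version or c.get("version", ""),
                    "purl_base": base, "format": "CycloneDX"})
    return out


def components_from_spdx(doc):
    """Normalise SPDX 'packages', taking the purl from externalRefs."""
    out = []
    for p in json.loads(doc).get("packages", []):
        purls = [r["referenceLocator"] for r in p.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        base, version = parse_purl(purls[0]) if purls else ("", "")
        out.append({"name": p["name"], "version": version or p.get("versionInfo", ""),
                    "purl_base": base, "format": "SPDX"})
    return out


def affected(component, advisory):
    """True if the component's version falls inside the advisory's range."""
    if component["purl_base"] != advisory["purl_base"]:
        return False
    v = version_tuple(component["version"])
    return version_tuple(advisory["introduced"]) <= v < version_tuple(advisory["fixed"])


def triage(components, advisories):
    """Return (advisory id, component name, version, fixed version) per match."""
    return [(adv["id"], c["name"], c["version"], adv["fixed"])
            for adv in advisories for c in components if affected(c, adv)]


def run_triage():
    """Merge both SBOMs into one inventory and triage it against the feed."""
    inventory = components_from_cyclonedx(CYCLONEDX_SBOM) + components_from_spdx(SPDX_SBOM)
    return triage(inventory, ADVISORIES)


if __name__ == "__main__":
    for adv_id, name, version, fixed in run_triage():
        print(f"{adv_id}: {name}@{version} is affected; upgrade to {fixed} or later")
```

Run as-is it reports the two affected components and stays silent about example-router, whose version is already past the fix; that negative case is the point of keeping versions in the SBOM, since a name match alone would have raised a false alarm. Note that nothing here touches source code: the inventory is built entirely from the package URLs and versions the two formats already carry.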

"I'm a developer. This sounds like just another way for security to get in the way of my productivity by introducing more controls. Will SBOMs break my developer workflow?"

Addressing SBOM Concerns

We understand the concern about introducing new tools potentially disrupting workflows.

However, implementing Software Bill of Materials (SBOMs) with JFrog X-Ray can actually streamline and secure your development process without significant interruption.

Here’s how:

1. Automated Vulnerability Scanning: JFrog X-Ray automates the scanning of components for vulnerabilities and licenses. This means that once it’s set up, it runs in the background, requiring minimal intervention from developers.

2. Integration with Existing Workflows: JFrog X-Ray integrates with your existing CI/CD pipelines. It’s designed to work seamlessly with tools developers are already using, so there’s no need to change the way you work.

3. Early Detection: By detecting issues early in the development cycle, SBOMs and JFrog X-Ray help prevent the costly and time-consuming process of addressing security issues after deployment.

4. Compliance and Transparency: SBOMs provide transparency into your software components, making it easier to comply with regulatory requirements and to respond quickly to any vulnerabilities that are discovered in open-source components you may be using.

5. Developer Empowerment: Rather than hindering productivity, these tools empower developers by automating security checks, allowing them to focus on coding rather than manual security reviews.

6. Continuous Security: Security is a continuous requirement, not a one-time check. JFrog X-Ray provides continuous monitoring, ensuring that any new threats are identified and addressed promptly.

SBOMs and JFrog X-Ray are often championed by senior developers and engineers because they are a vital part of a modern, secure development lifecycle.

Cynics everywhere: "SBOMs seem complicated and this all sounds like vendor hype around a big buzzword!"

Some may dismiss SBOMs as the latest security buzzword being hyped up by vendors looking to sell new tools and services. Others might think they are just another tool and no more important than others. 

The hard facts say otherwise: high-profile supply chain attacks like SolarWinds, the 2021 government executive order mandating SBOMs, and industry-wide adoption across sectors like automotive, healthcare and more. Real-world examples of SBOM requirements in contracts, compliance audits, and the like underscore that this is not hype.

"But don't SBOMs just expose my intellectual property by listing everything I'm using? As a developer, I have objections to that."

SBOMs absolutely do not disclose your source code or IP. It’s just a list of externally sourced ingredients, not your recipe for putting them together, so to speak. 

Bill Manning: “I had an experience where a company was acquiring us and made their purchase contingent on removing certain open source components after reviewing our SBOM. They didn’t need our proprietary code to identify that risk.” 

Why SBOMs Are a Must-Have

SBOMs have diverse applications beyond just security, as Bill Manning illustrates: 

“It’s a way to maintain and manage licensing. Legal teams want to go through this – does your software meet their standards for allowed licenses in their corporation? I had an acquisition deal contingent on us removing certain open source components before they’d purchase!” 

SBOMs can aid compliance efforts, license audits, and even contract negotiations by providing transparency into your software makeup across the entire software supply chain. Bi

Simplifying SBOM Adoption with the Right Tools

Manually generating and managing SBOMs is impractical for enterprise software delivery.

How can organizations efficiently generate and manage SBOMs at scale across all their applications?

Bill Manning: “This is where solutions like JFrog’s X-Ray come in. It automatically generates SBOMs in both standard formats and integrates them into your DevOps pipeline and artifact repository. From one central place, you can view the SBOM for any Docker image, libraries used, and even export reports for an external party like a customer or regulator.” 

“Software building materials don’t have to be scary if you have the right tooling baked in. With X-Ray, we make SBOM adoption easy while giving you full transparency and control.”

With X-Ray, development teams don’t have to radically change processes. SBOM generation and analysis happens seamlessly as part of the standard CI/CD workflow.

The JFrog X-Ray SBOM Report

X-Ray has introduced the capability to generate a Software Bill of Materials (SBOM) report that enables DevSecOps engineers to understand and analyze the dependencies of their components.

An SBOM is a readable inventory of software components and dependencies. The report includes SBOM data for your components, including unidentified components and open-source software.

This report enables you to:

  • Understand components and code dependencies.

  • Gain visibility into open-source licenses for the components in use.

  • Be aware of the end-of-life of components, and which components need to be updated.

  • Identify vulnerable components or recently identified vulnerabilities.

  • Enforce organizational compliance and policies.

Learn more about the X-Ray SBOM Report over at JFrog.

Don't Let Your Next "Ingredient" Be a Security Disaster

The time to focus on software supply chain security and prioritize software bills of materials is now, before your organization’s next untracked open source component turns into a massive security breach or compliance failure. 

Get the visibility you need into your software supply chain by evaluating SBOM solutions like X-Ray today. Your customers, partners, and regulators will appreciate the transparency – and your business will avoid costly incidents.

As experienced JFrog partners, we help enterprise clients, including large financials, to optimize their software supply chain with JFrog.

One way we help clients is by adding security bandwidth and expertise to their team with our Managed JFrog Software Supply Chain Security.

Clients who need more than a secure software lifecycle also use our Managed Security Provider bundle.

Ask us anything about the JFrog security products including X-Ray and Artifactory.

Bill Manning's JFrog SwampUp 2023 session on SBOMs and X-Ray

Recorded by us as we knew this would be a great session and we weren’t 100% sure it would end up on the official JFrog playlist — and Bill didn’t disappoint!