Thanks to President Biden’s Executive Order on Cybersecurity (14028) last May, Software Bills of Material (SBOMs) are now discussed by developers, security and deployment teams and even boards of businesses around the world.
These “ingredients” lists for software are mandated for those selling to US Federal government and are quickly becoming an expected element of any software implementation. Rightly so. At the same time the US National Telecom and Information Administration (NTIA) and National Institute of Standards and Technology (NIST) have published frameworks and guidance to make SBOMs a reality.
Bytesafe Software Composition Analysis & SBOM generation provide an easy way to identify software assets and track open source risk for your applications directly in your Git repositories.
But what about distribution of the SBOM after it’s been created? Our friends at RKVST have you covered. Read on to learn more.
There’s no point to a secret SBOM!
But, even the best SBOM has no value to users if it remains secret. Sharing SBOMs is a fundamental aspect of improving cybersecurity which has, until now, been largely overlooked.
A typical organisation will have hundreds of pieces of software, potentially including code from thousands of different sources. Some will be commercially licensed, others created in house and a significant proportion utilising open-source software. Where do you go to find all the SBOMs to cover all the software you use? Simply hunting down those responsible for managing code and finding the right SBOM for the right version of the product could become a full-time role. And no one wants to hire an SBOM department!
As a software publisher there are also challenges in sharing SBOMs. How do you let everyone know where the correct, up-to-date SBOM is for freely available open source code? What if your software is licensed and covered by commercial agreements or responsible disclosure needs that protect your customers’ operations? How can you ensure that the correct SBOMs share the right information only with those that have the right permissions to see it?
Find and Fetch the SBOMs You Need
RKVST is a zero-trust fabric that allows permissioned parties to prove who did what when to any asset and thereby combine security, transparency and immutability to deliver trust. We’ve used this fabric to create the RKVST SBOM Hub, so that all parties can find and fetch the SBOMs they need, when they need them.
RKVST SBOM Hub is a single place where both publishers and consumers can go for public SBOMs and a place to signpost privately exchanged SBOMs too. We focus on making SBOMs available and discoverable all in one place, so unlike many repositories which are single-format we include SBOMs in CycloneDX, SPDX and SWID.
Users can quickly search for a specific SBOM, or for SBOMs that match key criteria and find it in whichever format it exists. We’ll scan repos so that you don’t have to.
But RKVST SBOM Hub is much more than a “Google for SBOMs”. Vendors are already starting to juggle multiple tools and repositories to support the assembly of SBOMs, using separate development environment stores and production repos for publication. The opportunities for errors are clear to see. With SBOM Hub it’s a repository and index in one, and it provides publishers with privacy controls that help them manage their SBOMs as they build, publish, distribute and maintain them. And for consumers it picks out the fundamental metadata required to assess conformance to the NTIA minimum elements and the NIST Foundational requirements.
Permissioned sharing for controlled and responsible disclosure
We provide a secure area that developers can stage SBOMs in private against a convenient version history. Once the SBOM is complete and the associated software product released, owners have a simple choice: they can keep it private or publish the SBOM making it discoverable by anyone in the RKVST SBOM Hub. This route is most suited to SBOMs that detail the provenance of open-source code freely available for use and integration by others.
But what if the product is proprietary or licensed commercially? Or perhaps the software is embedded in industrial equipment with very long update cycles and little opportunity for patching downtime? Neither publisher nor consumer will want to reveal SBOM contents and vulnerabilities in a publicly shared SBOM. But if access is gated how do consumers know that the SBOM exists, and where to find it?
As a publisher, how can you show compliance (and demonstrate industry best practice) without revealing commercial secrets?
Enter the RefBOM
With RKVST we are pioneering the use of RefBOMs to solve this issue. Quite simply, a RefBOM is a signpost to a private SBOM. It demonstrates the existence and provides a route to accessing an SBOM which is only to be shared with specific parties with right credentials and permissions.
Developers and software publishers can easily create a RefBOM that testifies to the existence of an SBOM for a specific piece of software and share it in the RKVST SBOM Hub. Anyone looking for an SBOM for that specific software can search and find the RefBOM and then follow clear steps (a simple hyperlink!) to get access if appropriate.
The first place to share SBOMs
Secure and precise sharing and discovery are essential to the effectiveness of SBOMs and compliance with the Executive Order. RKVST SBOM Hub solves both sides of the challenge to SBOM sharing. Publishers have a powerful, flexible repository where they can store now and choose later how to distribute their SBOMs. And consumers have a single destination to find the SBOMs they need, whether in public or private.
With thousands of SBOMs already included in RKVST SBOM Hub, it should immediately become the first place for anyone needing to share SBOMs.
Want to start sharing your SBOMs? Visit our friends at RKVST.