How can SBOM help your tech organization prevent cyber-attacks?
Shantanu Shukla
Software Engineering Manager | Building High-Performance Teams | .NET | Microservices | AWS Azure | DevOps | Application Security
Target Audience - Technical Managers / Architects / Product Managers / Cybersecurity Enthusiasts
Time to Read: 5 minutes
Today we develop software that cannot run without third-party support, be it in the form of open-source frameworks, third-party libraries, NuGet packages or hosting.
While we can be sure about code written on our own turf and keep making it robust, recent cyberattacks have highlighted that the entry points were the code dependencies.
If your organization is using third-party components (even from NuGet) and you are not tracking them, consider your project vulnerable.
Apart from improving security, a Software Bill of Materials (let's call it SBoM from now on) helps companies meet new cybersecurity laws. Mind you, SBoM is mandatory in the US.
What is SBOM?
An SBOM is a machine-readable list of all the open-source and third-party components present in the code base. It also lists their licenses, versions and patch status. There is not one standard format for SBoM, but you get the drift.
SBoM helps security teams quickly identify any security or license risks.
Tools to generate SBOM
Format of SBOM
Typically there are three output formats:
Basic Table format
NAME                    VERSION      TYPE
alpine-baselayout       3.2.0-r18    apk
alpine-keys             2.4-r1       apk
apk-tools               2.12.7-r3    apk
busybox                 1.34.1-r3    apk
ca-certificates-bundle  20191127-r7  apk
libc-utils              0.7.2-r3     apk
libcrypto1.1            1.1.1l-r7    apk
libretls                3.3.4-r2     apk
libssl1.1               1.1.1l-r7    apk
musl                    1.2.2-r7     apk
musl-utils              1.2.2-r7     apk
scanelf                 1.3.3-r0     apk
ssl_client              1.34.1-r3    apk
zlib                    1.2.11-r3    ap
CycloneDX format
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="https://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:fb2a4dac-b62b-4d78-b209-40bd09388022" version="1">
  <metadata>
    <timestamp>2022-04-11T22:01:51-04:00</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
        <version>0.42.4</version>
      </tool>
    </tools>
    <component bom-ref="27f24e002ab47c1b" type="container">
      <name>alpine:latest</name>
      <version>sha256:a3f8ca28888378e4880b3f73504c78278a9038dccf906760a1afd4a08c81c1c1</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <publisher>Natanael Copa &lt;[email protected]&gt;</publisher>
      <name>alpine-baselayout</name>
      <version>3.2.0-r18</version>
      <description>Alpine base dir structure and init scripts</description>
      <licenses>
        <license>
          <id>GPL-2.0-only</id>
        </license>
      </licenses>
      <cpe>cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*</cpe>
      <purl>pkg:alpine/[email protected]?arch=x86_64&amp;upstream=alpine-baselayout&amp;distro=alpine-3.15.0</purl>
      <externalReferences>
        <reference type="distribution">
          <url>https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout</url>
        </reference>
      </externalReferences>
      <properties>
        <property name="syft:package:foundBy">apkdb-cataloger</property>
        <property name="syft:package:metadataType">ApkMetadata</property>
        <property name="syft:package:type">apk</property>
        <property name="syft:cpe23">cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*</property>
        <property name="syft:location:0:layerID">sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759</property>
        <property name="syft:location:0:path">/lib/apk/db/installed</property>
        <property name="syft:metadata:gitCommitOfApkPort">dfa1379357a321e638feef1cd8d55ab03d020f45</property>
        <property name="syft:metadata:installedSize">413696</property>
        <property name="syft:metadata:originPackage">alpine-baselayout</property>
        <property name="syft:metadata:pullChecksum">Q1EymS6rAgmGs7XYhqdyEoiWgEZ6A=</property>
        <property name="syft:metadata:pullDependencies">/bin/sh so:libc.musl-x86_64.so.1</property>
        <property name="syft:metadata:size">21101</property>
      </properties>
    </component>
    <component type="operating-system">
      <name>alpine</name>
      <version>3.15.0</version>
      <description>Alpine Linux v3.15</description>
      <swid tagId="alpine" name="alpine" version="3.15.0"></swid>
      <externalReferences>
        <reference type="issue-tracker">
          <url>https://bugs.alpinelinux.org/</url>
        </reference>
        <reference type="website">
          <url>https://alpinelinux.org/</url>
        </reference>
      </externalReferences>
      <properties>
        <property name="syft:distro:id">alpine</property>
        <property name="syft:distro:prettyName">Alpine Linux v3.15</property>
        <property name="syft:distro:versionID">3.15.0</property>
      </properties>
    </component>
  </components>
</bom>
SPDX (Software Package Data Exchange) format
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "alpine-latest",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
    "created": "2022-04-12T01:47:03.011148Z",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-0.42.4"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/alpine-latest-31e0e940-da83-4ea2-8a0c-fbba76371667",
  "packages": [
    {
      "SPDXID": "SPDXRef-8039c8621bcc1383",
      "name": "alpine-baselayout",
      "licenseConcluded": "GPL-2.0-only",
      "description": "Alpine base dir structure and init scripts",
      "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceLocator": "cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
          "referenceType": "cpe23Type"
        },
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceLocator": "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.15.0",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseDeclared": "GPL-2.0-only",
      "originator": "Person: Natanael Copa <[email protected]>",
      "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
      "versionInfo": "3.2.0-r18"
    }
  ],
  "files": [
    {
      "SPDXID": "SPDXRef-2eaa15c5fc625ebe",
      "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
      "licenseConcluded": "NOASSERTION",
      "fileName": "/etc/crontabs/root"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-8039c8621bcc1383",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-2eaa15c5fc625ebe"
    }
  ]
}
Why should we have SBOM?
Software transparency: SBOMs provide a list of parts used in the creation of software, such as open-source software, components, and packages.
Software integrity: While code signing is the gold standard for trusting software's integrity, SBOMs contain file checksums that can be validated against the delivered files, which is useful in scenarios where signatures aren't present.
Software identity: When common vulnerabilities and exposures (CVEs) are created, they are assigned to a Common Platform Enumeration (CPE) identifier, and attributing a CPE to a specific piece of software can be error-prone. Software IDs within SBOMs provide a much more accurate way to identify software.
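To make the two machine-readable formats shown above and the software-identity point concrete, here is an added example (not code from the article or from syft) that parses a CycloneDX XML BOM and an SPDX JSON document into the same component records, then matches each component's purl identity against an advisory list. The BOM fragments and the advisory feed are constructed, with placeholder advisory ids rather than real CVEs.

```python
import json
import xml.etree.ElementTree as ET

CDX_NS = {"b": "https://cyclonedx.org/schema/bom/1.4"}  # default namespace of the BOM above

# Constructed CycloneDX fragment, trimmed from the syft output shown above.
CYCLONEDX_XML = """<bom xmlns="https://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>alpine-baselayout</name><version>3.2.0-r18</version>
      <purl>pkg:alpine/alpine-baselayout@3.2.0-r18?arch=x86_64&amp;distro=alpine-3.15.0</purl></component>
    <component type="library"><name>libssl1.1</name><version>1.1.1l-r7</version>
      <purl>pkg:alpine/libssl1.1@1.1.1l-r7?arch=x86_64&amp;distro=alpine-3.15.0</purl></component>
  </components>
</bom>"""

# Constructed SPDX 2.2 JSON fragment in the same shape as the document shown above.
SPDX_JSON = json.dumps({"spdxVersion": "SPDX-2.2", "packages": [{
    "name": "zlib", "versionInfo": "1.2.11-r3",
    "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                      "referenceLocator": "pkg:alpine/zlib@1.2.11-r3?arch=x86_64"}]}]})

# Constructed advisory feed keyed by purl identity (type/name@version); ids are placeholders.
ADVISORIES = {"pkg:alpine/libssl1.1@1.1.1l-r7": "ADV-EXAMPLE-0001",
              "pkg:alpine/zlib@1.2.11-r3": "ADV-EXAMPLE-0002"}

def parse_cyclonedx(xml_text):
    """Return [{name, version, purl}] for every component in a CycloneDX 1.4 XML BOM."""
    root = ET.fromstring(xml_text)
    return [{k: c.findtext("b:" + k, namespaces=CDX_NS) for k in ("name", "version", "purl")}
            for c in root.findall("./b:components/b:component", CDX_NS)]

def parse_spdx(json_text):
    """Return the same records from an SPDX JSON document (purl comes from externalRefs)."""
    out = []
    for p in json.loads(json_text).get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append({"name": p["name"], "version": p.get("versionInfo"), "purl": purl})
    return out

def purl_identity(purl):
    """Drop qualifiers (?arch=...) and subpath (#...) so matching is on type/name@version."""
    return purl.split("#", 1)[0].split("?", 1)[0] if purl else None

def find_vulnerable(components, advisories=ADVISORIES):
    """Return (name, version, advisory_id) for components whose purl identity is listed."""
    return [(c["name"], c["version"], advisories[purl_identity(c["purl"])])
            for c in components if purl_identity(c["purl"]) in advisories]
```

Feeding `parse_cyclonedx(CYCLONEDX_XML) + parse_spdx(SPDX_JSON)` into `find_vulnerable` flags libssl1.1 and zlib; the point is that the purl gives one identity across both formats, whereas the two CPE strings in the BOM above already disagree on the vendor field.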
Want more insights?
You can refer to the following links to get more information.
SBOM to a 5-year-old - https://www.youtube.com/watch?v=6yljBKKl8Vo
CPE Database - https://nvd.nist.gov/products/cpe
Hope you have enjoyed reading this article. If you have any comments, please feel free to put your views in the comment box.
1 year ago: SBOMs are increasingly being recognized as a critical component of software development, as organizations seek to improve software security and minimize risks associated with third-party components. Able to relate to BOM on supply chain and inventory.
1 year ago: Nice information