Smarter Than Your Average SBOM! A Talk by Matt Jarvis & Andrew Martin
At Kubernetes Community Day UK 2023, Snyk Director Matt Jarvis and ControlPlane CEO Andrew Martin teamed up for a deep dive into the world of Software Bills of Materials (SBOMs). While this might seem like the new trendy topic in the security community, many are still unsure how to utilise them effectively. This blog post provides an overview of the key points covered in the talk “Smarter than your average SBOM!”, explaining what SBOMs are, why they matter, and best practices for managing them.
What Is an SBOM?
For those new to the term, SBOM stands for Software Bill of Materials. Essentially, it’s a detailed list of the components that make up a piece of software, akin to the ingredients listed on food packaging. Matt and Andrew humorously describe it as “just a bunch of JSON”.
Why Are SBOMs Important?
SBOMs stand out because they offer a standardised, machine-readable way of distributing and sharing information about software components. This makes them invaluable for:
- Developers: Understanding the dependency tree of software.
- Security Teams: Having an inventory to analyse when new vulnerabilities (such as CVEs) emerge.
Key Considerations for Effective SBOMs
For SBOMs to be effective, a few key points must be kept in mind.
Creation and Timing
SBOMs are snapshots that capture the state of software at a specific point in time. Generating these snapshots at the build, packaging, and distribution stages is crucial for accuracy, because the component set can change between them. Automating generation through the build system is generally recommended.
Trust and Verification
Trust is foundational for SBOMs. It’s essential to:
- Verify the authenticity of the producer.
- Ensure no unauthorised modifications have been made.
- Use cryptographic signatures to guarantee the integrity of the SBOM.
Ensuring Quality in SBOMs
Not all SBOMs are created equal. Quality tools like eBay’s SBOM Scorecard and Interlynk’s sbomqs assess SBOMs against various criteria, including whether every component carries a full package URL (purl) and license information. These criteria reflect what consumers need from an SBOM and help guide the production of better ones.
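As an added example (not code from the talk, nor from either scorecard project), here is a small checker in the spirit of those tools: it scores a constructed CycloneDX-style SBOM on three of the criteria just mentioned (version, purl, license) and lists the components that drag the score down. The sample SBOM and the set of checks are my own assumptions.

```python
import json

# Constructed minimal CycloneDX-style SBOM used as sample input (not a real artefact).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},      # no licence declared
        {"name": "mystery-lib"},                 # no version, purl or licence
    ],
})

# Each check answers "does this component satisfy the criterion?"
CHECKS = {
    "has_version": lambda c: bool(c.get("version")),
    "has_purl": lambda c: str(c.get("purl", "")).startswith("pkg:"),
    "has_license": lambda c: bool(c.get("licenses")),
}


def score_sbom(sbom_json: str) -> dict:
    """Return per-criterion coverage (0.0 to 1.0), an overall score and the
    names of components that fail at least one check."""
    sbom = json.loads(sbom_json)
    components = sbom.get("components", [])
    if not components:
        return {"overall": 0.0, "criteria": {}, "failing": []}
    criteria = {}
    for name, check in CHECKS.items():
        passed = sum(1 for c in components if check(c))
        criteria[name] = round(passed / len(components), 2)
    failing = sorted({c.get("name", "<unnamed>") for c in components
                      if not all(check(c) for check in CHECKS.values())})
    overall = round(sum(criteria.values()) / len(criteria), 2)
    return {"overall": overall, "criteria": criteria, "failing": failing}


if __name__ == "__main__":
    print(json.dumps(score_sbom(SAMPLE_SBOM), indent=2))
```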
Enriching SBOMs
Basic SBOMs might lack certain details, but they can be enriched with additional data from external sources. Tools like Parlay from Snyk can add detailed information about each component, including security scoring and vulnerability data.
Conclusion
SBOMs are quickly becoming a critical component of supply chain security. Organisations can significantly enhance their security posture by understanding the creation, management, and trust mechanisms involved. Watch the full talk on our YouTube channel for a more detailed exploration of these concepts. Join Matt Jarvis and Andrew Martin as they uncover the intricacies of the SBOM lifecycle, from creation to enrichment and everything in between.