Enhancing Transparency, Security, and Compliance in Your Software Projects
Do you know about SBOMs?
In the mail 📧
One Tech idea 💥: SBOM
One question for you
Read time: 4 minutes.
A software bill of materials (SBOM) is an inventory of all components and dependencies involved in the development and delivery of an application.
That doesn’t explain much, does it?
Before diving into the What, let me tell you the Why (we need it)
Let’s imagine this: You’re running a Pizza company. You would want to track all the raw materials in case they cause health issues or the FDA says so. At the top level, we have the dough, tomato sauce, cheese, and meat. If you dig one level deeper, we must find the source of flour, tomatoes, milk to level grains, farm, and dairy barns.
We can track as far as the cattle and its feed. We can track information such as date of sourcing, kind of breed, weight, etc.,
As a pizza company, having this information handy saves a ton of time in mitigating customer issues rather than waiting until a huge issue blows up.
Does it ring a bell? Kinda?
If you think about it, a software company is not far from a pizza company in this aspect. In software, we follow the DRY principle, like our life source. When there is a library or package available, why write from scratch? This comes with its pros and cons.
Pros - Productivity, Tested code
Cons - Adopting vulnerabilities
Let’s read The What one more time.
A software bill of materials (SBOM) is an inventory of all constituent components and software dependencies involved in the development and delivery of an application.
Next time a customer raises a security issue, a memory leak, or an issue raised during a software audit, you know exactly which code is responsible.
The Software Package Data Exchange (SPDX) is the specification by the Linux Foundation to generate SBOMS for your projects.
SPDX can be used to describe several types of software components: packages, files, and code snippets. The specification tracks the name, copyright information, licensing information, and many others. SPDX can be created in many file formats: xlsx spreadsheets, YAML, JSON, RDF, XML
Do you have to generate it manually?
Automated tools and built system integration streamline SBOM generation and manual verification whenever necessary.
What is a good starting point?
Take stock of all your projects and their dependencies, research SBOM standards like CycloneDX, or stick to the ones that come with your cloud provider.
Make compliance a development practice rather than a chore before the audit.
Ensure the libraries you’re adopting are reliable and devoid of any vulnerabilities.
SBOM has a vulnerability - What now?
There are two kinds of Vulnerabilities - The ones that have a fix released and the ones without a fix. Often, security patches have little to no API changes. For the ones with a fix, update them immediately.
The ones without, keep an eye for fixes to adopt them whenever available
Where can I learn more about this?
A lot of what I’ve learned came from the Awesome-SBOM repo
One question for you…
Have you ever made your project ready for compliance and security audit?
Share your experience.