Managing the Lifecycle of Your Software Bills of Materials (SBOMs)

Dmitry Raidman’s foray into SBOM management started with a vulnerable baby monitor when he was a new father in 2015. An SBOM – Software Bill of Materials – is like an ingredient list of all the pieces of code that go into an embedded application, he explains. With hundreds to thousands of SBOMs applied to each software product, he founded Cybeats and built the SBOM Studio. More than just a repository, SBOM studio automates and orchestrates SBOM management and visualization across a large variety of SBOM types to provide lifetime management of SBOM information, and greatly enhance visibility in the software supply chain. He explains the many types of SBOMs, starting with a design SBOM to understand if you’re bringing reputable sources of code into the application before development starts. He points to the repository SBOM, the build SBOM, the binary SBOM, the runtime SBOM and more. An SBOM repository must handle any type of SBOM, he adds, regardless of competing standards. “There are different companies generating different SBOMs, but you want a company that really does it well by actually identifying every single component properly,” he explains. “A quality SBOM can provide analytics around the SBOMs to add value for product builders and customers.” In this show, he also demonstrates how builders and buyers can use SBOM Studio to generate a SBOM from an open-source application using CodeSecure’s CodeSentry binary composition analysis. This is the result of a partnership between CodeSecure and Cybeats announced in October. In the demonstration, the O/S, version, format, license warnings, and other meta data are analyzed against a data lake of known vulnerability and supply chain intelligence data. It is then further narrowed down to actionable vulnerabilities through application of the Known Exploitable Vulnerabilities (KEV) catalog and other information sources to prioritize and analyze “breachability,” as he says.