A Software Bill of Materials is no longer just “good-to-have” documentation for organizations. It is now a “must-have” for a wide range of reasons. Aside from the fact that federal regulations have made disclosing the components of your software compulsory, software companies have now realized that listing all the open-source and commercial dependencies used in your application is a beneficial cybersecurity practice.
Interestingly, even organizations that recognize the need for an SBOM often find that creating one is quite challenging. That’s because the process of creating the Software Bill of Materials for a product can be complex, tedious, and time-consuming. Also, since regulatory authorities recommend generating a precise and accurate SBOM for every iteration of your product, doing it manually each time is quite resource-intensive, if not completely impractical.
When it comes to implementing comprehensive SBOMs, going the automation route is always recommended. Every piece of software is a complex package made up of multiple dependencies that most likely have their own dependencies too. This means that even the simplest software may have hundreds or even thousands of dependencies. It takes a lot of work to compile all of these and keep them organized manually. This article explains why automation is necessary for implementing SBOMs and how to implement automation to mitigate the stress that comes with generating SBOMs manually.
Why Automating the SBOM Process Is Important
A Software Bill of Materials is simply a list of the components of a software product (similar to the list of ingredients on a food product). Generally speaking, all you need to create a Software Bill of Materials is a spreadsheet that lists these components. However, this is an oversimplification that is hardly ever practical. An SBOM is an exhaustive list with a precise set of required information for each entry. Trying to process this list manually will obviously be time-consuming and complicated.
Manual SBOMs simply can’t cut it, which is why automation is vital in implementing and ingesting SBOMs. Apart from the difficulty of implementing manual SBOMs, there are also risks involved in creating SBOMs manually, not to mention the compliance issues. The following are some of the reasons why SBOMs are best created with an automated system that collects and compiles a comprehensive list of software components and stores it in a repository that’s human-readable and easy to query.
Cyber Supply Chain Threats
The main goal of generating a comprehensive SBOM is to better understand software components and analyze possible vulnerabilities. This has become an important cybersecurity measure for mitigating threats to every software product. Automating the SBOM makes this process far smoother. Not only is an automated Software Bill of Materials more secure (thanks to cryptographic signing and automated component verification), but automation also ensures components are continuously scanned throughout the integration and deployment pipeline of each software iteration.
Automating SBOM implementation means you rely on advanced tools that work at machine speed to generate your Software Bill of Materials. This saves you time in more ways than one. First, generating an SBOM this way is faster than manually trying to identify individual components and including them in a spreadsheet.
Automating SBOMs also makes detecting vulnerabilities easier and faster. With manually compiled SBOMs, identifying the possible locations of vulnerabilities is a painfully long process.
Updates are also faster with automated SBOMs. Automated systems run frequent checks on your SBOM to identify vulnerabilities based on newly updated dependencies. This way, you can mitigate risks faster and invest your time and resources in other important tasks instead of wasting time creating SBOMs or querying them manually.
NIST and Federal Requirements
In addition to being beneficial, automating SBOMs also carries regulatory importance. Federal requirements on SBOMs, such as the Cyber Supply Chain Management and Transparency Act of 2014, stipulate that automated solutions and tools should be used to generate SBOMs.
Similarly, in July 2021, the National Telecommunications and Information Administration (NTIA) published federally approved guidelines that detail the minimum elements that must be included in every SBOM. Automation support was listed in this documentation as one of the vital elements of every SBOM.
According to the NTIA, the Software Bill of Materials must be both human- and machine-readable and capable of automatic generation. Implementing an automated SBOM makes it easier to track the data included in the document.
Spreadsheets Are Inefficient and Error-Prone
As noted earlier, every software package has hundreds of dependencies. This means there are thousands of data points to cover in a typical Software Bill of Materials. Spreadsheets are simply ill-equipped to manage this volume of data. Entering all these data points manually opens the door to human errors that can have serious consequences if they’re not caught on time. You’re more likely to generate an accurate and comprehensive SBOM when you go for an automated system instead.
One major benefit of automating the SBOM generation process is that it helps to maintain consistency throughout the CI/CD pipeline of the different iterations of a software product. This includes all changes made to a product while it is being built and even after it has been released.
An SBOM is not static. As a product evolves, revisions are made to its Software Bill of Materials to capture every new dependency added. These changes must be communicated to all users and other stakeholders both internally and across the supply chain of the software. It is important that every stakeholder has access to the latest version of an SBOM as well as all previous versions of the software.
With a manually prepared SBOM, maintaining consistency and version control is difficult, and this can lead to conflicts and other problems. An automated SBOM makes sure changes made are consistent, and it is easier to see when and how these changes were made. This is difficult to achieve with a manual system.
Ways to Automate Software Bills of Materials
Regulatory standards such as the NTIA’s minimum requirements for SBOMs stipulate specific formats for the Software Bill of Materials. These standards include Software Package Data Exchange (SPDX) and CycloneDX. Software security teams should know that the very nature of these machine-readable standards already implies that SBOMs are meant to be automated.
Thus, every software security team should ensure the generation and usage of SBOMs by adding an automated step to be executed at a strategic point within their development pipeline to generate the SBOM. This could be an open-source tool for investigating software components after the build is completed or an SCA tool that is integrated within the continuous development pipeline of the software. The different methods of automating Software Bill of Materials are highlighted below.
Use an open-source tool
One of the cheapest ways to create a Software Bill of Materials is to use an open-source tool. They’re practically free, but they only offer rudimentary features. There are several open-source tools that automate the SBOM implementation process. However, most of these tools generate reports in only two formats: CycloneDX and SPDX.
A good example of an open-source SBOM automation tool is Microsoft’s SBOM generator. This general-purpose build-time generator is built to help enterprises generate SBOMs for their software packages. The tool offers cross-platform support and generates SBOMs in the standard Software Package Data Exchange (SPDX) format.
Microsoft’s SBOM generator can be integrated into software packages built with NPM, PyPI, Maven, Rust Crates, Ruby Gems, Linux, and NuGet frameworks to generate the list of dependencies and components. It can also be integrated with public GitHub repositories.
The tool outputs general information about the SBOM documentation as specified in the SBOM minimum requirements. It also lists all the files and packages along with the relationships between them.
Use a plugin tool
Another approach for auto-generating SBOMs is to do so within your continuous integration and continuous deployment pipeline (DevOps pipeline). You can do this using a Maven plugin that integrates within the build stage of your workflow. This approach is a scalable and convenient way to automate the process of generating the Software Bill of Materials right within the pipeline.
You’ll find this to be a lot easier since you’re doing so within the build environment of your project. You just have to pass a few arguments to auto-generate the SBOM. For the Maven plugin, the SBOM is generated in CycloneDX format.
The Maven plugin can generate a comprehensive SBOM that details all the dependencies within your project. To do this, you should start by configuring the pom.xml file before you run the “mvn verify” command to generate the SBOM files. A bom.json file is generated first, followed by the SBOM file.
The Maven plugin comes with a built-in SCA tool that audits the generated SBOM files for dependencies. Once the file has been audited, you can run the SCA tool a second time to generate the Software Bill of Materials again.
One example of such a plugin tool is the Scribe platform, which enables software producers to automatically generate SBOMs. It goes beyond SBOM generation and helps users manage and share their SBOMs, validate integrity, and track vulnerabilities in their containers, dependencies, and pipelines. Here’s a simple overview of how Scribe works for automating SBOM creation:
- Step 1: Register and log in (for free) on Scribe Hub. Users register and set up their projects using this web interface. A separate evidence collector, which runs on Macs and Linux devices, generates the SBOM itself.
- Step 2: Integrate Scribe with your Continuous Integration Pipeline. Adding code snippets from the Scribe Hub to your continuous integration pipeline and/or your final build image will accomplish this.
- Step 3: Generate and export the Software Bill of Materials. A Software Bill of Materials is generated using the Scribe gensbom CLI tool. The SBOM generated can be exported in CycloneDX JSON format.
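As an added illustration (not code from Scribe, the Maven plugin, or any other tool named in this article), the following Python ingests CycloneDX JSON documents like the bom.json or gensbom exports described above, checks them against the NTIA minimum elements listed earlier (supplier, component name, version, unique identifier, dependency relationships, author, timestamp), and diffs two iterations of the same product so the changes between versions are visible. The two SBOM documents, the org.example package names, and the ci-pipeline author are constructed sample data.

```python
import json

# Per-component NTIA minimum elements as they appear in CycloneDX JSON:
# supplier name, component name, version, and a unique identifier (purl).
NTIA_COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def make_bom(version, timestamp, components, deps):
    """Build a minimal CycloneDX 1.4 JSON document (constructed sample, not tool output).
    components: list of (name, version, supplier_or_None); deps: list of (ref, [dependsOn])."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": version,
        "metadata": {"timestamp": timestamp, "authors": [{"name": "ci-pipeline"}]},
        "components": [
            {"type": "library", "name": n, "version": v,
             "bom-ref": f"pkg:maven/org.example/{n}@{v}", "purl": f"pkg:maven/org.example/{n}@{v}",
             **({"supplier": {"name": s}} if s else {})}
            for n, v, s in components],
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in deps],
    })


def check_minimum_elements(bom_json):
    """Return a list of gaps against the NTIA minimum elements (document-level, then per component)."""
    bom = json.loads(bom_json)
    problems = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        problems.append("metadata.timestamp missing")
    if not meta.get("authors"):
        problems.append("metadata.authors missing")
    if not bom.get("dependencies"):
        problems.append("dependency relationships missing")
    for c in bom.get("components", []):
        label = f"{c.get('name')}@{c.get('version')}"
        problems += [f"{label}: {f} missing" for f in NTIA_COMPONENT_FIELDS if not c.get(f)]
    return problems


def diff_components(old_json, new_json):
    """Compare two iterations by component name; returns (added, removed, [(name, old, new)])."""
    def index(bom_json):
        return {c["name"]: c["version"] for c in json.loads(bom_json).get("components", [])}
    old, new = index(old_json), index(new_json)
    changed = sorted((n, old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n])
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed


# Iteration 2 bumps lib-a, drops lib-b, and adds lib-c without a supplier (constructed data).
BOM_V1 = make_bom(1, "2023-01-10T09:00:00Z",
                  [("lib-a", "1.2.0", "Example Org"), ("lib-b", "3.0.1", "Example Org")],
                  [("pkg:maven/org.example/lib-a@1.2.0", ["pkg:maven/org.example/lib-b@3.0.1"])])
BOM_V2 = make_bom(2, "2023-02-01T09:00:00Z",
                  [("lib-a", "1.3.0", "Example Org"), ("lib-c", "0.9.0", None)],
                  [("pkg:maven/org.example/lib-a@1.3.0", ["pkg:maven/org.example/lib-c@0.9.0"])])
```

Running `check_minimum_elements(BOM_V2)` flags the missing supplier on lib-c, and `diff_components(BOM_V1, BOM_V2)` reports the added, removed and upgraded components between the two iterations.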
Use a software composition analysis (SCA) tool
A third approach for generating SBOMs for your software product automatically is by using a third-party software composition analysis tool. An SCA tool analyzes your product to identify third-party components and licenses within the software. The tool assesses the legitimacy of the code as well as compliance with license requirements.
SCA tools scan through the source code, binary files, container images, and manifest files of a piece of software in order to determine its composition and list all the open-source components it includes. As part of building the SBOM, an SCA tool also checks these components against various databases to extract their security information, licenses, and known vulnerabilities.
A software composition analysis tool automates and speeds up the process of creating SBOMs. The tool is designed to scan through thousands of data points within a short time in order to compile a Software Bill of Materials for your product. SCA tools help you secure your DevOps pipeline by providing complete oversight over the components of a software package and the provenance of these components.
Although some companies only generate SBOMs because it has been made mandatory by regulatory requirements, the practice has proven itself as a necessity as far as mitigating software supply chain threats is concerned. Automating the process is even more important as it helps reduce the tedious, time-consuming work of manually compiling SBOMs. SBOM automation, as highlighted in each of the techniques covered in this article, can speed up the SBOM creation process and also make it more accurate and reliable. A plugin tool like Scribe makes it possible to automate SBOM creation right within the development pipeline of your software. Check out our blog and other resources to see how Scribe works for automating SBOM generation and how you can leverage it.