SOFTWARE BILL OF MATERIALS
Get Software Supply Chain Accountability with an SBOM
Add an extra layer of security to your IT and OT environment by deeply analyzing all software for vulnerabilities.
A Software Bill of Materials (SBOM) provides a list of components a piece of software contains. It tells users if the software is safe to include in their environment, and it holds third-party suppliers accountable for the quality and security of their product.
SBOM solutions identify the following types of risk in a piece of software:
- Vulnerability - How many, the severity, and the types of vulnerabilities
- Dependency - What dependencies, components, and subcomponents are risky or vulnerable within the software
- Integrity - If it is the officially supported software or if it has been tampered with
- Malware - The presence of known malware
- Foreign Presence - What ownership or contributions from non-U.S. developers are in the software
- License - Does the component license allow it to be used in a commercial product, do modifications need to be released publically
The Benefits of Having an SBOM
When you work with Fortress for your software bill of materials needs, you get:
- Clear and transparent analysis results, including an easy-to-understand summary for busy executives and security engineers
- Insight and understanding of the vulnerabilities in the SBOM and the ability to prioritize remediations and mitigations
- Easy and efficient way to request SBOMs from software vendors so you can get a full picture of your environment’s risk
- Ability to streamline your requests and interactions with internal tech teams who own assets and products, as well as the external relationships with suppliers to drive remediation efforts brought up by SBOM analysis results
Fortress Software Bill of Materials Process
Create SBOMs from binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities and compliance.
A secure mechanism for sharing, combined with intuitive administration of permissions, removes friction from SBOM & VEX requests
CONSUME & TRANSFORM
Normalize and consume supplier provided SBOMs and validate the documents are well formatted and suitable for machine reading.
Identify vulnerabilities such as outdated components and transitive dependencies, malware and indicators of compromise, component integrity and authenticity, and FOCI
How NAESAD Secures the Nation’s Energy Supply Chain
The North American Energy Software Assurance Database (NAESAD) was created to help the nation’s energy providers understand cyber risks and how to best mitigate them. To do this, Fortress partnered with the nation’s top five utility companies and software providers to create a comprehensive SBOM library for common vendors and products.Our goal is to level the playing field and fight back against cyber attackers and adversaries. Learn more about how you can join NAESAD.
The Fortress SBOM Difference
Fortress can generate SBOMs and give you results like other providers, but we go further with capabilities that dig deeper into the data.
What is a VEX?
A VEX document is a machine-readable advisory that details which vulnerabilities in a software package are exploitable and consequently what assets are high-risk and a cause for concern in software products. It helps you quickly understand which software packages are vulnerable to exploitation so you can prioritize those mitigations.
How should I use SBOMs?
SBOMs are a new tool in your security management toolbox — they are most effective when they are analyzed and incorporated into your security program as a preventative measure, as well as on an ongoing basis for monitoring supply chain risk.
How can I be sure I have the most up-to-date SBOM?
Software is constantly changing — with the emergence of continuous integration and continuous delivery, it’s even more difficult to stay on top of new versions. Fortress monitors for new SBOM versions and will automatically note the differences and provide you with a summary of changes and whether they are a cause for concern.
Why do I need an SBOM?
With the passage of Executive Order 14028, we’re beginning to see a rise in requests for SBOMs from asset owners, especially in the government and utility sectors. These buyers want transparency into the software supporting their operations and to understand the risks of the components running in their environment. Requesting an SBOM in the RFP process increases trust in a supplier’s software and holds them accountable while protecting your most valuable assets.