Skip to content
Speak with an Expert

SOFTWARE BILL OF MATERIALS

How SBOMs Hold Your Software Supply Chains Accountable

 


Add an extra layer of security to your IT and OT environment by deeply analyzing all software for vulnerabilities.

A Software Bill of Materials (SBOM) provides a list of components a piece of software contains. It tells users if the software is safe to include in their environment, and it holds third-party suppliers accountable for the quality and security of their product. 

SBOM solutions identify the following types of risk in a piece of software:

  • Vulnerability - How many, the severity, and the types of vulnerabilities 
  • Dependency - What dependencies, components, and subcomponents are risky or vulnerable within the software
  • Integrity - If it is the officially supported software or if it has been tampered with
  • Malware - The presence of known malware
  • Foreign Presence - What ownership or contributions from non-U.S. developers are in the software
  • License - Does the component license allow it to be used in a commercial product, do modifications need to be released publically

The Benefits of Having an SBOM

When you work with Fortress for your software bill of materials needs, you get:

  • Clear and transparent analysis results, including an easy-to-understand summary for busy executives and security engineers
  • Insight and understanding of the vulnerabilities in the SBOM and the ability to prioritize remediations and mitigations
  • Easy and efficient way to request SBOMs from software vendors so you can get a full picture of your environment’s risk 
  • Ability to streamline your requests and interactions with internal tech teams who own assets and products, as well as the external relationships with suppliers to drive remediation efforts brought up by SBOM analysis results

Fortress Software Bill of Materials Process


PRODUCE

Create SBOMs from binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities and compliance.


SHARE

A secure mechanism for sharing, combined with intuitive administration of permissions, removes friction from SBOM & VEX requests


CONSUME & TRANSFORM

Normalize and consume  supplier provided SBOMs and validate the documents are well formatted and suitable for machine reading.


ANALYZE

Identify vulnerabilities such as outdated components and transitive dependencies, malware and indicators of compromise, component integrity and authenticity, and FOCI

The Fortress SBOM Difference

Fortress can generate SBOMs and give you results like other providers, but we go further with capabilities that dig deeper into the data.

VEX Data

VEX (Vulnerability Exploitability) data and advanced searches within SBOMs

Code Origin

Insight into the origin of code contributions

Code Change Analysis

Detailed analysis of code changes from one release to another

SBOM Database

Database of thousands of publicly available SBOMs

Link Assets

Tie vulnerable software to assets in your environment

Complete SBOM Lifecycle Support

Support throughout SBOM lifecycle — from the fundamentals to detailed specifics

SBOM FAQs

What is a VEX?

A VEX document is a machine-readable advisory that details which vulnerabilities in a software package are exploitable and consequently what assets are high-risk and a cause for concern in software products. It helps you quickly understand which software packages are vulnerable to exploitation so you can prioritize those mitigations.

How should I use SBOMs?

SBOMs are a new tool in your security management toolbox — they are most effective when they are analyzed and incorporated into your security program as a preventative measure, as well as on an ongoing basis for monitoring supply chain risk.

How can I be sure I have the most up-to-date SBOM?

Software is constantly changing — with the emergence of continuous integration and continuous delivery, it’s even more difficult to stay on top of new versions. Fortress monitors for new SBOM versions and will automatically note the differences and provide you with a summary of changes and whether they are a cause for concern.

Why do I need an SBOM?

With the passage of Executive Order 14028, we’re beginning to see a rise in requests for SBOMs from asset owners, especially in the government and utility sectors. These buyers want transparency into the software supporting their operations and to understand the risks of the components running in their environment. Requesting an SBOM in the RFP process increases trust in a supplier’s software and holds them accountable while protecting your most valuable assets.

Ready to learn more? Still have questions?