
FILE INTEGRITY ASSURANCE

Software Bill of Materials (SBOM)

A Method for Prioritization of Software Vulnerabilities


Establish the security and integrity of your cyber supply chain.

A Software Bill of Materials (SBOM) provides those who produce, purchase, and operate software with information that enhances their understanding of their supply chain, enabling multiple benefits, most notably a potential method for tracking known and newly emerged vulnerabilities and risks.

An effectively prepared and analyzed SBOM can be invaluable in addressing critical infrastructure cybersecurity challenges, but the sheer volume of documents and data SBOMs generate creates its own set of challenges. Fortress provides a mechanism to automatically process and correlate elements of an SBOM with known risk attributes:

Vulnerabilities

SBOMs can be cataloged and analyzed to reveal vulnerabilities like outdated components, transitive dependencies, or malware and other indicators of compromise.

Integrity & Authenticity

Verify software authenticity to ensure that the software being installed in the BES Cyber System is from a legitimate source.

Foreign Influence

Gain insight into where open-source code is produced and to what degree a third-party library was developed in nations of adversarial intent.


PRODUCE

Create SBOMs from binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities and compliance.


SHARE

A secure sharing mechanism, combined with patented blockchain solutions and a software-as-a-service option, facilitates the secure distribution of SBOM content to downstream consumers.


CONSUME AND TRANSFORM

Normalize and consume supplier-provided SBOMs and validate that the documents are well formed and suitable for machine reading.


ANALYZE

Identify vulnerabilities such as outdated components and transitive dependencies, malware and indicators of compromise, component integrity and authenticity issues, and FOCI.


Producing an SBOM

The production of SBOMs as part of software development has typically been relegated to source composition analysis (SCA) tools, but these are largely ineffective at analyzing legacy software or software consisting of compiled binaries.

Fortress can create and analyze SBOMs from binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities, and compliance with regulatory mandates such as the National Defense Authorization Act and various presidential executive orders.

By also continuously monitoring software for indicators of compromise and authenticity concerns, the Fortress File Integrity Assurance (FIA) solution continually creates SBOMs for analysis in later phases of this lifecycle.


Analysis

Fortress applies a layer of interpretation to standard SBOMs so clients can prioritize their security response based on factors such as the criticality of the system, the vulnerability, and the software. Our SBOM analysis produces insights into areas not previously available at the software component level, including:

  • Vulnerability analysis, including the details of each CVE detected

  • Dependency listing, including how many major and minor versions behind each component is, and how far behind its transitive dependencies are

  • Graphics of the relationships between the vulnerable components

  • Component integrity and authenticity checks using available hashes and signatures

  • Malware scan of components

  • Foreign Ownership, Control, & Influence (FOCI) with provenance analysis of software contributor location on open-source projects

  • Location of HQ, facilities, and foreign ownership of corporate entities, software, foundations, etc.

  • Licensing information on each component, with answers on copyright and patent protections, use in commercial projects, and whether modified code must be released

Components are searchable to quickly identify products containing an affected component, and with continuous monitoring, when new component vulnerabilities are discovered, we create proactive alerts identifying exactly which products are affected, so you can secure them faster.
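The consume-and-validate step and two of the analysis outputs above (component integrity via hashes, and major/minor versions behind) can be shown on a small scale. The following is an added illustration, not Fortress code: it reads a constructed CycloneDX-style JSON document, rejects it if it is not machine-readable, compares each component's SHA-256 against a hypothetical known-good digest table, and reports version drift against a hypothetical latest-version table.

```python
import hashlib
import json

# Constructed sample document (not a real supplier SBOM) in a CycloneDX-style JSON layout.
GOOD_DIGEST = hashlib.sha256(b"libfoo-1.2.0 artifact bytes").hexdigest()
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "libfoo", "version": "1.2.0", "hashes": [{"alg": "SHA-256", "content": GOOD_DIGEST}]},
    {"name": "libbar", "version": "2.0.1", "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    {"name": "libbaz", "version": "0.9.0"},  # supplier shipped no hash at all
]})

# Hypothetical reference data: known-good digests per exact name/version and latest published versions.
KNOWN_GOOD = {("libfoo", "1.2.0"): GOOD_DIGEST, ("libbar", "2.0.1"): "11" * 32}
LATEST = {"libfoo": "1.3.0", "libbar": "2.0.1", "libbaz": "1.0.0"}

def sbom_errors(raw):
    """Well-formedness checks to run before trusting a document for machine reading."""
    doc = json.loads(raw)
    errors = []
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        errors.append("not a CycloneDX document with a specVersion")
    for c in doc.get("components", []):
        if not c.get("name") or not c.get("version"):
            errors.append(f"component missing name or version: {c}")
    return errors

def versions_behind(current, latest):
    """(major, minor) releases behind for dotted numeric versions; minor counts only within the same major."""
    cur, lat = [int(x) for x in current.split(".")], [int(x) for x in latest.split(".")]
    major = max(lat[0] - cur[0], 0)
    return major, (max(lat[1] - cur[1], 0) if major == 0 else 0)

def check_integrity(component):
    # Compare the SBOM's SHA-256 with the known-good digest for that exact name/version.
    digests = {h.get("alg"): h.get("content") for h in component.get("hashes", [])}
    reference = KNOWN_GOOD.get((component["name"], component["version"]))
    if "SHA-256" not in digests or reference is None:
        return "unverified"  # no hash or nothing to compare against: never report as clean
    return "verified" if digests["SHA-256"] == reference else "mismatch"

def analyze(raw):
    # Reject malformed documents outright, then emit one finding per component.
    if errors := sbom_errors(raw):
        raise ValueError("; ".join(errors))
    findings = []
    for c in json.loads(raw)["components"]:
        major, minor = versions_behind(c["version"], LATEST.get(c["name"], c["version"]))
        findings.append({"component": c["name"], "version": c["version"], "integrity": check_integrity(c),
                         "major_behind": major, "minor_behind": minor})
    return findings
```

A real consumer would take the known-good digests from a signed supplier manifest and the version table from a package index, and would treat "unverified" and "mismatch" as findings to triage rather than silently passing them.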