FILE INTEGRITY ASSURANCE
Software Bill of Materials (SBOM)
A Method for Prioritization of Software Vulnerabilities
Establish the security and integrity of your cyber supply chain.
A Software Bill of Materials (SBOM) provides those who produce, purchase, and operate software with information that enhances their understanding of their the supply chain to enable multiple benefits, most notably a potential method for tracking known and newly emerged vulnerabilities and risks.
An effectively prepared and analyzed SBOM can be invaluable in addressing critical infrastructure cybersecurity challenges, but the sheer volume of documents and data they generate create their own set of challenges. Fortress provides a mechanism to automatically process and correlate elements of an SBOM to known risk attributes:
SBOMs can be cataloged and analyzed to reveal vulnerabilities like outdated components, transitive dependencies, or malware and other indicators of compromise.
Integrity & Authenticity
Verify software authenticity to ensure that the software being installed in the BES Cyber System is from a legitimate source.
Gain insights into where open-source code is produced and to what degree a 3rd party library was developed in nations of adversarial intent
Create SBOMs from binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities and compliance.
A secure mechanism for sharing combined with patented blockchain solutions as well as software as a service option facilitates the secure sharing to downstream consumers of SBOM content.
Normalize and consume supplier provided SBOMs and validate the documents are well formatted and suitable for machine reading.
Identify vulnerabilities such as outdated components and transitive dependencies, malware and indicators of compromise, component integrity and authenticity, and FOCI
Producing an SBOM
The production of SBOMs as part of software development has been typically relegated to source composition analysis (SCA) but these are largely ineffective at analyzing legacy software, or software consisting of compiled binaries.
Fortress can create and analyze SBOMs using binary or available source code to answer questions such as provenance, foreign adversary control and influence (FOCI), component obsolescence, vulnerabilities and compliance with regulatory mandates such as National Defense Authorization Act and various presidential executive orders.
By also continuously monitoring software for indicators of compromise and authenticity concerns, the Fortress File Integrity Assurance (FIA) solution continually creates SBOMs for analysis in later phases of this lifecycle.
Fortress applies a layer of interpretation to the standard SBOMs so clients can prioritize their security response based on things like criticality of the system, the vulnerability, and the software. Our SBOM analysis produces insights into areas not previously available at the software component level, including:
Vulnerability analysis, including the details of each CVE detected
Dependencies listing, along with Major and Minor version behind, and transitive dependencies behind
Graphics of the relationships between the vulnerable components
Component integrity and authenticity checks using available hashes and signatures
Malware scan of components
Foreign Ownership, Control, & Influence (FOCI) with provenance analysis of software contributor location on open-source projects
Location of HQ, facilities, and foreign ownership of corporate entities, software, foundations, etc.
Licensing information on each component, with answers to copyright and patent protections, use in commercial projects, and if modification code must be released
Components are searchable to quickly identify products containing the affected component, and with continuous monitoring, when new component vulnerabilities are discovered, we create proactive alerts on exactly which products are affected you can secure yourself faster.