The Open Source Security Foundation (OpenSSF), in collaboration with the US government, has launched a new tool to simplify Software Bill of Materials (SBOMs) management for organizations.
Protobom, the new open source software tool, will help all organizations read and generate SBOMs and file data, as well as translate this data across standard industry SBOM formats.
It is designed to be integrated into applications that link SBOM information with external records of vulnerabilities and severity information from trusted sources. Therefore, it can provide system administrators and software development communities with information on available patches and mitigations for particular pieces of software.
Protobom offers seamless interoperability across all applications, both commercial and open source, and is able to access, read and translate SBOMs in various data formats.
OpenSSF, a non-profit cross-industry forum focused on improving open-source software security, said the tool will overcome the issue of multiple SBOM data formats and identification schemes, which makes it harder for organizations to adopt SBOM usage.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) have worked with OpenSSF, funding a cohort of seven startups to develop Protobom.
Omkhar Arasaratnam, General Manager of OpenSSF, commented: “Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies.
“The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission,” Arasaratnam said.
Meeting Growing SBOM Requirements
A Software Bill of Materials (SBOM) is a list containing an inventory of software components, licenses and code dependencies in an organization.
This provides transparency around software, identifying potential vulnerabilities and other security issues, which has come into the spotlight in recent years following numerous high-profile software supply chain incidents.
These include SolarWinds in 2020, Kaseya in 2021, Log4j in 2022 and MOVEit in 2023, which have led to hundreds and even thousands of organizations to be hit through a single vulnerability.
In May 2021, US President Joe Biden issued an Executive Order specifying requirements for SBOMs among software suppliers to federal agencies.
In October 2023, three US government agencies proposed new rules for federal contractors which would require them to develop and maintain a software bill of materials (SBOM) for any software used to deliver a contract.
The US National Cybersecurity Strategy, introduced in March 2023, also aims to advance the use of SBOMs more widely across the nation, boosting the principle of security by design.
Allan Friedman, CISA Senior Advisor and Strategist, believes Protobom’s interoperability capabilities provide a major step towards a more transparent software-driven world.
“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” explained Friedman.