PBOM vs SBOM: A New Security Standard

Ask any manufacturer what a BOM is, and they can answer in their sleep. For decades, manufacturers have used a Bill of Materials (BOM) to document complex manufactured goods down to their smallest components – enabling them to track the origin and status of each component in any given product. This way, for example, an engine manufacturer can always know exactly which engines of the hundreds of thousands produced contain a flawed part, and thus which cars need to be recalled to rectify that flaw.

What is an SBOM?

Similarly, the traditional concept of a Software Bill of Materials (SBOM) is familiar to development stakeholders. An SBOM lists the name, version, license and any vulnerabilities of the open source components used to develop and build a piece of software, as well as of the components nested within those components. The SBOM is important for quality control and crucial for software supply chain security.

Software supply chain security, like cybersecurity as a whole, is top of mind for most DevOps teams. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. These attacks are increasingly sophisticated and difficult to detect. To counter this existential threat, software suppliers need to understand exactly what’s included in their code. They need to be able to identify the source of a vulnerability F-A-S-T in order to remediate before the entire supply chain is threatened.

The problem is, an SBOM doesn’t actually cover the entire software supply chain. SBOMs are static lists of mapped open-source software dependencies. These lists simply do not go far enough to provide the end-to-end security and integrity a dev pipeline needs. SBOMs only scan part of the software supply chain. Thus, despite the best efforts of SBOM providers, today’s software supply chains remain a black box. The most pressing challenge in software supply chain security is how to turn that black box into a source of security and business intelligence.

That’s why we created PBOM (Pipeline Bill of Materials) technology.

What is a PBOM?

Ox Security’s PBOM technology provides a real-time list of software lineage, from the first line of code all the way to release – while identifying and preventing threats along the way. PBOM was designed from the ground up to ensure the integrity of every build, helping DevOps/DevSecOps verify that all apps in production are secure and eliminating the attack surface.

More than just an SBOM-like inventory of components in your production apps, a PBOM is a dynamic list of everything a piece of software has gone through. It starts with the first line of code and continues all the way through to release, identifying any vulnerabilities along the way.

PBOM delivers automated and comprehensive tracking of each component in your software supply chain and the processes associated with that component – from planning and code to deployment. Light-years beyond an SBOM, a PBOM is a signed ledger of each pipeline build. A PBOM tracks the entire software life cycle, including all version lineage, SaasBOM, security tool results, build hashes, and more.

What can PBOM do for me?

PBOM maximizes software supply chain security and integrity with an automated process that covers all software, from the first line of code, delivering:

Complete pipeline security – PBOM technology automatically tracks all pipeline branches, builds, pull requests, tickets, known issues and vulnerability management, to enable full visibility into your organization’s security posture.

Comprehensive integrity – PBOM ensures that software is built from the correct sources and dependencies and hasn’t been modified during the build process. It verifies that no “bad” code is submitted without alert and review and no malicious code is pushed via a compromised pipeline.

Full traceability – PBOM continuously monitors every pipeline change – from proper documentation of changes and updating BOM consumption, to tracing each of your software releases.

PBOM enables dev stakeholders to verify that each version or artifact provided to external customers has been checked properly and the release is “worthy”. It empowers dev teams to compare artifacts in production to the PBOM ledger to ensure traceability on each release. And it helps them gain visibility into each pipeline in the internal build environment – marking each artifact with a proper security tag.
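As an added illustration (not Ox Security's code and not the PBOM format), the sketch below shows the kind of check described above: each pipeline build is recorded in a signed, chained ledger, and an artifact found in production is compared against it. The field names, the HMAC used as a stand-in for a real signature, and the sample data are all assumptions.

```python
import hashlib, hmac, json

# Constructed demo key (assumption). A real ledger would use an asymmetric
# signature whose private key is held only by the build system.
LEDGER_KEY = b"constructed-demo-key"

def sign_entry(entry: dict, key: bytes = LEDGER_KEY) -> str:
    """HMAC-SHA256 over the canonical JSON form of one ledger entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def record_build(ledger: list, build_id: str, commit: str,
                 artifact: bytes, scans_passed: bool) -> dict:
    """Append a signed record of one build, chained to the previous record."""
    entry = {
        "build_id": build_id,
        "commit": commit,
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "scans_passed": scans_passed,
        "prev_sig": ledger[-1]["sig"] if ledger else "",
    }
    record = dict(entry, sig=sign_entry(entry))
    ledger.append(record)
    return record

def verify_artifact(ledger: list, artifact: bytes, key: bytes = LEDGER_KEY) -> str:
    """Classify a production artifact against the whole ledger."""
    digest = hashlib.sha256(artifact).hexdigest()
    prev_sig, match = "", None
    for record in ledger:
        entry = {k: v for k, v in record.items() if k != "sig"}
        expected = sign_entry(entry, key)
        # An edited, reordered or deleted record breaks the signature or chain.
        if entry["prev_sig"] != prev_sig or not hmac.compare_digest(record["sig"], expected):
            return "ledger-tampered"
        prev_sig = record["sig"]
        if entry["artifact_sha256"] == digest:
            match = entry
    if match is None:
        return "unknown-artifact"   # never produced by a recorded build
    return "verified" if match["scans_passed"] else "scans-failed"

if __name__ == "__main__":
    ledger = []  # constructed sample builds
    record_build(ledger, "build-1", "c0ffee1", b"app-v1", True)
    record_build(ledger, "build-2", "c0ffee2", b"app-v2", False)
    for blob in (b"app-v1", b"app-v2", b"app-v1-modified"):
        print(blob, verify_artifact(ledger, blob))
```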

The Bottom Line

The software industry’s long reliance on SBOMs has left large parts of the software supply chain attack surface in the dark. Now, PBOM technology offers a new standard for software supply chain security. It provides DevOps teams with full visibility over the software supply chain attack surface – source code, pipeline, artifacts, container images, runtime assets, and applications. It continuously monitors security changes to the environment – ensuring that the software supply chain does not drift from its original secure state. What’s more, PBOM delivers clear and actionable remediation strategies, with a list of prioritized risks and recommendations that take into consideration context and company business objectives.

Most importantly, in a development ecosystem that demands both speed and security – PBOM minimizes the attack surface without impeding developer agility, preventing software supply chain attacks without slowing down development.

For more information on how PBOMs can help streamline your software supply chain security, contact us today.

