SBOMs
In the wake of major software supply chain cyber attacks such as Log4Shell, organizations worldwide are responding by ramping up requirements for transparency in their vendor software supply chains.
Software vendors will face new requirements, including providing software bills of materials (SBOMs).
What is an SBOM?
Simply put, a Software Bill of Materials (SBOM) is a list of software dependencies that are used in a given piece of technology, from a software application, to a medical device, to an industrial machine. Much like a box of cereal would list its ingredients, software vendors are being asked to do the same.
Why does it matter?
SBOMs have been around as a concept for years.
However, the recent Log4Shell cyber attack brought the need for software supply chain transparency into focus. In that attack, Log4j, a widely used logging library relied on by over 12 million Java developers, contained a vulnerability that allowed remote code execution (RCE). Organizations were left scrambling to determine whether any of their internal applications used an affected version of Log4j, and whether any of their vendors did.
In the case of third-party vendor exposure, the only solution was often to call or e-mail suppliers one by one, which took weeks. In light of this serious, messy, time-consuming, and manual task, more and more organizations are turning to SBOMs to understand their third-party software supply chains.
What is required?
Recently, several pieces of legislation have been adopted to require SBOMs of software vendors. Executive Order 14028 in May 2021 set requirements for federal agencies to begin requiring SBOMs. The FDA has issued draft guidance for medical device manufacturers suggesting that SBOM requirements are not far off. The Department of Defense (DoD) and other federal agencies and departments are also beginning to require SBOMs for new and existing contracts.
How do I generate an SBOM?
Manifest makes it easy to generate SBOMs using the most modern SBOM-generation tools from organizations like OWASP. By adding just a few lines to your CI/CD pipeline, your engineers generate an SBOM every time they compile and build their application, and those SBOMs are sent directly to your Manifest repository for aggregation, monitoring, and alerting.
By adopting this zero-click SBOM generation approach, enterprises can comply with SBOM requirements without any developer distraction or overhead.
What do I do with my SBOMs?
SBOMs are only as valuable as what an enterprise does with them.
We at Manifest centralize SBOMs from across an enterprise, proactively scan them using data curated from seven different vulnerability databases, and automatically create alerts and tickets for your team to action.
What's more, we filter out vulnerabilities with little-to-no probability of exploit, ensuring that your team receives the highest signal-to-noise ratio we can provide.
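To make the two ideas above concrete, the dependency list that an SBOM amounts to and the scan-and-filter step performed on it, here is a small added Python example (not Manifest's code or any tool from this page). It reads a constructed CycloneDX-style SBOM, matches each component against a constructed vulnerability feed with placeholder IDs and sample version ranges, and drops findings whose assumed exploit probability falls below a threshold:

```python
"""Scan a minimal SBOM against a small vulnerability feed and keep only the
findings likely to be exploitable. Everything below is constructed sample
data: the SBOM is a CycloneDX-style fragment, the feed is not a real advisory."""
import json

# Constructed SBOM: one application listing its dependencies (CycloneDX-style).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "com.example", "name": "widget-lib", "version": "1.3.0"}
  ]
}"""

# Constructed feed: placeholder IDs, sample ranges and made-up exploit scores.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "name": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "exploit_probability": 0.97},
    {"id": "VULN-PLACEHOLDER-2", "name": "widget-lib",
     "introduced": "1.0.0", "fixed": "1.4.0", "exploit_probability": 0.01},
]

def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so version ranges compare numerically."""
    return tuple(int(part) for part in version.split("."))

def affected(component, vuln):
    """True when the component's version lies in [introduced, fixed)."""
    if component["name"] != vuln["name"]:
        return False
    ver = parse_version(component["version"])
    return parse_version(vuln["introduced"]) <= ver < parse_version(vuln["fixed"])

def scan(sbom_json, feed, min_exploit_probability=0.1):
    """Return (component, vuln id) pairs, dropping low-probability noise."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if not affected(comp, vuln):
                continue
            if vuln["exploit_probability"] >= min_exploit_probability:
                findings.append((f'{comp["name"]}@{comp["version"]}', vuln["id"]))
    return findings

if __name__ == "__main__":
    for component, vuln_id in scan(SBOM_JSON, VULN_FEED):
        print(f"ALERT {vuln_id}: {component}")
```

With the default threshold only the old log4j-core entry is reported; lowering the threshold to zero also surfaces the widget-lib finding that the filter otherwise drops as noise.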
Contact Us
Do you have SBOM requirements that you would like to manage? Contact us to discuss how Manifest can help.