TalkSecure

VEXing SBOMs


By Deb Radcliff, industry analyst and editor of CodeSecure’s Talk Secure educational content (syndicated at Security Boulevard, YouTube, and Bright Talk).

There’s been a lot of buzz around Software Bills of Materials (SBOMs), essentially an ingredient list of all the software components in a product, with their versions and origins, against which known vulnerabilities can be looked up. Developers have been the first to adopt SBOMs, using them to examine dependencies as they build products. However, confusion around frameworks, standards, documentation, and naming systems is holding back widespread interpretation and use of SBOMs on the consumer side.

There are several working groups trying to solve these problems. The Open Worldwide Application Security Project (OWASP) has been particularly busy with multiple working groups to make SBOMs useful to developers and security practitioners at their customer organizations. 

In this show, we’re lucky to have Tom Alrich, leader of the OWASP SBOM Forum project and author of the book “Introduction to SBOM and VEX,” along with his close associate Steve Springett, chair of the OWASP CycloneDX Bill of Materials standard. These are two major OWASP efforts: the SBOM Forum, which tackles the component naming problem and VEX documentation, and CycloneDX, a standard format for software supply chain data.

Supplying VEX (Vulnerability Exploitability eXchange) documentation, for example, would help consumers of SBOMs narrow the myriad vulnerabilities reported across their SBOMs down to the small percentage that actually need addressing. Think of VEX as additional documentation that accompanies the SBOM, Tom explains. Once the open issues of how VEX statements are expressed and how they connect to the CVE (Common Vulnerabilities and Exposures) identifiers that developers and buyers most commonly refer to are resolved, VEX can help solve the problem of vulnerability prioritization.

But in its current stage, VEX is just an idea, contends Springett. In addition to OWASP, he says, “Other work the NTIA and CISA are doing in shaping VEX is noble, and we have multiple standards that implement that idea in a few different ways—some of which are tied to advisories like CISA, some of which are very minimal and idealistic to that format, like OpenVEX, and some under other formats like Cyclone for formatting that information.”
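To make the narrowing step concrete, here is an added example (written for this page, not code from the show, OWASP, or CycloneDX) of how an SBOM consumer would apply VEX statements to a scanner’s findings. The SBOM fragment, the scanner findings, the VEX document and every CVE identifier in it are constructed test data; the SBOM shape is modelled on CycloneDX components with purls and the VEX shape on OpenVEX statements (a vulnerability name, a list of products, a status, and a justification), so check the current specifications before relying on the exact field names. The triage rule is deliberately conservative: a finding is only dropped when a matching statement says not_affected or fixed, and a not_affected statement without a justification or impact statement is ignored rather than trusted.

```python
"""Apply a VEX document to scanner findings (added example, not from the post).

All inputs below are constructed for this example. Field names are modelled on
CycloneDX (components with purls) and OpenVEX (statements with vulnerability,
products, status, justification); verify them against the real specifications.
"""
import json

# Constructed CycloneDX-style SBOM fragment: three components identified by purl.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3"},
        {"type": "library", "name": "libcrypto-example", "version": "3.0.8",
         "purl": "pkg:generic/libcrypto-example@3.0.8"},
        {"type": "library", "name": "logger", "version": "2.14.1",
         "purl": "pkg:maven/com.example/logger@2.14.1"},
    ],
})

# Constructed scanner output: (vulnerability id, component purl) pairs. The CVE ids are fictitious.
FINDINGS = [
    ("CVE-2099-0001", "pkg:npm/example-lib@1.2.3"),
    ("CVE-2099-0002", "pkg:generic/libcrypto-example@3.0.8"),
    ("CVE-2099-0003", "pkg:maven/com.example/logger@2.14.1"),
    ("CVE-2099-0004", "pkg:npm/example-lib@1.2.3"),
    ("CVE-2099-0005", "pkg:npm/left-pad-example@0.0.1"),   # not in the SBOM at all
]

# Constructed OpenVEX-style document from the (fictitious) supplier.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/2024-001",
    "author": "Example Vendor PSIRT",
    "timestamp": "2024-01-15T10:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-2099-0001"},
         "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2099-0002"},
         "products": [{"@id": "pkg:generic/libcrypto-example@3.0.8"}],
         "status": "under_investigation"},
        {"vulnerability": {"name": "CVE-2099-0003"},
         "products": [{"@id": "pkg:maven/com.example/logger@2.14.1"}],
         "status": "not_affected"},   # no justification: must NOT suppress the finding
    ],
})

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def index_vex(vex_doc):
    """Map (vulnerability name, product id) -> statement. Later statements win (simplification)."""
    index = {}
    for stmt in vex_doc.get("statements", []):
        vuln = stmt.get("vulnerability", {}).get("name")
        if not vuln or stmt.get("status") not in VALID_STATUSES:
            continue  # malformed statement: ignore rather than act on it
        for product in stmt.get("products", []):
            pid = product.get("@id")
            if pid:
                index[(vuln, pid)] = stmt
    return index


def statement_is_trustworthy(stmt):
    """A not_affected claim needs a justification or impact_statement before we act on it."""
    if stmt["status"] != "not_affected":
        return True
    return bool(stmt.get("justification") or stmt.get("impact_statement"))


def triage(findings, sbom_doc, vex_doc):
    """Split findings into actionable and suppressed; anything unexplained stays actionable."""
    known_purls = {c["purl"] for c in sbom_doc.get("components", []) if "purl" in c}
    vex_index = index_vex(vex_doc)
    actionable, suppressed, warnings = [], [], []
    for cve, purl in findings:
        if purl not in known_purls:
            warnings.append(f"{cve}: {purl} is not in the SBOM; scanner and SBOM disagree")
            actionable.append((cve, purl, "not_in_sbom"))
            continue
        stmt = vex_index.get((cve, purl))
        if stmt is None:
            actionable.append((cve, purl, "no_vex_statement"))
        elif stmt["status"] in SUPPRESSING_STATUSES and statement_is_trustworthy(stmt):
            suppressed.append((cve, purl, stmt["status"]))
        else:
            if stmt["status"] == "not_affected":
                warnings.append(f"{cve}: not_affected for {purl} lacks a justification; ignoring it")
            actionable.append((cve, purl, stmt["status"]))
    return {"actionable": actionable, "suppressed": suppressed, "warnings": warnings}


def run_example():
    return triage(FINDINGS, json.loads(SBOM_JSON), json.loads(VEX_JSON))


if __name__ == "__main__":
    result = run_example()
    for key in ("suppressed", "actionable", "warnings"):
        print(key)
        for item in result[key]:
            print("  ", item)
```

Of the five constructed findings, only the one with a justified not_affected statement is suppressed; the under_investigation one, the unjustified not_affected one, the one with no statement, and the one whose purl is not even in the SBOM all remain on the to-do list. Matching is by exact purl string, which is precisely where the naming problem discussed above bites: if the scanner and the supplier spell the same component differently, no statement matches and nothing is suppressed.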

In this show, Tom and Steve share the best use cases for VEX and SBOMs, how SBOMs are becoming a natural part of the build pipeline, alternatives to VEX, upcoming proof of concept exercises on specifications under development, and plans for a secure SBOM transparency exchange API to share artifacts and intelligence across software supply chains.

Resources:

Get Tom’s book, “Introduction to SBOM and VEX,” and connect with Tom on LinkedIn for his email address.

OWASP SBOM Forum

CycloneDX Guides to SBOM, CBOM (Cryptographic BOMs), attestations, and more.

OWASP BOM Maturity model, a TalkSecure interview with Steve Springett

SBOM Use Cases, a TalkSecure whitepaper

SBOM Examples, a TalkSecure whitepaper

How CodeSentry BCA (Binary Composition Analysis) works with CycloneDX and other formats to generate SBOMs.
