By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. To protect the software supply chain, the recent US Executive Order 14028 calls for the adoption of the Software Bill of Materials (SBOM). An SBOM is a list of all the third-party components used in a codebase; it records information such as licenses, versions, and sub-packages so that security teams can evaluate component reputation and identify security and license risks.
Generating the SBOM is the first step toward realizing its benefits. Most existing SBOM analysis tools require the target program's source code in order to identify third-party components and dependencies. However, that is not enough, because:
- The vendors of imported libraries may not release their source code or their SBOMs, rendering the existing SBOM analysis tools ineffective.
- Vendor-produced SBOMs may be corrupted or not accurate. Those SBOMs need to be audited before being imported into the SBOM management platform. Existing tools cannot meet this need when the source code of the target program is not available.
- There is a huge number of legacy systems whose source code is no longer available. These systems still run critical services, but current solutions cannot produce SBOMs for them because the source code is missing.
- Current applications are usually integrated with many SaaS services (e.g., Stripe, Auth0). Existing tools only consider the software components inside the application and ignore these integrated SaaS services.
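The second and fourth points above, auditing a vendor-supplied SBOM against what is actually present in the shipped executable, can be turned into a simple cross-check. The following is an added example, not code from Deepbits; it assumes the vendor SBOM is CycloneDX-style JSON, uses constructed component data in place of a real executable-level scan, and applies an assumed license policy.

```python
import json

# Constructed vendor-supplied SBOM in CycloneDX-style JSON (assumed format; sample values).
VENDOR_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "openssl", "version": "3.0.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "libcurl", "version": "7.85.0",
     "licenses": [{"license": {"id": "curl"}}]},
]})

# Constructed (name, version, license) triples reported by an executable-level scan of the binary.
OBSERVED_IN_BINARY = [
    ("zlib", "1.2.11", "Zlib"),
    ("openssl", "1.1.1k", "Apache-2.0"),  # older than the SBOM claims
    ("readline", "8.1", "GPL-3.0-only"),  # statically linked, not declared in the SBOM
]

# Licenses the reviewer wants flagged in a proprietary product (assumed policy).
FLAGGED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def parse_sbom(sbom_json):
    """Return {name: (version, license_id)} from a CycloneDX-style SBOM."""
    declared = {}
    for comp in json.loads(sbom_json).get("components", []):
        lic = (comp.get("licenses") or [{}])[0].get("license", {}).get("id", "NOASSERTION")
        declared[comp["name"]] = (comp.get("version", "?"), lic)
    return declared

def audit_sbom(sbom_json, observed, flagged=FLAGGED_LICENSES):
    """Cross-check a vendor SBOM against the binary; returns (finding, component, detail) tuples."""
    declared = parse_sbom(sbom_json)
    findings, seen = [], set()
    for name, version, lic in observed:
        seen.add(name)
        if name not in declared:
            findings.append(("undeclared", name, f"{version} in binary, absent from SBOM"))
        elif declared[name][0] != version:
            findings.append(("version_mismatch", name, f"SBOM {declared[name][0]} vs binary {version}"))
        if lic in flagged:
            findings.append(("license_risk", name, lic))
    for name in sorted(declared.keys() - seen):
        findings.append(("not_observed", name, "declared in SBOM, not found in binary"))
    return findings

if __name__ == "__main__":
    for finding in audit_sbom(VENDOR_SBOM, OBSERVED_IN_BINARY):
        print(*finding)
```

Running it reports the outdated openssl version, the undeclared GPL-licensed readline, and the libcurl entry that the SBOM declares but the binary does not contain.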
To address these challenges, we developed Deepbits, a code intelligence platform that efficiently generates SBOMs directly from executable code using our patented Code AI technology. It uncovers the components of executable code even when they are statically linked in, providing visibility far beyond other solutions. The resulting SBOMs are further processed to identify vulnerabilities, malware, license violations, and other threats in the software supply chain.
Interested readers can also try our free Software Supply Chain Arsenal including: