The importance of securing the software supply chain has grown over the past few years as attacks against it have increased. High-profile incidents such as the Sunburst compromise of SolarWinds, and the Log4Shell (Log4j) and Heartbleed (OpenSSL) vulnerabilities that spread through widely used open source components, have highlighted the need for organizations to know exactly what software runs in their systems and to protect the data it handles.
To address this, many organizations are adopting the software bill of materials (SBOM) as a way to secure their software supply chain. An SBOM is analogous to a manufacturing bill of materials, which lists every material and part that goes into a product. For software, an SBOM lists every component used to build a specific application, including shared objects, libraries, and middleware, typically with each component's name, version, and supplier.
SBOMs usually record the license of each component, and because they pin component versions, they can be matched against vulnerability databases to establish the patch status of each component. With this information, organizations can find and patch vulnerable components before malicious actors exploit them. Several companies offer products that help organizations build and manage SBOMs; the following five vendors are worth considering.
1. Anchore
Anchore offers both proprietary software and open source options for SBOM generation. Smaller organizations can use its two open source command-line tools: Syft, which generates an SBOM from a container image or file system, and Grype, which scans those same images and file systems, or an SBOM produced by Syft, for known vulnerabilities. Both tools can be run at each stage of the software development lifecycle (SDLC), with the resulting SBOMs stored in a central repository. Anchore products support multiple SBOM formats, including CycloneDX and Software Package Data Exchange (SPDX).
Anchore Enterprise is aimed at large and enterprise organizations. It generates SBOMs at each stage of the development process that list every software component, including direct and transitive dependencies. Anchore Enterprise is sold in Team, Business, Ultimate, and Ultimate+ tiers, and pricing depends on the tier a company chooses.
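As an added example (not code from Anchore, Syft or Grype), the following Python script shows what a consumer does with an SBOM such as one produced by `syft <image> -o cyclonedx-json`: it parses the component list and licenses out of a constructed CycloneDX JSON document and matches each package URL (purl) against a constructed advisory list using a version-range check, which is a simplified form of the correlation Grype performs against real vulnerability databases. The SBOM content, package names and `TEST-*` advisory identifiers are all made up for illustration, and the numeric version comparison is an assumption that real scanners replace with ecosystem-specific rules.

```python
"""Correlate a CycloneDX SBOM with a vulnerability feed.

Added example, not code from Anchore, Syft or Grype. The SBOM below is a
constructed, minimal CycloneDX 1.4 JSON document in the shape Syft emits
with `-o cyclonedx-json`; the advisory list is constructed too (package
names and TEST-* identifiers are made up). The matching logic, a package
URL (purl) match plus a version-range check, is a simplified version of
what a scanner such as Grype does against real vulnerability databases.
"""
import json
import re

# Constructed SBOM: three components with three different license encodings.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.4.2",
     "purl": "pkg:pypi/examplelib@1.4.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libfoo", "version": "2.1.0-3",
     "purl": "pkg:deb/debian/libfoo@2.1.0-3?distro=debian-12",
     "licenses": [{"license": {"name": "Custom-libfoo"}}]},
    {"type": "library", "name": "widgetkit", "version": "0.9.0",
     "purl": "pkg:npm/widgetkit@0.9.0",
     "licenses": [{"expression": "MIT OR Apache-2.0"}]}
  ]
}
"""

# Constructed advisories: the half-open range [introduced, fixed) is affected.
ADVISORIES = [
    {"id": "TEST-0001", "purl_prefix": "pkg:pypi/examplelib",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
    {"id": "TEST-0002", "purl_prefix": "pkg:deb/debian/libfoo",
     "introduced": "2.0.0", "fixed": "2.1.0", "severity": "medium"},
    {"id": "TEST-0003", "purl_prefix": "pkg:npm/widgetkit",
     "introduced": "1.0.0", "fixed": "1.2.0", "severity": "low"},
]


def parse_purl(purl):
    """Split a purl into (type/namespace/name, version).

    Qualifiers after '?' and a subpath after '#' are dropped; the version is
    whatever follows the last '@' in what remains.
    """
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name, _, version = base.rpartition("@")
    return name, version


def version_key(version):
    """Comparable tuple for simple dotted versions.

    Assumption for this example: versions are numeric parts separated by '.'
    or '-' (so the Debian revision '-3' becomes a trailing part). Real
    scanners apply ecosystem-specific rules (dpkg, semver, PEP 440).
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def load_components(sbom_text):
    """Return name, version, purl and license list for each SBOM component."""
    bom = json.loads(sbom_text)
    comps = []
    for c in bom.get("components", []):
        licenses = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows an SPDX id, a free-text name, or an SPDX expression.
            value = lic.get("id") or lic.get("name") or entry.get("expression")
            if value:
                licenses.append(value)
        comps.append({"name": c["name"], "version": c.get("version"),
                      "purl": c.get("purl"), "licenses": licenses})
    return comps


def match_advisories(components, advisories):
    """Report every component whose purl name matches an advisory and whose
    version falls inside the advisory's affected range."""
    findings = []
    for comp in components:
        if not comp["purl"]:
            continue  # nothing to match on without a purl
        pname, pver = parse_purl(comp["purl"])
        for adv in advisories:
            if pname != adv["purl_prefix"]:
                continue
            if version_key(adv["introduced"]) <= version_key(pver) < version_key(adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"],
                                 "version": pver, "fixed_in": adv["fixed"],
                                 "severity": adv["severity"]})
    return findings


def report(sbom_text, advisories):
    """Parse the SBOM and correlate it; returns (components, findings)."""
    comps = load_components(sbom_text)
    return comps, match_advisories(comps, advisories)


if __name__ == "__main__":
    comps, findings = report(SBOM_JSON, ADVISORIES)
    for c in comps:
        print(f"{c['name']} {c['version']}  licenses={c['licenses']}")
    for f in findings:
        print(f"{f['severity'].upper()} {f['id']}: {f['component']} {f['version']} "
              f"is affected; upgrade to {f['fixed_in']}")
```

Running it reports only `examplelib 1.4.2` against `TEST-0001`: the Debian package sits at the fixed version (its `-3` revision sorts above `2.1.0`) and the npm package predates the affected range. Swapping `SBOM_JSON` for a file Syft actually generated is enough to see the licenses and purls of a real image; what the example deliberately does not do is the ecosystem-aware version comparison and the database lookups that a production scanner such as Grype performs.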
2. Fossa
Vulnerability management vendor Fossa offers an open source command-line SBOM tool that works alongside its vulnerability management product. The tool gives developers an accurate view of the dependencies among a project's code modules and of the third-party licenses used in it. Fossa's vulnerability management product can then flag security vulnerabilities in the components the SBOM lists. It also limits false positives, detects bogus license entries, and alerts teams when a license violation is detected. Fossa integrates with popular version control platforms, including GitHub and GitLab. It is available in three tiers: Free, Business at $52 per month, and Enterprise, with customized enterprise quotes available by contacting Fossa.
3. Mend.io
Mend.io, formerly known as WhiteSource, offers SBOM generation as part of its software composition analysis (SCA) tool. Mend SCA identifies the open source libraries in use and documents each component and its dependencies, with a focus on vulnerability remediation, scalability, false positive detection, and automatic SBOM updates. Mend SCA Advanced starts at $16,000 per year for 20 developers, and Mend SAST (static application security testing) Advanced starts at the same price for 20 developers. The combined Mend SCA and SAST Advanced package starts at $24,000 per year for 20 developers, and the Mend Premium Package is aimed at companies with more than 500 developers. Contact Mend.io for pricing details.
4. Rezilion
Rezilion is a DevSecOps platform whose SBOM generation tool, Dynamic SBOM, gives full visibility into the software components used to build a project. Teams can identify and remediate vulnerabilities throughout the SDLC, and Dynamic SBOM monitors and updates the SBOM in real time. Rezilion offers a free Basic tier with unlimited SBOM generation and limited vulnerability scans and analysis. Premium and Enterprise tiers are also available, with pricing available by contacting Rezilion.
5. Vigilant Ops
The Vigilant Ops InSight Platform is a SaaS-based SBOM tool designed for healthcare, energy, manufacturing, and similar regulated industries. It offers SBOM compliance certification for audits, keeps SBOMs current as components are updated, and provides component validation, SBOM management and distribution, and automated vulnerability discovery. Teams can also use it to build a component listing for legacy software. Vigilant Ops offers a free trial for SBOM generation, and InSight Platform pricing is available by contacting the company.
In conclusion, securing the software supply chain is crucial to protecting organizations from cyber threats. An SBOM gives an organization a complete view of the components in its software, so that vulnerable components can be found and patched quickly. Several companies offer SBOM products, and the five vendors above are solid options for organizations looking to secure their software supply chain.