Understanding SBOMs: An Introduction to Modern Development
0 likes307 views
The document provides an introduction to Software Bill of Materials (SBOMs), covering their definitions, standards, generation tools, and integration into development workflows. It emphasizes the importance of SBOMs for regulatory compliance, vulnerability management, and informed software procurement. Additionally, practical examples illustrate how SBOMs can aid in identifying software components and dependencies, alongside discussions on best practices and tools for generation.
Understanding SBOMs: An Introduction to Modern Development
- 1. Understanding SBOMs 1 An Intro to Modern Development
- 2. Housekeeping 2 01 02 03 All participant lines are muted Questions will be accepted throughout, enter questions via Q&A panel You will receive a follow-up email with a link to the recording 04 Please respond to poll questions as they are appear on your screen
- 3. Introductions 3 Josh Bressers VP of Security Alan Pope Director of Developer Relations Chris Phillips Senior Software Engineer
- 4. Today’s Topics 4 01 02 03 Defining SBOM standards and formats Best practices for generating and automating SBOMs Integrating SBOMs into existing infrastructure and workflows 04 Practical tips for protecting against emerging supply chain threats
- 5. Anchore Overview Select Public Sector Customers Select Enterprise Customers ● Founded in 2016 in California by ex-Ansible / Red Hat / Eucalyptus Founders ● Creators of Syft and Grype with tens of million downloads ● Anchore Enterprise deployed in the DOD and the largest technology vendors in the world since 2018 5
- 6. Software Bill of Materials 6 What an SBOM is, and why it matters
- 7. Bill of Materials (BOM) 7 A hardware BOM from a RepRap 3d Printer Hot end. ● Lists physical parts ● Includes quantities, part numbers ● Essential for production planning, inventory management, assembly https://reprap.org/wiki/RepRap
- 8. Software Bill of Materials (SBOM) 8 A small section from an SBOM. ● Machine and ~human readable file ● Lists all components and dependencies in your software. ● Industry-standard formats include SPDX, CycloneDX, and SWID for sharing SBOMs.
- 9. SBOM Generation Rationale ● Meet US and EU regulatory requirements ■ White House Executive Order (EO 14028) ■ EU Cyber Resilience Act ● Identify vulnerable components ■ E.g. Log4J ● Track licenses usage and legal compliance ● Make informed software procurement decisions ● Speed up incident response 9
- 10. SBOM Generation 10 Where SBOMs come from, and common standards
- 11. SBOM Formats - SPDX 11 ● ISO-standard format maintained by the Linux Foundation to document software components ● Tracks licenses, copyrights, and security details for each component in your software ● Strong industry adoption across major tech companies https://spdx.dev - The Linux Foundation's official SPDX site
- 12. SBOM Formats - CycloneDX 12 ● Created by OWASP specifically for security and supply chain analysis ● Excels at tracking both direct and indirect dependencies ● Includes support for containers, cloud services, and modern development needs https://cyclonedx.org/ - OWASP's official specification site
- 13. SBOM Generation tools 13 ● SPDX-Tools: Official Linux Foundation tool for generating SPDX SBOMs ● cdxgen: OWASP's native tool for creating CycloneDX SBOMs from software projects ● Syft: Anchore's universal SBOM generator, supporting multiple formats and container images. Integrated into Grype, Anchore’s vulnerability scanner. ● Microsoft SBOM Tool: Cross-platform tool supporting both SPDX and CycloneDX formats ● Tern: VMware's container-focused SBOM generator with support for multiple formats. ● Plus many ecosystem & language specific SBOM generators
- 14. Getting Started with Syft - DEMO 14 # Install Syft (varies by platform) # See: https://github.com/anchore/syft#installation curl -sSfL https:-/raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin # Generate human-readable SBOM from a small container published in docker hub syft alpine:latest # Generate SPDX SBOM, and write to a file and the console via jq syft alpine:latest -o spdx-json=alpine_latest_spdx.json -o spdx-json | jq . # Generate CycloneDX SBOM, and write to a file and the console via jq # /! Note: an older Alpine release syft alpine:3.10 -o cyclonedx-json=alpine_310_cyclonedx.json -o cyclonedx-json | jq . # Generate human-readable SBOM from a substantial container published in docker hub # /! ~420MB container download! # Takes >10s to run syft nextcloud:latest
- 15. Getting Started with Grype - DEMO 15 # Install Grype (varies by platform) # See: https://github.com/anchore/grype#installation curl -sSfL https:-/raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin # Generate human-readable vulnerability report from a small older container published in # docker hub. This will internally generate a new SBOM. grype alpine:3.10 # Analyze already-created SPDX SBOM for vulnerabilities (there will likely be none) grype alpine_latest_spdx.json # Analyze CycloneDX SBOM and output results in json format via jq grype alpine_310_cyclonedx.json -o json | jq . # Generate SBOM in Syft’s internal JSON format from a substantial container # published in docker hub. # Feed that SBOM to grype syft nextcloud:latest -o syft-json | grype
- 16. Syft Ecosystem Coverage 16 Alpine (apk) C (conan) C++ (conan) Dart (pubs) Debian (dpkg) Dotnet (deps.json) Objective-C (cocoapods) Elixir (mix) Erlang (rebar3) Go (go.mod, Go binaries) Haskell (cabal, stack) Java (jar, ear, war, par, sar, nar, native-image) JavaScript (npm, yarn) Jenkins Plugins (jpi, hpi) Linux kernel archives (vmlinuz) Linux kernel a (ko) Nix (outputs in /nix/store) PHP (composer) Python (wheel, egg, poetry, requirements.txt) Red Hat (rpm) Ruby (gem) Rust (cargo.lock) Swift (cocoapods, swift-package-manager) Wordpress plugins
- 17. SBOMs in Developer Workflows 17 Where SBOMs fit in Software Development
- 18. The Problem 18 Declared Dependencies Open Source Open Source Open Source Open Source Open Source Open Source Open Source Open Source Software Supplier Open Source Open Source Open Source Software Supplier Open Source Open Source Custom Code Transitive Dependencies Transitive Dependencies Transitive Dependencies Transitive Dependencies Transitive Dependencies Deployed Container Deployed Container Deployed Container Deployed Container Deployed Container Deployed Container Deployed Container Declared Dependencies Declared Dependencies Software Supply Chain Your Application Software complexity is increasing and makes it hard to know what is in your environment. How do you find the next Log4j? Code Build Runtime ? ? ? ? ? ! ! ! ! !
- 21. Practical Examples 21 SBOM Generation, Integration and benefits
- 22. Practical examples 22 Pull Image for analysis Table view shows list of installed packages found per ecosystem
- 23. Practical examples 23 JSON view can show packages with their associated filesystem locations. This helps vulnerability scanners pinpoint locations of vulnerable packages.
- 24. Practical examples 24 An SBOM can also come with a list of cpe, a PURL (Package URL), and ecosystem specific metadata as well as dependencies. These fields can help provide users identifiers that link their software dependencies across other data sets. These data sets are things like vulnerability data, compliance/license information, or internal build data that pinpoints when and where a dependency was added.
- 25. Practical examples 25 While SBOM are not perfect solutions, they can answer questions quickly like: “Find all files in my container that were classified as an ‘executable’”. The picture on the right is an example where the syft json output filtered for files with the `executable` field showing ELF formatted files, their imported libraries, and the security features associated with the binary.
- 26. Practical examples 26 The previous example can go even a step further to find all executables the might be missing a certain security feature a user is looking for in a compliant image. The photo on the right filters to find all executables in the image that do not have stack canaries set to true. Stack canaries or security cookies are tell-tale values added to binaries during compilation to protect critical stack values like the Return Pointer against buffer overflow attacks. If an incorrect canary is detected during certain stages of the execution flow, such as right before a return (RET), the program will be terminated. Their presence makes exploitation of such vulnerabilities more difficult.
- 27. Practical examples 27 SBOMs can also take a “negative” of an image and provide a user a report of things that were not cataloged or found to be a part of any structure/ecosystem. The photos on the right shows and example where we ask the output: “What archives, executables, and other artifacts came back not associated with elements or packages in the final document?”
- 28. Q&A 28
- 29. Summary 29 01 02 03 Industry standards in SBOM creation The importance of accurate tools, generating high quality SBOMs How SBOM generation is integrated into the development workflow 04 Practical reproducible examples
- 30. Next Steps 30 Sign up for SBOM Webinar #2 - Deep dive with Kate Stewart https://tinyurl.com/sbom-2 Learn more about Anchore Enterprise https://anchore.com/platform Visit our GitHub and Discourse github.com/anchore and anchore.com/discourse Learn how Google manage SBOMs at scale https://tinyurl.com/sboms-google