It has been nearly a year since the President Biden’s Executive Order 14028 catapulted Software Bills of Materials (SBOMs) from niche topic to the forefront of efforts to improve security of cyber supply chains. Since then not only have federal agencies including NIST and CISA delivered significant amounts of guidance and insight, but SBOMs have been the subject of intense debate across developer communities and beyond.

Guest Blog by Daniel Parmenvik – CEO of bytesafe.dev For many, Software Bill of Materials (SBOMs) have changed from a manual list of assets for due diligence procedures to become an integral and automated part of software development. The ever increasing appetite for open-source software translates into a need to keep track of software assets (or open-source dependencies) for all applications, at any given point in time.

Today we make RKVST available for public use with a free access tier so you can discover what a Zero Trust Fabric can do for you. From tracking software supply chain lifecycles to nuclear waste, RKVST is a powerful tool that builds trust in multi-party processes, when it’s critical to have high assurance in data for confident decisions. But before going all the way you can start simple: tracking software releases and contents with SBOMs.

Since President Biden’s Executive Order last spring, the industry has been racing to define, standardise and now produce SBOMs to describe the hundreds of thousands of software products sold to and used by federal government and beyond. So far, little thought has been given to the management of SBOMs in practice. Finding the right SBOMs for all the software an organisation relies upon can already feel like hunting for needles in haystacks.

Jitsuin met Meterian in the NCSC Cyber Runway Accelerator launched in November 2021. What we quickly realized is that automated generation and permissioned sharing of SBOMs would save valuable time in vulnerability discovery and mitigation. So we moved fast to fix things! The integration between Meterian’s Boost Open-Source Software Scanner (BOSS) and Jitsuin’s RKVST SBOM Hub enables software publishers to automatically generate, store and distribute SBOMs in public or private.

The whole point of an SBOM is lost if you keep it a secret. Here we reveal our secrets of the ideal SBOM exchange. Let us know if we’ve missed anything in RKVST SBOM Hub. SBOMs are made for sharing and are the gifts that keep on giving, but only if they get to the right place at the right time to drive the right critical decision. The first critical decision, or moment of truth, is whether to buy a vendor’s product.

The timing of CISA’s SBOM-a-rama today and tomorrow coincides with the fallout from the “vulnerability of the decade” gifting the industry with yet another example of why scaling and operationalizing the widespread use of SBOMs is so vital. Log4Shell is a 10/10 vulnerability in a hugely popular Java logging library – Log4j – used in virtually every online service. For two decades it was considered harmless, that is until last week when somebody found it wasn’t.

Today we’re pleased to announce the RKVST SBOM Hub – the first place to find and fetch SBOMs. RKVST SBOM Hub is a secure, immutable, any-to-any framework that integrates into both publisher and subscriber workflows to massively simplify the effective sharing of SBOMs to help all parties comply with the Executive Order. Try it out for yourself here.

The Presidential Executive Order made it clear that the status quo, where the hidden vulnerabilities in cyber supply chains left doors wide open to attackers, can no longer be allowed to persist. It correctly identified transparency as the key principle to build trust and Software Bills of Material as a critical first step of the solution. But while much of the current debate is focused on how to build SBOMs, further and deeper thinking is needed on how to share them.