There are already so many words and concepts in information security: why do we need another one? And indeed ‘attestation’ is already used in several industry contexts with many subtly different meanings: what do we gain by overloading it?

Regulatory demands now make an SBOM an essential in any organization. The Biden Administration released a memo in September 2022 that directs federal agencies to adopt guidelines from the National Institute of Standards and Technology (NIST) for securing software used by the federal government and attest to its security.

Attacks targeting the software supply chain are on the rise. Indeed, data from the Mend Open Source Risk Report shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which jumped 79 percent from Q2. The European Cybersecurity Agency (ENISA) predicts that supply chain attacks will increase fourfold by 2022.

2022 was the year of the rise of the SBOM. This time of year, we take a look back at the havoc wreaked by breaches–that occurred in 2021 and earlier. The fallout from SolarWinds and Kaseya cyberattacks continued into 2022, which poignantly illustrated how vulnerable the software supply chain is. The Log4j open-source vulnerability at the end of 2021 further illuminated the need for visibility around hard-to-find flaws.

On December 8th, Clinton Herget and Simon Maple, Field CTOs at Snyk, had the opportunity to chat with Corey Quinn, Chief Cloud Economist at The Duckbill Group, podcast host, curator of “Last Week in AWS”, and snarky Twitter personality. Their conversation took a lot of fun turns, from ranting about the hour-long line to get coffee at AWS re:Invent, to Corey proclaiming that “SBOMs are a fantasy” (there’s more context to that… keep reading).

Red Hat OpenShift is an enterprise Kubernetes container platform. It lets you build Docker images and use them to deploy your applications on a cloud-like environment (even if it’s not really on the cloud, rather a simulated cloud environment). Images built in OpenShift can be easily pushed into JFrog Artifactory – JFrog’s leading universal repository manager.

That’s an excerpt from the fact sheet accompanying the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO). It refers to one of seven ambitious measures in the EO: shoring up security of that notorious playground for hackers, the software supply chain. Knowing that organizations lack visibility into the components that comprise their connected assets, bad actors can have a field day exploiting vulnerabilities to penetrate networks and take control.

With an average of 500 components in an application, it’s difficult to know what’s in your software. The right security tools and expertise are here to help. A software Bill of Materials (SBOM) is an inventory of what makes up a software application: the “ingredients list” of everything in it. There’s pressure today for companies to make SBOM information available, and it has implications for who is liable when there are issues in the software.

PA Consulting recently joined forces with RKVST to host a Hackathon, looking to identify new and innovative propositions for digital supply chains. Could the teams of PA consultants and analysts identify opportunities to help their clients using RKVST technology? Short answer: YES! Many of today’s business challenges can be addressed with a reliable evidence ledger. If you want the long answer, read on.