The software supply chain has been in the news of late, and not for good reasons. Security incidents that have made headlines and led to costly damages have brought a lot of attention to this area. Perhaps the most noteworthy recent example of a supply-chain vulnerability is the Log4Shell flaw in Apache Log4j (CVE-2021-44228), disclosed in December 2021. Log4j is a widely used Java logging library; because so many applications embed it as a dependency, a single flaw in it was inherited by a huge number of products whose own code was never at fault.
The idea of using a software bill of materials (SBOM), a list of all the components in a given piece of software, is catching on with organizations, according to a new survey from Ponemon Institute and Rezilion. But producing an SBOM in and of itself does not guarantee success. Organizations need to move toward dynamic SBOMs that are generated and updated automatically in order to provide much greater value.
In recent months there has been a lot of discussion around the importance of Software Bills of Materials (SBOM) and the Vulnerability Exploitability eXchange (VEX) when it comes to managing software vulnerabilities. An SBOM states which components are present; a VEX states whether known vulnerabilities in those components are actually exploitable in the product that ships them. Organizations can combine the two to get a more contextualized view of the actual risk present in their environment. In this blog post, we examine how SBOM and VEX do not need to be two separate artifacts.
A software bill of materials – or SBOM – plays an important role in providing much-needed visibility into the details of software components and the supply chain. As an SBOM is developed, it should adhere to a format or standard that defines a unified structure for how it will be generated and shared with customers.
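The two blurbs above make related points: a VEX can live inside the SBOM rather than beside it, and an SBOM is only useful if it follows a defined structure. The following added example (written for this page, not code from the original posts or from Rezilion) shows both on a single CycloneDX-style document: it checks the few fields an SBOM consumer cannot do without, then reads the embedded `vulnerabilities` entries with their `analysis.state` to split findings into actionable and suppressed. The JSON document, component names, package URLs and `EXAMPLE-000n` vulnerability ids are constructed placeholders, and the field layout is a simplified subset of CycloneDX 1.4 assumed for illustration.

```python
"""Triage vulnerabilities using VEX analysis embedded in a CycloneDX-style SBOM."""
import json

# Constructed sample document (illustrative only): a simplified CycloneDX 1.4
# layout with two components and five vulnerability records. The package
# names, versions and EXAMPLE-000n ids are placeholders, not real findings.
SAMPLE_SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/logging@2.14.1",
     "name": "logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/logging@2.14.1"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/http-client@4.5.0",
     "name": "http-client", "version": "4.5.0",
     "purl": "pkg:maven/org.example/http-client@4.5.0"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "affects": [{"ref": "pkg:maven/org.example/logging@2.14.1"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:maven/org.example/http-client@4.5.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-0003",
     "affects": [{"ref": "pkg:maven/org.example/http-client@4.5.0"}]},
    {"id": "EXAMPLE-0004",
     "affects": [{"ref": "pkg:maven/org.example/logging@2.14.1"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-0005",
     "affects": [{"ref": "pkg:maven/org.example/missing@1.0"}],
     "analysis": {"state": "exploitable"}}
  ]
}
"""

# Analysis states that take a finding off the action list. The names follow
# the CycloneDX analysis vocabulary; "in_triage" and "exploitable" stay open.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def parse_sbom(text):
    """Parse the SBOM document from its JSON text."""
    return json.loads(text)


def validate_sbom(doc):
    """Return a list of structural problems; an empty list means the document is usable."""
    errors = []
    if doc.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be CycloneDX")
    if not doc.get("specVersion"):
        errors.append("specVersion missing")
    seen_refs = set()
    for comp in doc.get("components", []):
        for field in ("name", "version"):
            if not comp.get(field):
                errors.append(f"component missing {field}: {comp}")
        ref = comp.get("bom-ref")
        if ref in seen_refs:
            errors.append(f"duplicate bom-ref {ref}")
        seen_refs.add(ref)
    return errors


def triage(doc):
    """Join embedded vulnerability records to components and apply their VEX state."""
    known_refs = {c.get("bom-ref") for c in doc.get("components", [])}
    actionable, suppressed, dangling = [], [], []
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "unknown")      # no analysis -> treat as open
        justification = analysis.get("justification")
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref not in known_refs:
                # A VEX statement about a component the SBOM does not list is a
                # data-quality problem, not a finding to suppress.
                dangling.append((vuln["id"], ref))
                continue
            record = (vuln["id"], ref, state, justification)
            # Conservative rule (this example's choice): "not_affected" only
            # counts when a justification is given; otherwise keep it open.
            if state in SUPPRESSING_STATES and (state != "not_affected" or justification):
                suppressed.append(record)
            else:
                actionable.append(record)
    return {"actionable": actionable, "suppressed": suppressed, "dangling": dangling}


def load_and_triage(text):
    """Validate first, then triage; refuse to report on a malformed SBOM."""
    doc = parse_sbom(text)
    errors = validate_sbom(doc)
    if errors:
        raise ValueError("; ".join(errors))
    return triage(doc)


if __name__ == "__main__":
    result = load_and_triage(SAMPLE_SBOM_JSON)
    for bucket, rows in result.items():
        print(bucket, rows)
```

Run on the sample, the action list keeps the explicitly exploitable record, the record with no analysis at all, and the `not_affected` record that carries no justification; only the `not_affected` record with `code_not_reachable` is suppressed, and the statement about an unlisted component is reported separately. Requiring a justification before honoring `not_affected` is this example's own rule rather than something the CycloneDX schema enforces, and whether to adopt it is a policy decision for the consumer of the document.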