Manage Your Application Risk with Eracent’s SBOM Analysis
An overwhelming majority of commercial and custom applications contain open source code. Typical vulnerability analysis tools do not inspect individual open source components within applications, although any one of these components may contain vulnerabilities or obsolete code that can put you at risk.
In response to ongoing breaches, President Biden issued Executive Order 14028. This order defines security measures that must be followed by any software publisher or developer that does business with the federal government.
The Software Bill of Materials (SBOM)
One of these measures includes providing a Software Bill of Materials – or SBOM – which lists a complete inventory of components that make up a software application. SBOMs follow National Institute of Standards and Technology (NIST) guidelines for consistent content as well as approved human- and machine-readable file formats: SPDX, CycloneDX and SWID.
SBOMs typically contain the following information about applications:
- Open source code
- Proprietary code
- Associated licenses
- Versions in use
- Download locations for components
- Sub-dependencies that the dependencies link to
Eracent’s ICSP Application Risk Management module provides an additional, critical level of protection to minimize software-based security risks. The toolset reads the content of SBOMs and matches each listed component against the most current vulnerability data available, which is constantly updated in Eracent’s IT-Pedia® IT Product Data Library. This process provides instant visibility into any component-level vulnerabilities that need to be mitigated. It also identifies obsolete code that has not been updated recently and may pose a security risk.
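The matching step described above, as an added example that is neither Eracent's code nor the ICSP module's logic: it parses a CycloneDX-style SBOM, compares each component's package URL (purl) and version against an advisory feed, and flags packages whose last release is older than a staleness threshold. The SBOM entries, advisory ids, release dates and the 730-day threshold are all constructed assumptions for the example.

```python
# Added illustration (not Eracent's code): a minimal SBOM analyser that reads
# a CycloneDX-style JSON SBOM, matches each component's package URL (purl)
# against a vulnerability feed, and flags stale packages. All data is constructed.
import json
from datetime import date

# Constructed SBOM; "purl" and "version" are CycloneDX keys, the packages are made up.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3", "purl": "pkg:npm/libfoo@1.2.3"},
    {"type": "library", "name": "oldlib", "version": "0.9.0", "purl": "pkg:pypi/oldlib@0.9.0"},
    {"type": "library", "name": "safelib", "version": "4.0.1", "purl": "pkg:npm/safelib@4.0.1"},
]})

# Constructed feed: versionless purl -> [(placeholder advisory id, fixed-in version)].
VULN_FEED = {"pkg:npm/libfoo": [("ADV-PLACEHOLDER-1", "1.2.5")],
             "pkg:pypi/oldlib": [("ADV-PLACEHOLDER-2", "1.0.0")]}

# Constructed last-release dates, standing in for a product-data lookup.
LAST_RELEASE = {"pkg:npm/libfoo": date(2023, 11, 2), "pkg:pypi/oldlib": date(2018, 3, 14),
                "pkg:npm/safelib": date(2024, 1, 20)}

def parse_version(v):
    """'1.2.3' -> (1, 2, 3) so dotted versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """'pkg:npm/libfoo@1.2.3' -> ('pkg:npm/libfoo', '1.2.3')."""
    base, _, version = purl.rpartition("@")
    return base, version

def analyse_sbom(sbom_json, feed, releases, today, stale_days=730):
    """Return {component name: [findings]} for vulnerable or stale components."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        base, version = split_purl(comp["purl"])
        issues = [f"{adv}: fixed in {fixed}" for adv, fixed in feed.get(base, [])
                  if parse_version(version) < parse_version(fixed)]
        released = releases.get(base)
        if released and (today - released).days > stale_days:
            issues.append(f"stale: last release {released.isoformat()}")
        if issues:
            findings[comp["name"]] = issues
    return findings

def run_example():
    """Analyse the constructed SBOM as of a fixed date so results are reproducible."""
    return analyse_sbom(SBOM_JSON, VULN_FEED, LAST_RELEASE, date(2024, 6, 1))

if __name__ == "__main__":
    print(run_example())
```

A real deployment would replace the constructed feed and release dates with a continuously updated vulnerability and product-data source, and would handle version schemes that are not plain dotted integers.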
Fortify your organization’s security with the additional level of protection provided by SBOM analysis. To learn more about the process and see a demo of the ICSP Application Risk Management module, contact Eracent today.