Modern applications rely on open source and third-party software for a majority of their code base. Many of those software building blocks come with vulnerabilities and license risks that organizations must manage to avoid supply chain security incidents that can result in data breaches. Software Bill of Materials (SBOMs) improve supply chain security by maintaining inventories of software components and dependencies used to build and deliver applications.
Deepfactor helps engineering and security teams produce, operationalize, and consume SBOMs at scale as part of the software development lifecycle (SDLC). The Deepfactor portal produces SBOMs in industry-standard formats (SPDX, CycloneDX) and provides a searchable and filterable human-readable interface to help security teams quickly respond to zero day vulnerabilities, developers fix vulnerabilities, and customers verify the supply chain security of their software.
SBOM Security: Top 5 Reasons to Build SBOMs Into Your Pipeline Read the Whitepaper
// Software Bill of Materials:
SBOM Executive Order
As part of U.S. presidential executive order 14028, the National Institute of Standards and Technology (NIST) and Office of Budget and Management (OMB) have issued guidance that requires organizations selling software to the U.S. Government to produce SBOMs for each software product. Deepfactor automatically creates and manages SBOMs as part of the SDLC to improve supply chain security and comply with the June, 2023 deadline set by the U.S. Federal Government.
Read the Executive Order 14028—Improving the Nation’s Cybersecurity >
Read NIST Guidance—Software Supply Chain Security Guidance Under Executive Order 14028 >
// Software Bill of Materials:
Producing SBOMs
Using industry standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a repository, Deepfactor can automatically group multiple software components into a complete application SBOM, while also maintaining the ability to view and download SBOMs at a component level.
// Software Bill of Materials:
Dynamic SBOM
In addition to automatically identifying vulnerable dependencies and packages, Deepfactor also generates a dynamic SBOM. With this, developers can observe—and be alerted on—file usage, code interactions, resource utilization, license violations, and network behavior to avoid compliance violations and protect against supply chain attacks happening after releasing into production.
// Software Bill of Materials:
Runtime Correlation of SBOM Vulnerabilities
Deepfactor not only scans static container images, but also observes running applications in dev/test environments, providing detailed usage information, severity, CVSS scores, and license violations. With this contextual information, developers can simplify triaging —combating “alert fatigue”— accelerate remediation efforts, and even gate builds that don’t satisfy security and licensing policies.
- SBOM Executive Order
// Software Bill of Materials:
SBOM Executive Order
As part of U.S. presidential executive order 14028, the National Institute of Standards and Technology (NIST) and Office of Budget and Management (OMB) have issued guidance that requires organizations selling software to the U.S. Government to produce SBOMs for each software product. Deepfactor automatically creates and manages SBOMs as part of the SDLC to improve supply chain security and comply with the June, 2023 deadline set by the U.S. Federal Government.
- Producing SBOMs
// Software Bill of Materials:
Producing SBOMs
Using industry standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a repository, Deepfactor can automatically group multiple software components into a complete application SBOM, while also maintaining the ability to view and download SBOMs at a component level.
- Dynamic SBOM
// Software Bill of Materials:
Dynamic SBOM
In addition to automatically identifying vulnerable dependencies and packages, Deepfactor also generates a dynamic SBOM. With this, developers can observe—and be alerted on—file usage, code interactions, resource utilization, license violations, and network behavior to avoid compliance violations and protect against supply chain attacks happening after releasing into production.
- Runtime Correlation of SBOM Vulnerabilities
// Software Bill of Materials:
Runtime Correlation of SBOM Vulnerabilities
Deepfactor not only scans static container images, but also observes running applications in dev/test environments, providing detailed usage information, severity, CVSS scores, and license violations. With this contextual information, developers can simplify triaging —combating “alert fatigue”— accelerate remediation efforts, and even gate builds that don’t satisfy security and licensing policies.
Other Use Cases
Supply Chain Security >
DevSecOps >
Cloud Native Application Security Compliance >
Compliance >
