New Tool Launched by Open Source Security Foundation and US Government to Simplify Software Bill of Materials Management

The Open Source Security Foundation (OpenSSF) has partnered with the US government to introduce a new tool aimed at streamlining the management of Software Bills of Materials (SBOMs) for organizations.

Named Protobom, this open source software tool will facilitate the reading and generation of SBOMs and file data for all organizations. It will also help translate this data across standard industry SBOM formats.

Protobom can be integrated into applications that connect SBOM information with external records of vulnerabilities and severity information from trusted sources. This will enable system administrators and software development communities to access information on available patches and mitigations for specific software components.

Offering seamless interoperability across commercial and open source applications, Protobom is capable of accessing, reading, and translating SBOMs in various data formats.

The tool addresses the challenge of multiple SBOM data formats and identification schemes that hinder organizations from adopting SBOMs, according to OpenSSF, a non-profit forum focused on enhancing open source software security.
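The three capabilities described above (reading SBOMs in different formats, translating between them, and joining components to an external vulnerability record) come down to one design idea: a format-neutral in-memory model keyed on a stable component identifier. The script below is an added illustration of that idea, not Protobom's own code or API; it assumes the two common industry formats, CycloneDX JSON and SPDX JSON, uses the package URL (purl) as the cross-format identifier, and works on constructed sample data (the vulnerability feed entry "EXAMPLE-2024-0001" is a placeholder, not a real advisory).

```python
"""Format-neutral SBOM model (illustrative, not Protobom's implementation):
read CycloneDX or SPDX JSON, emit either, and join to a vulnerability feed."""
from __future__ import annotations
import json
from dataclasses import dataclass, field


@dataclass
class Node:
    """One software component, identified by purl when available."""
    id: str
    name: str
    version: str
    purl: str | None
    licenses: list[str] = field(default_factory=list)


@dataclass
class Document:
    nodes: list[Node]


def from_cyclonedx(doc: dict) -> Document:
    nodes = []
    for c in doc.get("components", []):
        lic = [l["license"]["id"] for l in c.get("licenses", [])
               if "id" in l.get("license", {})]
        purl = c.get("purl")
        nodes.append(Node(id=purl or c.get("bom-ref", c["name"]), name=c["name"],
                          version=c.get("version", ""), purl=purl, licenses=lic))
    return Document(nodes)


def from_spdx(doc: dict) -> Document:
    nodes = []
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        declared = p.get("licenseDeclared")
        lic = [declared] if declared not in (None, "NOASSERTION") else []
        nodes.append(Node(id=purl or p["SPDXID"], name=p["name"],
                          version=p.get("versionInfo", ""), purl=purl, licenses=lic))
    return Document(nodes)


def load(text: str) -> Document:
    """Detect the format from its top-level marker field and parse it."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return from_cyclonedx(doc)
    if "spdxVersion" in doc:
        return from_spdx(doc)
    raise ValueError("unrecognized SBOM format")


def to_cyclonedx(d: Document) -> dict:
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "bom-ref": n.id, "name": n.name, "version": n.version,
         **({"purl": n.purl} if n.purl else {}),
         "licenses": [{"license": {"id": l}} for l in n.licenses]} for n in d.nodes]}


def to_spdx(d: Document) -> dict:
    pkgs = []
    for i, n in enumerate(d.nodes):
        refs = ([{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                  "referenceLocator": n.purl}] if n.purl else [])
        pkgs.append({"SPDXID": f"SPDXRef-Package-{i}", "name": n.name,
                     "versionInfo": n.version,
                     "licenseDeclared": n.licenses[0] if n.licenses else "NOASSERTION",
                     "externalRefs": refs})
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": pkgs}


def match_vulns(d: Document, feed: list[dict]) -> dict[str, list[str]]:
    """Join components to feed entries on purl; returns {component id: [advisory ids]}."""
    hits: dict[str, list[str]] = {}
    for v in feed:
        for n in d.nodes:
            if n.purl and n.purl == v["purl"]:
                hits.setdefault(n.id, []).append(v["id"])
    return hits


# Constructed sample input: a two-component CycloneDX SBOM.
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/libfoo@1.2.3", "name": "libfoo",
     "version": "1.2.3", "purl": "pkg:maven/org.example/libfoo@1.2.3",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:npm/bar@4.0.0", "name": "bar",
     "version": "4.0.0", "purl": "pkg:npm/bar@4.0.0"}]})

# Constructed vulnerability feed; the advisory id is a placeholder, not a real record.
VULN_FEED = [{"id": "EXAMPLE-2024-0001", "purl": "pkg:npm/bar@4.0.0", "fixed_in": "4.0.1"}]


def round_trip_purls(text: str) -> list[str | None]:
    """CycloneDX -> neutral model -> SPDX -> neutral model; purls must survive."""
    spdx_text = json.dumps(to_spdx(load(text)))
    return [n.purl for n in load(spdx_text).nodes]


if __name__ == "__main__":
    print(json.dumps(to_spdx(load(CDX_SAMPLE)), indent=2))
    print(match_vulns(load(CDX_SAMPLE), VULN_FEED))
```

The translation is lossy in the direction any real converter is (a CycloneDX component with several licenses collapses to one `licenseDeclared` here), which is exactly why a shared intermediate model with a stable identifier matters more than any single output format: the vulnerability join is done against the model, so it gives the same answer whichever format the SBOM arrived in.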

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) collaborated with OpenSSF to fund a group of startups in developing Protobom.

Omkhar Arasaratnam, General Manager of OpenSSF, emphasized the importance of Protobom in simplifying SBOM creation and aiding organizations in managing the risk of their open source dependencies. He highlighted the need for collaboration between the public and private sectors as well as the community to enhance open source software security.

SBOMs have gained traction in recent years as they provide transparency around software components, licenses, and code dependencies within an organization. They help identify vulnerabilities and security issues, especially following notable software supply chain incidents such as SolarWinds in 2020, Kaseya in 2021, Log4j in 2022, and MOVEit in 2023.

President Joe Biden issued an Executive Order in May 2021 mandating SBOM requirements for software suppliers to federal agencies. Additionally, in October 2023, three US government agencies proposed rules for federal contractors mandating the development and maintenance of SBOMs for software used in contracts.

The US National Cybersecurity Strategy unveiled in March 2023 aims to promote the wider adoption of SBOMs nationwide, advancing the principle of security by design.

Allan Friedman, CISA Senior Advisor and Strategist, praised Protobom’s interoperability capabilities as a significant step towards a more transparent software-driven world. He emphasized the role of SBOMs in mitigating cybersecurity risks posed by software vulnerabilities and enhancing the response to emerging threats.

About the Author

Fabio, Full Stack Developer

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.