Sonatype launches SBOM Manager to enhance software security
Sonatype has announced the general availability of its Software Bill of Materials (SBOM) Manager product.
An SBOM is a machine-readable inventory of the components that make up a piece of software, including their versions, origins and licences. Its security value is that it lets an organisation answer quickly which applications contain a given component when a vulnerability is disclosed, and it supports compliance with regulatory requirements. An SBOM does not by itself prevent a breach; it makes the affected software findable so that it can be remediated.
The new product provides development, security, and compliance teams with tools to manage both first- and third-party SBOMs efficiently. "We are at a watershed moment where the healthcare ecosystem is becoming increasingly interconnected," said Smit Patel, Associate Program Director at the Digital Medicine Society (DiMe). "SBOMs are important and now part of overall FDA requirements for compliance, especially in healthcare, which has such a complex software supply chain. Products must be cyber secure, and companies need to think about the regulatory strategy as part of their overall business strategy, allowing companies to continue to innovate."
Sonatype's SBOM Manager aims to streamline and automate the SBOM lifecycle: requesting SBOMs from suppliers, auditing them, distributing them to customers and regulators, and monitoring them for new risks. It acts as a centralised system of record intended to help organisations keep up with emerging software security regulations and standards, including those from the US federal government, the EU, the FDA and the PCI Security Standards Council.
United States Executive Order 14028 set off a series of SBOM-focused regulatory efforts aimed at evaluating the security of software. The NTIA's Minimum Elements for an SBOM and NIST's Secure Software Development Framework (SSDF, SP 800-218) define baseline criteria, and the FDA now requires an SBOM in premarket submissions for "cyber devices" (medical devices that run software and can connect to the internet), rather than for every medical device. Internationally, the EU's Digital Operational Resilience Act (DORA), Cyber Resilience Act (CRA) and NIS2 Directive, along with PCI DSS 4.0, impose SBOM-related software supply chain requirements such as maintaining an inventory of third-party components.
Mitchell Johnson, Chief Product Development Officer at Sonatype, stated, "The reality of financial ramifications, and in some cases criminal liability, for non-compliance with current and new regulations, is driving organisations to adopt SBOMs at a rapid pace. SCA is not enough. To properly adhere to these regulations you need clear visibility into which components are impacted by a vulnerability and remediation tracking across all in-house and third-party applications with that component. This can amount to proactively managing upwards of thousands, if not millions, of SBOMs."
Johnson further explained, "SBOMs are a crucial first step in software supply chain management. Without SBOMs, it is nearly impossible and incredibly time-consuming to pinpoint and resolve critical vulnerabilities, like Log4j, and malware risks across all software versions and third-party tools. With a single source to manage your SBOMs, you can proactively identify affected software and quickly remediate issues with industry-leading data, not just fast, but smart."
He added, "We have seen first-hand the incredible impact SBOM Manager has had not only on helping companies prepare for emerging regulations, but also to enhance their development productivity and security posture with continuous monitoring and protection throughout the life of an organisation's full portfolio of applications."
The enterprise-grade SBOM solution provides a system of record with flexible deployment options: SaaS, self-hosted, or Sonatype Air-Gapped Environment. The features of SBOM Manager include:
- Audit SBOMs: Simplifies compliance, identifies risks, and informs vendor negotiations through a searchable, scalable database. Supports detailed searches across all SBOMs for specific components and vulnerabilities, and reports on application risk across every SBOM in the portfolio against organisational policy.
- Distribute SBOMs: Meets regulatory and compliance requirements by documenting the security status of shipped software. Embeds Vulnerability Exploitability eXchange (VEX) information in SBOMs, so that consumers can see whether a listed vulnerability is actually exploitable in the product, supports rules that scale and automate VEX publication, and exports SBOMs in industry-standard formats.
- Continuously Monitor SBOMs: Monitors first-party and third-party SBOMs for newly disclosed vulnerabilities and malware risks using Sonatype's component intelligence. Ingests SBOMs from the release pipeline so that current and past software versions are covered and changes between versions can be tracked over time. Supports searches across all applications when a new vulnerability, including a zero-day, emerges, so that affected customers can be informed.
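The portfolio-wide component search and VEX annotation described in the Audit and Distribute bullets, reduced to their essentials in an added Python example (this is not Sonatype's code). The three CycloneDX 1.5 SBOMs, the application names and the Log4Shell version rule are constructed for illustration; the rule is deliberately simplified (it treats everything below 2.15.0 as affected and so would also flag the 2.12.2 Java 7 backport fix), and a real check must use the advisory's full version data.

```python
"""Index CycloneDX SBOMs across a portfolio, find every application carrying an
affected component version, and attach a VEX analysis to the affected SBOM.
Added example; sample SBOMs and the version rule are constructed."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    app: str
    group: str
    name: str
    version: str
    bom_ref: str


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(v):
    """Sortable key: numeric parts with trailing zeros dropped (2.0 == 2.0.0),
    then 0 for a pre-release such as 2.0-beta9 (sorts below 2.0) or 1 for a release."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    return (nums, 0 if m.group(2) else 1)


def load_sbom(app, text):
    """Parse one CycloneDX JSON SBOM into Components tagged with the owning application."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"{app}: not a CycloneDX document")
    return [Component(app, c.get("group", ""), c["name"], c["version"],
                      c.get("bom-ref") or c.get("purl", ""))
            for c in bom.get("components", [])]


def build_index(sboms):
    """Index every component in the portfolio by (group, name), so a new advisory
    becomes a single lookup rather than a scan of each SBOM."""
    index = {}
    for app, text in sboms.items():
        for comp in load_sbom(app, text):
            index.setdefault((comp.group, comp.name), []).append(comp)
    return index


def find_affected(index, group, name, introduced, fixed):
    """Components whose version lies in [introduced, fixed). Matching on group AND
    name matters: log4j-api shares the group but is not affected by Log4Shell."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return [c for c in index.get((group, name), []) if lo <= parse_version(c.version) < hi]


def vex_entry(cve, affected, state, detail, justification=None, response=None):
    """CycloneDX 'vulnerabilities' entry carrying a VEX analysis. Valid states include
    exploitable, not_affected, in_triage, resolved; not_affected needs a justification."""
    analysis = {"state": state, "detail": detail}
    if justification:
        analysis["justification"] = justification
    if response:
        analysis["response"] = response
    return {"id": cve, "affects": [{"ref": c.bom_ref} for c in affected], "analysis": analysis}


def attach_vex(sbom_text, entry):
    """Return the SBOM as a dict with the VEX entry appended to its vulnerabilities list."""
    bom = json.loads(sbom_text)
    bom.setdefault("vulnerabilities", []).append(entry)
    return bom


def _cdx(components):
    """Constructed CycloneDX 1.5 JSON document from (group, name, version) tuples."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
                       "components": [{"type": "library", "group": g, "name": n, "version": v,
                                       "purl": f"pkg:maven/{g}/{n}@{v}",
                                       "bom-ref": f"pkg:maven/{g}/{n}@{v}"}
                                      for g, n, v in components]})


# Constructed portfolio: three applications, each with its own SBOM.
SBOMS = {
    "payments-api": _cdx([("org.apache.logging.log4j", "log4j-core", "2.14.1"),
                          ("org.apache.logging.log4j", "log4j-api", "2.14.1"),
                          ("com.fasterxml.jackson.core", "jackson-databind", "2.13.0")]),
    "reporting-batch": _cdx([("org.apache.logging.log4j", "log4j-core", "2.17.1")]),
    "inventory-web": _cdx([("ch.qos.logback", "logback-classic", "1.2.11")]),
}

# Simplified Log4Shell rule for illustration only; use the advisory's full range data in practice.
LOG4SHELL = ("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0")

if __name__ == "__main__":
    cve, group, name, introduced, fixed = LOG4SHELL
    hits = find_affected(build_index(SBOMS), group, name, introduced, fixed)
    for c in hits:
        print(f"{c.app}: {c.group}:{c.name}@{c.version}")
    entry = vex_entry(cve, hits, "exploitable", "Upgrade log4j-core to 2.17.1", response=["update"])
    print(json.dumps(attach_vex(SBOMS["payments-api"], entry), indent=2))
```

Run as a script it lists payments-api as the only affected application and prints that SBOM with the VEX entry added; reporting-batch is skipped because 2.17.1 is past the fix, and log4j-api and logback never match because the lookup is on the exact (group, name) pair.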