By Josh Bressers, Anchore
This month, we present a spotlight on the SBOM Everywhere initiative, housed under the OpenSSF Security Tooling Working Group. The mission of the Security Tooling Working Group is to identify, evaluate, improve, develop & ease deployment of universally-accessible, developer focused tooling to help the open source community secure their code. Most developers are not security experts and even the most seasoned developers, security experts or not, make mistakes. Tools can be used to help weed out security defects allowing developers to focus on the features they want to develop.
The SBOM Everywhere Special Interest Group came from OpenSSF’s Open Source Software Security Mobilization Plan. The SBOM Everywhere SIG focuses on improving SBOM tooling and training to drive adoption.
SBOM, which stands for software bill of materials, is a machine-readable list of software’s internal components. SBOMs have a number of use cases, the most common today is to more easily identify vulnerabilities and understand software supply chains to improve the security of software systems.
Highlights of the Past Few Months
One of the jokes the SBOM Everywhere group has is we don’t want to actually do any work. What we mean by this is we want to empower and encourage open source projects to be self-sufficient. There are millions of open source projects, there’s no way we can help every one of them, we have to find ways to let projects help themselves.
We have some ideas on how to accomplish this, but a huge part of what we are currently doing revolves around understanding the current challenges around using SBOMs. For example, what are the use cases? What are the incentives for open source projects? What tools are available for easily generating SBOMs? What will outreach to open source projects look like?
On the surface these seem like easy questions, but the devil is in the details. Open source isn’t one thing, it’s a huge collection of people and projects, and every single one has their own needs and motivations. We are working very hard to understand the big picture around using and creating SBOMs in open source.
New and Upcoming Initiatives
We have a number of things we hope to see movement on in the near future (and could use some help with, if you’re looking to join the effort). With all the excitement around AI, there are some efforts to catalog the training content for a language model. SPDX and CycloneDX are both working to track this data, so how can we help push that effort forward? We have a need to explore this further since we know this will be important in the near future.
We want to create a landscape for tracking all the SBOM tools, companies, formats, and use cases, similar to how the Cloud Native Computing Foundation (CNCF) has created a great interactive map of the cloud native landscape. The world of SBOM is remarkably large, so it’s very hard to keep track of everything. We expect an industry-supported landscape will help us all navigate the world of SBOMs.
And one of our most ambitious plans is to take the things we are working on now and find a few open source projects to partner with. They will get SBOM generation for their projects and we will learn what is needed to successfully enable SBOM generation in an open source project. This knowledge should allow us to create a playbook for any open source project interested in generating SBOMs. We’ve all seen examples of how different theory and practice is. Much of what we have today is theory, we want to turn it into practice.
Get Involved
We would love to see you involved in the SBOM Everywhere effort. There is a lot of work to do in order to better understand how to bring SBOMs to all of open source. We’re looking for help from all walks of life. Being able to write documentation is just as important as writing code (maybe it’s more important). No matter what skills you may have, there’s a task for you!
Learn more about the SBOM Everywhere SIG and Security Tooling WG, or get involved, on our GitHub page and stay tuned to learn more about the initiatives we are working on! We hold meetings every other Tuesday at 11:05 Eastern, and you are welcome to join our meetings and help with our initiatives.
About the Author
Josh Bressers is Vice President of Security at Anchore. Josh has helped build and manage product security teams for open source projects as well as several organizations. Everything from managing supply chains, vulnerabilities, security development lifecycle, DevSecOps, security product management, security strategy, and nearly any other task that falls under the security umbrella. Josh co-hosts the Open Source Security Podcast and the Hacker History Podcast. He also is the co-founder of the Global Security Database project to bring vulnerability identification into the modern age.