By Justin Cappos, Marina Moore, Trishank Karthik Kuppusamy, Cole Kennedy, Ian Dunbar-Hall
We’re happy to announce the launch of SBOMit, a tool that adds in-toto attestations to SBOMs (Software Bills of Materials). The SBOMit specification is an SBOM-format-independent method for attesting to a software package’s components with additional verification information. These attestations are generated as the supply chain runs, and the verification information, which uses in-toto layouts, can be validated by a consuming party to gain a high degree of assurance about the software. The project is hosted under the OpenSSF Security Tooling Working Group.
What are SBOMs and SBOMit?
SBOMs (Software Bills of Materials) list the components, akin to ingredients, that constitute a software package. Various formats exist for storing SBOMs, and an SBOM can be signed for additional verification, but neither the format nor the signature offers an inherent way to confirm that all the processes involved in creating the software were properly executed before the final SBOM was generated.
This is where SBOMit comes into play. An SBOMit document is produced from in-toto attestations generated during each step of the software build. It contains cryptographically signed metadata about every step involved in the software’s development, along with a policy (an in-toto layout) that specifies which steps must be performed, by whom, and how the artifacts of one step feed into the next. An SBOM in any preferred format can then be derived from the SBOMit document, and it references the original SBOMit document from which it was created, so a consumer can trace the list of components back to the signed evidence. This approach significantly reduces the risk of accidental errors, such as skipping steps (a common historical issue), and makes it more difficult for malicious actions to go undetected. By utilizing in-toto attestations, SBOMit enhances the ability to detect and thwart malicious activities within an organization and to recover securely from compromises.
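To make the verification model concrete, here is an added toy example (not SBOMit or in-toto project code) of a two-step supply chain, build then package, checked against a layout. The layout, the functionary keys, the artifact digests and the link metadata are all constructed for this illustration; signatures use HMAC-SHA256 with shared secrets as a stand-in for in-toto’s asymmetric signatures, and the “MATCH”/“CREATE” rules are a simplified form of in-toto’s artifact rules. The verifier fails closed when a step has no link, when a signature is wrong, or when the packager consumed a binary that differs from what the builder produced, which is exactly the class of skipped or tampered steps described above.

```python
"""Toy in-toto-style verification of a build -> package supply chain.

Added example, not SBOMit or in-toto project code. Keys, digests and the
layout below are constructed; HMAC-SHA256 with shared keys stands in for
in-toto's asymmetric signatures (assumption: verifier knows each key).
"""
import hashlib
import hmac
import json

# Constructed functionary keys: one per role, known to the verifier.
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding so that signing and verifying see the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> dict:
    return {"signed": payload, "sig": hmac.new(key, canonical(payload), "sha256").hexdigest()}


def verify_sig(key: bytes, envelope: dict) -> bool:
    expected = hmac.new(key, canonical(envelope["signed"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, envelope["sig"])


# Layout (policy): which steps must run, who may sign them, how artifacts flow.
# "MATCH app.bin FROM build" means: what 'package' consumed must equal what
# 'build' produced; "CREATE x" means the step must output x.
LAYOUT = {
    "steps": [
        {"name": "build", "functionary": "builder",
         "expected_products": [["CREATE", "app.bin"]]},
        {"name": "package", "functionary": "packager",
         "expected_materials": [["MATCH", "app.bin", "FROM", "build"]],
         "expected_products": [["CREATE", "app.tar"]]},
    ]
}


def make_link(step: str, materials: dict, products: dict) -> dict:
    # Link metadata: what a step consumed (materials) and emitted (products).
    return {"step": step, "materials": materials, "products": products}


def verify(layout: dict, links: dict):
    """Check every layout step has a correctly signed, consistent link.

    links maps step name -> signed envelope. Returns (ok, reason).
    """
    products_by_step = {}
    for step in layout["steps"]:
        name = step["name"]
        if name not in links:
            return False, f"step '{name}' has no link metadata (step skipped?)"
        env = links[name]
        if not verify_sig(KEYS[step["functionary"]], env):
            return False, f"bad signature on step '{name}'"
        link = env["signed"]
        if link["step"] != name:
            return False, f"link for '{name}' claims to be step '{link['step']}'"
        for rule in step.get("expected_materials", []):
            if rule[0] == "MATCH":
                _, artifact, _, source = rule
                got = link["materials"].get(artifact)
                want = products_by_step.get(source, {}).get(artifact)
                if got is None or got != want:
                    return False, f"'{artifact}' consumed by '{name}' does not match what '{source}' produced"
        for rule in step.get("expected_products", []):
            if rule[0] == "CREATE" and rule[1] not in link["products"]:
                return False, f"step '{name}' did not produce '{rule[1]}'"
        products_by_step[name] = link["products"]
    return True, "all steps present, signed and consistent"


def derive_sbom(layout: dict, links: dict) -> dict:
    """Minimal SBOM-like view: final-step products plus a back-reference
    (digest) to the attestation set it was derived from."""
    final = layout["steps"][-1]["name"]
    products = links[final]["signed"]["products"]
    return {
        "components": [{"name": n, "sha256": d} for n, d in sorted(products.items())],
        "sbomit_ref": sha256(canonical(links)),
    }


def demo():
    """Run the verifier over a good chain, a chain with a skipped step,
    and a chain where the packager consumed a substituted binary."""
    app = sha256(b"constructed binary")
    tar = sha256(b"constructed tarball")
    links = {
        "build": sign(KEYS["builder"], make_link("build", {}, {"app.bin": app})),
        "package": sign(KEYS["packager"], make_link("package", {"app.bin": app}, {"app.tar": tar})),
    }
    good = verify(LAYOUT, links)
    skipped = verify(LAYOUT, {"package": links["package"]})
    bad_app = sha256(b"backdoored binary")
    tampered = dict(links)
    tampered["package"] = sign(KEYS["packager"], make_link("package", {"app.bin": bad_app}, {"app.tar": tar}))
    tampered_result = verify(LAYOUT, tampered)
    return good, skipped, tampered_result, derive_sbom(LAYOUT, links)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point of the “MATCH” rule is that the packager’s own signature is valid in the tampered case; only cross-checking its declared inputs against the builder’s declared outputs exposes the substitution. A signed SBOM alone carries no such per-step evidence.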
Next Steps and Get Involved
The SBOMit specification is available on GitHub, and we invite contributions. Our next steps include onboarding new stakeholders, reaching out to early adopters, and collaborating with stakeholders to finalize the SBOMit Phase 1 specification; for details, please refer to our roadmap. Our meeting notes are available, and we hold weekly meetings every Wednesday; please join us if you are interested in SBOMit.
About the Authors
Justin Cappos is a professor in the Computer Science and Engineering department at New York University. Justin’s research philosophy focuses on improving real world systems, often by addressing issues that arise in practical deployments.
Marina Moore is a PhD candidate at NYU focusing on supply chain security. While at NYU she has worked primarily on secure software updates through research and development on TUF and Uptane.
Trishank Karthik Kuppusamy is a PhD graduate of the NYU Tandon School of Engineering where he worked with Prof. Justin Cappos on software update security. He led the specification for Uptane, which aims to secure software updates for automobiles. He also worked on improving the security and efficiency of The Update Framework (TUF), a predecessor to Uptane, which is being integrated by Haskell, OCaml, Ruby, Rust, and Python, and is being used in production by LEAP, Flynn, VMware, DigitalOcean, Cloudflare, CoreOS, and Docker.
Cole Kennedy is a Founder and the CEO of TestifySec. He has contributed to the CNCF Supply Chain Security Best Practices Paper, The Cloud Native Security Best Practices Paper, The CNCF Secure Software Factory Reference Architecture, and is an inventor of a patent to enable zero-trust in grid edge systems (utility power systems).
Ian Dunbar-Hall is Chief Engineer for Lockheed Martin Software Factory and specializes in DevSecOps and Cloud Native Computing. He is responsible for the technical direction of repeatable development processes and tooling that is leveraged across the company to expedite software delivery. He has been with Lockheed Martin for 15 years and spent the early years of his career as a flight software engineer focused on safety-critical and navigation software. Over the past 7 years, a desire to improve developer tooling led to launching modern enterprise-wide services for CM and CI. Ian has a B.S. in Computer Engineering from U.C. Santa Cruz and an M.S. in Mechanical Engineering from U.C. Los Angeles.