Agile + DevOps East 2022 Concurrent Session: Defuse the Ticking Time Bomb - Create an SBOM With Every Build

Wednesday, November 9, 2022 - 3:00pm to 4:00pm

Defuse the Ticking Time Bomb - Create an SBOM With Every Build

Modern software projects are made up of tens or hundreds of open-source software (OSS) components. While this frees development teams to focus on core business logic, OSS components also bring risk into applications. The Log4Shell and Spring4Shell zero-day vulnerabilities highlighted how important it is to know which versions of which OSS components are in use, and whether those versions have any reported vulnerabilities against them. Without some level of automation, tracking these open-source components is a tedious and error-prone process.

In addition, customers are now asking for a software bill of materials (SBOM) that inventories every component in use so that the safety of those components can be verified. I will describe our journey to move from a manual process to identify and review OSS components and their versions, to a fully automated process that produces an SBOM with every build. Along the way we evaluated both open-source and commercial ways of doing this, and then developed a homegrown solution based on open-source software. I will describe the challenges we faced and how we addressed them in a way that can be applied to your situation.
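As an added illustration of the per-build flow the abstract describes (this is example code written for this page, not the speaker's or Parasoft's solution), the block below turns a flat list of resolved dependencies into a minimal CycloneDX-shaped SBOM and matches each component against an advisory list. The dependency list, the advisory records and their ADV-xxxx identifiers are constructed sample data, and the version comparator handles only simple dotted versions with an optional qualifier; a real pipeline would take the list from the build tool and the advisories from a vulnerability feed.

```python
"""Generate an SBOM for a build and gate on known-vulnerable components.

Added example (not the session's or Parasoft's code). Assumes a build step
that emits resolved Maven coordinates as `group:artifact:version` lines.
"""
import json
import re
import sys
import uuid
from typing import Dict, List, Tuple

# Constructed sample build output; not real output from any project.
RESOLVED_DEPS = """\
org.apache.logging.log4j:log4j-core:2.14.1
org.apache.logging.log4j:log4j-api:2.14.1
org.springframework:spring-beans:5.3.18
com.fasterxml.jackson.core:jackson-databind:2.13.3
"""

# Constructed advisory records shaped like a vulnerability feed. The IDs are
# placeholders and the ranges are illustrative, not authoritative.
ADVISORIES = [
    {"id": "ADV-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "ADV-0002", "group": "org.springframework", "name": "spring-beans",
     "introduced": "5.3.0", "fixed": "5.3.18"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z].*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '2.14.1' or '2.0-beta9' into a sortable key.

    Numeric parts compare numerically, trailing zeros are ignored so that
    2.0 == 2.0.0, and a version with a qualifier (beta, rc) sorts before the
    same numeric version without one. This is not a full Maven comparator.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    qualifier = m.group(2) or ""
    return (nums, 0 if qualifier else 1, qualifier)


def parse_dependencies(text: str) -> List[Dict[str, str]]:
    """Parse `group:artifact:version` lines into CycloneDX component dicts."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, name, version = line.split(":")
        components.append({
            "type": "library",
            "group": group,
            "name": name,
            "version": version,
            # Package URL lets downstream tools match the component unambiguously.
            "purl": f"pkg:maven/{group}/{name}@{version}",
        })
    return components


def build_sbom(components: List[Dict[str, str]], build_id: str) -> Dict:
    """Assemble a minimal CycloneDX 1.4 JSON document for one build."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": "example-app", "version": build_id}},
        "components": components,
    }


def find_vulnerable(sbom: Dict, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report components whose version falls in [introduced, fixed) of an advisory."""
    hits = []
    for comp in sbom["components"]:
        version = parse_version(comp["version"])
        for adv in advisories:
            if (adv["group"], adv["name"]) != (comp["group"], comp["name"]):
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append({"purl": comp["purl"], "advisory": adv["id"],
                             "fixed": adv["fixed"]})
    return hits


def run(deps_text: str, advisories: List[Dict[str, str]], build_id: str):
    """One build's worth of work: SBOM plus the list of vulnerable components."""
    sbom = build_sbom(parse_dependencies(deps_text), build_id)
    return sbom, find_vulnerable(sbom, advisories)


if __name__ == "__main__":
    sbom, hits = run(RESOLVED_DEPS, ADVISORIES, "build-42")
    print(json.dumps(sbom, indent=2))
    for hit in hits:
        print(f"VULNERABLE: {hit['purl']} ({hit['advisory']}, fixed in {hit['fixed']})",
              file=sys.stderr)
    sys.exit(1 if hits else 0)  # fail the build when a known-vulnerable version ships
```

Run as a build step, the script emits the SBOM on stdout and returns a non-zero exit code when any component matches an advisory, which is the point of producing the SBOM with every build rather than on request: the inventory and the check happen before the artifact leaves the pipeline.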

Parasoft

Nathan Jakubiak is Sr. Director of Development at Parasoft. He and his teams develop product capabilities in the areas of API testing (SOAtest), service virtualization (Virtualize), test environment management (CTP), UI testing (Selenic), and static analysis and unit testing (Jtest and C++test). He has been with Parasoft since 2000 and holds multiple patents related to software testing. He oversees product architecture and leads multiple distributed development teams utilizing the agile scrum methodology. Nathan leads his teams to build high-quality, well-architected software solutions with development processes that make sense.