With Bytesafe and RKVST SBOM Hub
Guest Blog by Daniel Parmenvik – CEO of bytesafe.dev
For many, a Software Bill of Materials (SBOM) has changed from a manually maintained list of assets for due-diligence procedures to an integral, automated part of software development.
The ever-increasing appetite for open-source software translates into a need to keep track of software assets (open-source dependencies) for all applications, at any given point in time. Together with new external requirements, chiefly President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028) of May 2021, this gave organizations in all parts of the world a much-needed push to finally take action and keep an up-to-date software inventory.
The industry responded with a variety of open-source and proprietary solutions to meet the need for SBOMs. All well and good, but some nuances were overlooked in the process. The primary stakeholders for SBOMs, security and compliance teams, are often left out in the cold by overly complicated and technical tooling tied to SBOM generation. For many, this created new barriers instead of the intended transparency.
Fortunately, there is an easier way that does not require a computer science degree to create the SBOMs you need: get a unified view of the code you depend on, identify risks and remediate faster with Bytesafe.
End-to-end security that protects before harm is done
Bytesafe takes a unique approach, combining identification of open-source risk with security mechanisms that prevent harm before it is done.
The Dependency Firewall provides users with a secure source for all the proprietary and open-source packages your organization depends on – together with support for groundbreaking security policies that turn your company policies into actions.
Combined with Software Composition Analysis (SCA) and SBOM generation directly from Git repositories, identification of open source assets and risks is only a few clicks away.
The end result: A secure software supply chain – a necessity for any modern company.
In times of ransomware, and with advanced supply chain attacks up 650% in 2021, there is simply no alternative, unless you are willing to accept that risk and expose your company to it.
Security is a team effort
Security in Bytesafe is not hidden behind complex tooling; instead, security insights are transparent and accessible to developers, SecOps and business stakeholders alike. Software Composition Analysis of Git code repositories is a perfect example.
Bytesafe analyzes projects and creates SBOMs from the files already in your Git code repositories. There is no need to install any additional tools; all you need is the location of the Git repository and read access to it. Once the initial setup is complete, every action is managed through the UI.
Using Bytesafe to generate SBOMs, users get a range of benefits:
- Automatic identification of components: code repositories can contain many different modules and programming languages, each with its own software composition.
- One tool, multiple programming languages: no need to switch between tools to identify software assets of different types. Bytesafe automatically identifies the different parts of your projects and provides SBOMs for JavaScript, Java, .NET and Golang.
- Track assets over time: in software development, many of us focus on what is in front of us at the moment. In reality, users need to keep track of every software asset in their organization, all the time, for new as well as older projects.
- Results and metrics at a glance in a clean UI: complex and unreadable information is the bane of compliance. Make sure the right stakeholder gets access to the right metrics.
Create and share your SBOMs today
So you are ready to generate an SBOM file and distribute it? Good news: getting started is easy, and you can create your first SBOM, ready for distribution and sharing, in minutes. First, create your own Bytesafe workspace. Signing up and getting started is free.
Second, add the Git repository you want the software composition for. Use either the URL of a public or private Git repository (providing credentials if it is private) or the GitHub integration.
The first scan starts automatically. Bytesafe identifies the applicable components and software assets from the existing project files in the repository.
The final step is to click Download SBOM to get your file: a structured list of the parts of that piece of software, whether an individual component or the whole repository.
Sharing is caring with RKVST SBOM Hub
SBOMs from Bytesafe are JSON files in the CycloneDX format, which RKVST accepts out of the box.
The next step is to publish the SBOM file to RKVST for storage and distribution. Fortunately, this is as easy as creating it, and it can be done manually or automated with common tooling.
Assuming you have an existing RKVST account and API token (otherwise see the getting started guide here), it is a matter of POSTing the SBOM file, giving the filename and the SBOM type, in a single command. Replace {TOKEN} with your token and treat it as a credential: read it from an environment variable rather than typing it into a shell whose history is shared.
curl -X POST -H "Authorization: Bearer {TOKEN}" -F "sbom=@bytesafe_sbom_file.json" "https://sbom.rkvst.io/archivist/v1/sboms?sbomType=cyclonedx-json"
You are done! The SBOM, a complete list of software assets, has gone from code in your Git repository, to generation in Bytesafe, to private or public sharing in RKVST in a matter of minutes.