Tip

5 SBOM tools to start securing the software supply chain

Organizations can use these SBOM tools to help secure their software supply chain by understanding the components of their deployed software and applications.

Securing the software supply chain has become increasingly important over the last few years in response to numerous high-profile attacks targeting it, such as Sunburst, Log4j and Heartbleed.

One method growing in popularity is to use a software bill of materials (SBOM). Like a manufacturing-based bill of materials, an SBOM lists all the software components used to create a specific application. SBOMs include the following:

  • A list of all components, including shared objects, libraries and middleware.
  • A description of all licenses used.
  • The current software patch status of all components.

By understanding what is used within deployed software, organizations can quickly find and patch any vulnerabilities in it before malicious actors can take advantage of them.

Many companies offer products to help organizations build their SBOM. The following are five SBOM vendors worth considering.

1. Anchore

Anchore offers proprietary software and open source options for SBOM generation. Smaller organizations can use its two open source tools to help with SBOM generation: Syft, a command-line tool, and Grype, a vulnerability scanning tool. Syft creates an SBOM using container images and file systems, while Grype searches for vulnerabilities within the images and file systems. The tools can be used together within the software development lifecycle (SDLC) and be kept in the same centralized repository. Anchore products support multiple SBOM formats, including CycloneDX and Software Package Data Exchange.

The company also offers Anchore Enterprise for large and enterprise organizations. With this tool, companies can generate SBOMs at each stage in the development process that list every software component, including direct and transitive dependencies.

Anchore Enterprise is available in Team, Business, Ultimate and Ultimate+ tiers. Contact the company for pricing.

2. Fossa

Vulnerability management vendor Fossa offers an open source SBOM tool that can work alongside its vulnerability management product. It enables software developers to get an accurate view of interdependencies among the various code modules and third-party licenses used in the development of a project. Fossa's vulnerability management tool can then be used to detect security vulnerabilities that could be introduced into the SBOM. For example, it limits false positives and detects fake licensing entries. The tool also alerts teams when a breach is detected. The Fossa API connects to a database of open source projects and metadata to offer teams detailed statistics and updates.

One of Fossa's biggest strengths is it is compatible with popular version controls, including GitHub and GitLab.

Fossa is available in three tiers: Free, Business for $52 per month or Enterprise. Contact Fossa for a customized Enterprise quote.

3. Mend.io

Mend.io, formerly WhiteSource, offers SBOM generation capabilities as part of its software composition analysis tool, Mend SCA. The tool helps identify open source libraries in use and documents each component and its dependencies.

The tool's key strengths include an undivided focus on vulnerability remediation, scalability, false positive detection and automatic SBOM updates.

Users can request a free trial. Pricing for Mend SCA Advanced starts at $16,000 per year for 20 software developers; Mend Static Application Security Testing Advanced starts at $16,000 per year for 20 developers; Mend SCA and SAST Advanced start at $24,000 per year for 20 developers; and Mend Premium Package is designed for companies with more than 500 developers. Contact the company for pricing.

4. Rezilion

Rezilion, which caters to DevSecOps teams, offers an SBOM generation tool called Dynamic SBOM. This tool gives software development teams complete visibility into all the software components used in the creation of a project. Teams can ascertain and remediate any vulnerabilities that may occur in the course of the SDLC. Dynamic SBOM also provides the ability for real-time monitoring and updating.

Rezilion offers a free Basic tier, which provides unlimited SBOM generation and limited vulnerability scans and analysis. Premium and Enterprise tiers are also available. Contact the company for pricing.

5. Vigilant Ops

Vigilant Ops' InSight Platform is a SaaS-based SBOM tool designed for healthcare, energy, manufacturing and similar industries. It offers SBOM compliance certification for auditing and keeping SBOMs up to date with component updates, as well as component validation, SBOM management and distribution, and automated vulnerability discovery. With the SBOM tool, teams can also create a component listing for legacy tools.

Vigilant Ops offers a free trial for SBOM generation. Contact the company for InSight Platform pricing.

Dig Deeper on Application and platform security