Software Bill of Materials (SBOM)

Modern applications rely on open source and third-party software for a majority of their code base. Many of those software building blocks come with vulnerabilities and license risks that organizations must manage to avoid supply chain security incidents that can result in data breaches. Software Bill of Materials (SBOMs) improve supply chain security by maintaining inventories of software components and dependencies used to build and deliver applications.

Deepfactor helps engineering and security teams produce, operationalize, and consume SBOMs at scale as part of the software development lifecycle (SDLC). The Deepfactor portal produces SBOMs in industry-standard formats (SPDX, CycloneDX) and provides a searchable and filterable human-readable interface to help security teams quickly respond to zero day vulnerabilities, developers fix vulnerabilities, and customers verify the supply chain security of their software.

Read the Whitepaper: SBOM Security: Top 5 Reasons to Build SBOMs Into Your Pipeline >

// Software Bill of Materials:

SBOM Executive Order

As part of U.S. presidential Executive Order 14028, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) have issued guidance that requires organizations selling software to the U.S. Government to produce an SBOM for each software product. Deepfactor automatically creates and manages SBOMs as part of the SDLC to improve supply chain security and comply with the June 2023 deadline set by the U.S. Federal Government.

Read the Executive Order 14028—Improving the Nation’s Cybersecurity >

Read NIST Guidance—Software Supply Chain Security Guidance Under Executive Order 14028 >

Read the OMB Memorandum—Enhancing the Security of Software Supply Through Security Software Development Practices >


Producing SBOMs

Using industry standard CycloneDX and SPDX machine-readable formats, Deepfactor can automatically generate SBOMs when software builds are checked into code repositories. Unlike traditional tools that scan a repository, Deepfactor can automatically group multiple software components into a complete application SBOM, while also maintaining the ability to view and download SBOMs at a component level.

Watch the On-Demand Webinar: Integrating SBOMs into Your SDLC By the Biden Executive Order June Deadline >

Read the Blog: Deepfactor 3.2 Adds SBOM and Runtime Correlation for SCA To Help Customers Improve Supply Chain Security >


Dynamic SBOM

In addition to automatically identifying vulnerable dependencies and packages, Deepfactor also generates a dynamic SBOM. With this, developers can observe—and be alerted on—file usage, code interactions, resource utilization, license violations, and network behavior to avoid compliance violations and protect against supply chain attacks happening after releasing into production.

Watch this short Deepfactor demo video >


Runtime Correlation of SBOM Vulnerabilities

Deepfactor not only scans static container images, but also observes running applications in dev/test environments, providing detailed usage information, severity, CVSS scores, and license violations. With this contextual information, developers can simplify triage (combating “alert fatigue”), accelerate remediation efforts, and even gate builds that don’t satisfy security and licensing policies.

Watch this short Deepfactor demo video >
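The two steps described above, grouping component-level SBOMs into one application SBOM and then gating a build on licensing, severity and runtime usage, can be shown end to end in a few dozen lines. The script below is an added example, not Deepfactor code or its API: the SBOM documents use CycloneDX 1.4 JSON field names but are trimmed, constructed samples, the vulnerability ids are placeholders rather than real CVE numbers, and the set of packages "observed at runtime" is likewise constructed to stand in for what a runtime observer would report.

```python
"""Group component-level CycloneDX SBOMs into one application SBOM, then gate
the build on license policy, vulnerability severity and runtime usage.

Added example: the SBOM documents and the runtime observation set below are
constructed for illustration; they are not Deepfactor output or its API."""
import json

WIDGET = "pkg:npm/widget-router@1.2.3"
TLS = "pkg:npm/tls-helper@0.9.0"
REPORT = "pkg:pypi/report-gen@2.0.0"


def _lib(name, version, purl, license_id):
    return {"type": "library", "name": name, "version": version, "purl": purl,
            "licenses": [{"license": {"id": license_id}}]}


# Constructed component SBOMs (CycloneDX 1.4 JSON shape, trimmed to the fields used).
API_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "api"}},
    "components": [_lib("widget-router", "1.2.3", WIDGET, "MIT"),
                   _lib("tls-helper", "0.9.0", TLS, "MIT")],
    # Placeholder vulnerability ids, not real CVE numbers.
    "vulnerabilities": [{"id": "VULN-0001", "ratings": [{"severity": "critical"}],
                         "affects": [{"ref": TLS}]}],
}
WORKER_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "worker"}},
    "components": [_lib("widget-router", "1.2.3", WIDGET, "MIT"),  # shared with api
                   _lib("report-gen", "2.0.0", REPORT, "GPL-3.0-only")],
    "vulnerabilities": [{"id": "VULN-0002", "ratings": [{"severity": "low"}],
                         "affects": [{"ref": WIDGET}]}],
}

SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}


def merge_sboms(app_name, component_sboms):
    """Group component SBOMs into one application SBOM.

    Components are deduplicated by package URL (purl) and vulnerability records
    by id, so a library shared by two services is listed and reported once."""
    components, vulns, seen_purls, seen_vulns = [], [], set(), set()
    for sbom in component_sboms:
        for comp in sbom.get("components", []):
            if comp["purl"] not in seen_purls:
                seen_purls.add(comp["purl"])
                components.append(comp)
        for vuln in sbom.get("vulnerabilities", []):
            if vuln["id"] not in seen_vulns:
                seen_vulns.add(vuln["id"])
                vulns.append(vuln)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"type": "application", "name": app_name}},
            "components": components, "vulnerabilities": vulns}


def evaluate_policy(sbom, denied_licenses, max_severity, runtime_loaded=None):
    """Return one finding per policy hit.

    - A component under a denied license always blocks.
    - A vulnerability rated above max_severity blocks only if the affected
      component was observed loaded at runtime (runtime_loaded is a set of
      purls). With no runtime data (None) every component is assumed loaded,
      so the gate falls back to the purely static result."""
    findings = []
    for comp in sbom.get("components", []):
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in denied_licenses:
                findings.append({"purl": comp["purl"], "kind": "license",
                                 "detail": lic, "blocking": True})
    threshold = SEVERITY_RANK[max_severity]
    for vuln in sbom.get("vulnerabilities", []):
        severity = max((SEVERITY_RANK.get(r.get("severity", "unknown"), 0)
                        for r in vuln.get("ratings", [])), default=0)
        for affected in vuln.get("affects", []):
            purl = affected["ref"]
            loaded = True if runtime_loaded is None else purl in runtime_loaded
            findings.append({"purl": purl, "kind": "vulnerability",
                             "detail": vuln["id"], "severity": severity,
                             "loaded_at_runtime": loaded,
                             "blocking": severity > threshold and loaded})
    return findings


def gate_build(findings):
    """True when the build may proceed, i.e. no finding is blocking."""
    return not any(f["blocking"] for f in findings)


if __name__ == "__main__":
    app = merge_sboms("storefront", [API_SBOM, WORKER_SBOM])
    print(json.dumps(app, indent=2))
    # Constructed runtime observation: only widget-router was seen loaded in dev/test.
    results = evaluate_policy(app, {"GPL-3.0-only"}, "medium", runtime_loaded={WIDGET})
    for finding in results:
        print(finding)
    print("build allowed:", gate_build(results))
```

With the sample data the GPL-3.0-only component blocks outright, the critical finding on tls-helper is reported but does not block because that package was never observed loaded, and the low finding on widget-router is below the threshold. Passing `runtime_loaded=None` shows the conservative fallback: without runtime evidence the critical finding blocks as well.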


Other Use Cases

Supply Chain Security >

DevSecOps >

Cloud Native Application Security Compliance >

Compliance >

On-Demand Webinar:

Integrating SBOMs into Your SDLC By the Biden Executive Order June Deadline

Whitepaper:

SBOM Security: Top 5 Reasons to Build SBOMs Into Your Pipeline

News

Deepfactor Integrates SBOM Production, Operations, and Consumption to Help Businesses Comply with Supply Chain Security Executive Order Deadline