Profile Applicability:
Level 1

Description:
Build and release pipelines must include automated steps to generate a Software Bill of Materials (SBOM) that lists every component, library, and dependency (direct and transitive) included in the software build. The SBOM should be produced in a standard machine-readable format such as SPDX or CycloneDX and be published together with the software release for transparency and security tracking.

Rationale:
Producing an SBOM enhances supply chain security by providing visibility into all software components. It supports vulnerability management, license compliance, and incident response by enabling organizations to understand exactly what is included in their software products.

Impact:
Pros:

  • Increases transparency of software composition.

  • Facilitates vulnerability detection and remediation.

  • Supports regulatory and compliance requirements.

  • Enhances supply chain risk management.

Cons:

  • Adds steps and complexity to build pipelines.

  • Requires maintenance and validation of SBOM generation tools.

Default value:
Many build pipelines do not automatically produce SBOMs, limiting visibility into software components.

Audit:
Review pipeline configurations to confirm that an SBOM generation step runs on every build and that the resulting SBOM is published alongside the release artifacts. Inspect produced SBOMs for completeness (every direct and transitive dependency listed with a name, version, and package identifier such as a purl) and for conformance to the chosen standard (SPDX or CycloneDX), for example by validating them against the standard's schema or with the standard's validation tooling.

Remediation:
Integrate an SBOM generation tool that emits a standard format (SPDX or CycloneDX) into CI/CD pipelines so that an SBOM is produced for every build and attached to the release. Educate development and operations teams on the importance and use of SBOMs.
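The following added example (written for this page, not taken from the benchmark or from any SBOM tool) illustrates both the Remediation step and the Audit step above: it builds a minimal CycloneDX 1.5 JSON SBOM from a pinned Python requirements file and then audits an SBOM for the fields a vulnerability scanner needs. The requirements text, the application name "example-service" and its version are constructed sample input; in a real pipeline a dedicated generator would produce the SBOM and only the audit function would run as a pipeline gate.

```python
"""Generate a minimal CycloneDX 1.5 JSON SBOM from a pinned requirements file and
audit an SBOM for completeness.

Added example, not code from the benchmark or from any SBOM project. The
requirements text below is constructed sample input.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a pinned Python lockfile as produced by `pip freeze`.
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are ignored
requests==2.31.0
urllib3==2.2.1
certifi==2024.2.2
"""

# Matches only exact pins (name==version); unpinned lines are not reproducible
# builds and are deliberately skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text):
    """Return [(name, version)] for every `name==version` pin in the text."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def generate_sbom(requirements_text, app_name, app_version):
    """Build a CycloneDX 1.5 JSON document for the application and its pinned deps."""
    components = [
        {
            "type": "library",
            "name": name,
            "version": version,
            # A Package URL (purl) lets scanners match the component to advisories.
            "purl": f"pkg:pypi/{name}@{version}",
        }
        for name, version in parse_requirements(requirements_text)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            # The root component describes the software the SBOM belongs to.
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": components,
    }


REQUIRED_COMPONENT_FIELDS = ("type", "name", "version", "purl")


def audit_sbom(sbom):
    """Return a list of findings; an empty list means the SBOM passes the audit.

    Checks the declared format and spec version, the presence of the root
    component, and that every listed component carries the fields needed to
    match it against vulnerability data.
    """
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not sbom.get("specVersion"):
        findings.append("specVersion missing")
    if not sbom.get("metadata", {}).get("component"):
        findings.append("metadata.component (the software being described) missing")
    components = sbom.get("components")
    if not components:
        findings.append("no components listed")
        return findings
    for i, comp in enumerate(components):
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"component[{i}] ({comp.get('name', '?')}) missing {field}")
    return findings


if __name__ == "__main__":
    sbom = generate_sbom(SAMPLE_REQUIREMENTS, "example-service", "1.4.2")
    print(json.dumps(sbom, indent=2))
    problems = audit_sbom(sbom)
    print("audit:", "PASS" if not problems else "\n".join(problems))
```

In a pipeline the audit function would run after the generator and fail the build on any finding, so a release cannot ship with an incomplete SBOM. The checks here cover completeness of the component records only; full schema conformance should additionally be verified with the CycloneDX or SPDX validation tooling.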

References:

  1. SPDX Specification: https://spdx.dev/specifications/

  2. CycloneDX Standard: https://cyclonedx.org/

  3. NTIA Software Component Transparency: https://www.ntia.gov/SBOM

  4. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/