Cybeats Technologies Corp (Cybeats) has announced that Unisys, Cybeats, Ceritas, DeltaDAO and the National Manufacturing Institute of Scotland (NMIS) have launched a supply chain intelligence project to develop a common framework for ensuring transparency and consistency across industries.
Cybeats is a cybersecurity company providing Software Bill of Materials (SBOM) management and software supply chain intelligence technology to help organizations manage risk and secure their software. This week’s announcement aims to ultimately improve the efficacy of commercial security solutions like Cybeats’ SBOM Studio, a solution that helps organizations understand and track third-party components that are an integral part of their software.
An SBOM is a list of all the open source and third-party components present in a codebase. In addition, an SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, all of which help security teams identify any associated security or license risks. The idea of an SBOM comes from manufacturing, where a Bill of Materials is an inventory detailing all of the items included in a specific product.
According to a report from Synopsys, in 2021 there were several high-profile security breaches caused by supply chain attacks. These types of attacks prompted U.S. President Biden to issue a cybersecurity executive order detailing guidelines for how federal departments, agencies, and contractors working with the government must secure their software. One of the recommendations included a requirement for an SBOM, which was added to ensure the safety and integrity of software applications used by the federal government in the U.S.
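To make the description above concrete, here is an added example (not code from the article, from Cybeats, or from SBOM Studio) that reads a small SBOM and flags the security and license risks such an inventory is meant to surface. The SBOM is a constructed sample in a simplified, CycloneDX-like JSON shape; the advisory entries (`ADVISORIES`) and the license policy (`REVIEW_LICENSES`) are assumptions made for this example, not real advisories.

```python
"""Minimal SBOM risk triage (added example; not Cybeats or DBoM code).

The SBOM below is a constructed sample in a simplified, CycloneDX-like
JSON shape. The advisory feed and the license policy are assumptions
made for this example only.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM: component name, version, license, patch status.
SAMPLE_SBOM_JSON = """
{
  "components": [
    {"name": "libexample-http", "version": "2.4.1",  "license": "Apache-2.0",   "patched": true},
    {"name": "zlib-compat",     "version": "1.2.11", "license": "Zlib",         "patched": false},
    {"name": "crypto-utils",    "version": "0.9.3",  "license": "GPL-3.0-only", "patched": true},
    {"name": "json-parse",      "version": "3.1.0",  "license": "MIT",          "patched": true}
  ]
}
"""

# Constructed advisory feed (hypothetical entries): name -> first fixed version.
# Any installed version below "fixed_in" is treated as affected.
ADVISORIES: Dict[str, str] = {
    "zlib-compat": "1.2.12",
    "crypto-utils": "0.9.3",
}

# Assumed license policy: copyleft licenses need review before shipping.
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically.

    Comparing the raw strings would be wrong: '1.2.11' < '1.2.9' as text.
    """
    return tuple(int(part) for part in v.split("."))


def load_sbom(text: str) -> List[dict]:
    """Extract the component list from the JSON document."""
    return json.loads(text)["components"]


def assess(components: List[dict]) -> List[dict]:
    """Return one finding per component that carries a security or license risk."""
    findings = []
    for c in components:
        reasons = []
        fixed_in = ADVISORIES.get(c["name"])
        if fixed_in and parse_version(c["version"]) < parse_version(fixed_in):
            reasons.append(f"vulnerable: {c['version']} is below fixed version {fixed_in}")
        if not c.get("patched", False):
            reasons.append("patch status: unpatched")
        if c["license"] in REVIEW_LICENSES:
            reasons.append(f"license review required: {c['license']}")
        if reasons:
            findings.append({"name": c["name"], "version": c["version"], "reasons": reasons})
    return findings


def risky_component_names(text: str = SAMPLE_SBOM_JSON) -> List[str]:
    """Names of components with at least one finding, in SBOM order."""
    return [f["name"] for f in assess(load_sbom(text))]


if __name__ == "__main__":
    for f in assess(load_sbom(SAMPLE_SBOM_JSON)):
        print(f"{f['name']} {f['version']}: " + "; ".join(f["reasons"]))
```

Run against the sample, the script reports `zlib-compat` (below the fixed version and unpatched) and `crypto-utils` (at the fixed version, so not vulnerable, but its license needs review); the numeric version comparison is what keeps `1.2.11` from being misjudged as older than `1.2.9`.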
In addition to the Cybeats announcement, the Linux Foundation, a nonprofit organization focused on fostering innovation through open source, also announced the launch of the Digital Bill of Materials (DBoM) Project, which will see collaboration from leading supply chain intelligence and security organizations including Unisys, Cybeats, Ceritas, DeltaDAO and the NMIS. The DBoM Project’s mission is to provide an open ecosystem for policy-enforced data source and attestation sharing, and the foundation said this founding group brings together the expertise, scale, and skill diversity required.
“The security and efficiency benefits of emerging supply chain intelligence such as Software Bill of Materials (SBOM) are driving the requirement for open source attestation sharing ecosystems like the one that the Linux Foundation Digital Bill of Materials (DBoM) Project represents,” said Chris Blask, vice president of strategy at Cybeats. “Cybeats is proud to join the Linux Foundation and such reputable organizations as represented in this release in pursuing this important project and looks forward to contributing to the security of global supply chains.”
Every individual and organization has been impacted by supply chain operations over the past few years due to pandemic-related disruptions, the Cybeats announcement reported. Reliable and standardized methods of sharing intelligence, like SBOMs, have become a critical issue in recent years. The DBoM open attestation infrastructure will provide a valuable means of storing and sharing these attestations between supply chain partners, Cybeats said.
It also noted that, in 2019, members of the Unisys Innovation team created the DBoM structure to allow supply chain partners to attest to agreed-upon supply chain data. The nature of supply chains warranted that this type of structure would best serve the industry as open source with the use of open standards. The DBoM Node code was also released as open source in December 2020 on GitHub.
The DBoM Project aims to accelerate activities to support its mission, which includes growing the community of DBoM coders, collaborating on proofs of concept for broader use cases, establishing labs, and hosting working groups.
“DBoM is the solution that the critical infrastructure sector needs; it provides uniformity and transparency in a cyberwarfare world where both are in short supply,” said John Taplett, co-founder of Ceritas, a member of the DBoM project. “Solutions that scale are the only solutions that matter, and in DBoM, the market has created its own peer-to-peer mechanism. One of the most vital parts of the DBoM peer-to-peer standardization is its market and consortium origin; you can regulate to compliance, but only a market-generated solution can ensure cybersecurity.”