Thursday, June 20, 2024

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs

Software DevelopmentOpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs


A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom.

The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). 

Protobom allows companies to read software bill of materials (SBOM) data, create their own SBOMs, and translate SBOMs into different standard formats. 

According to OpenSSF, there are many SBOM formats and schemas out there, which can be challenging for companies. The goal of the new project is to provide a “format-neutral data layer on top of the standards that lets applications work seamlessly with any kind of SBOM.”

OpenSSF also explained that by integrating Protobom into applications that link SBOM and vulnerability information, organizations will be able to more quickly access the necessary patches and mitigations to keep their software supply chains safe. 

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, senior advisor and strategist at CISA. “Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world.”

Omkhar Arasaratnam, general manager of OpenSSF, added: “Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission.”

Check out our other content

Check out other tags:

Most Popular Articles