The OWASP Foundation, in collaboration with Singapore’s Cyber Security Agency (CSA), has issued an advisory focusing on the use of Software Bill of Materials (SBOM) to enhance vulnerability management in open-source and third-party software dependencies. This advisory emphasizes the adoption of OWASP CycloneDX, a standardized SBOM format ratified by Ecma International as ECMA-424, and highlights the joint efforts among OWASP, Ecma International, and CSA to promote this approach. The advisory also introduces OWASP Dependency-Track as the primary platform for consuming and analyzing SBOMs, providing developers with practical tools and examples to integrate this process into their workflows.
The integration of open-source software (OSS) into development projects brings significant cybersecurity challenges, particularly from vulnerabilities in third-party dependencies. High-profile incidents such as Log4j and Heartbleed illustrate the risk: during the Log4j incident many organizations could not tell which of their systems were affected because they lacked visibility into their software components, and Heartbleed, a flaw in the OpenSSL library, was exploited to steal millions of medical records. The advisory cites studies showing that an average software project contains approximately 69 dependencies and more than five critical vulnerabilities, so a developer who does not know what an application is built from is exposed to breaches they cannot see coming.
This advisory targets software developers who incorporate OSS and third-party dependencies, recognizing that while many are aware of cybersecurity risks, they often lack sufficient guidance or resources to enforce robust security practices during software creation and deployment. It proposes a sustainable, automated approach to vulnerability management by utilizing SBOM combined with real-time vulnerability monitoring, which can greatly improve the efficiency and effectiveness of managing software risks.
Managing OSS dependencies by hand is labor-intensive and error-prone: developers must scour complex codebases to find vulnerable components, which delays remediation. An SBOM is a structured, machine-readable record of the components that make up a piece of software, giving visibility into what is actually shipped. That transparency lets developers pinpoint and address vulnerable components quickly, reducing technical debt and future remediation effort. By integrating SBOM tooling into continuous integration and continuous deployment (CI/CD) pipelines, organizations can automate SBOM generation, signing, and alerting, so that newly disclosed vulnerabilities in already-shipped components are detected as they emerge rather than at the next manual audit.
An SBOM also gives development, security operations, and incident response teams a common inventory to work from, which improves vulnerability management across the organization and shortens response times. This shared view reduces operational complexity and supports proactive risk mitigation without slowing development. Generating the SBOM on every build ensures that vulnerability awareness keeps pace with changing components, so newly discovered threats can be acted on immediately.
The advisory outlines a three-step approach to vulnerability management with SBOMs. First is tool selection: the chosen tool must accurately identify all software components and dependencies, including transitive (indirect) ones, and integrate with CI/CD pipelines such as GitHub Actions or GitLab CI/CD. Second is generating and signing the SBOM in a recognized format such as CycloneDX or SPDX, establishing authenticity and traceability through cryptographic signing and publication to a transparency log so that the SBOM a consumer receives can be verified against what the producer signed. Third is proactive vulnerability management: publishing the SBOM to a secure repository or directly to a platform such as OWASP Dependency-Track, which ingests it and continuously re-evaluates the listed components against vulnerability databases, so a component that was clean at build time still raises an alert when a new advisory is published.
Developers should keep in mind that an SBOM is only as complete as the manifest and lock files the build produces; less common languages, or ecosystems without a package manifest, reduce detection accuracy. For SaaS and closed-source software, requesting SBOMs from the third-party provider is essential, or alternatively using runtime or binary-analysis SBOM tools to capture dynamically loaded components or compiled binaries. When a vulnerability is found in a third-party component, developers must notify the provider so it can be remediated. It is equally important to verify whether each detected vulnerability is actually exploitable in context, for example by recording exploitability decisions in a VEX (Vulnerability Exploitability eXchange) document, which CycloneDX supports natively, so that teams are not overwhelmed with false positives and can focus remediation where it matters.
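The following is an added example, not code from the advisory or from the CycloneDX or Dependency-Track projects, that walks through the three steps above and the exploitability caveat on a constructed CycloneDX 1.5 JSON SBOM. The "shop-api" application and the "acme-utils" library are fictitious; the CVE identifiers are real and are paired with versions they actually affect, but the dependency graph and the VEX analysis states are invented for illustration. It walks the SBOM's dependency graph to separate direct from transitive components (what a good generator must capture), computes the SHA-256 digest over the exact bytes that a signer such as cosign would sign, builds the body for Dependency-Track's `PUT /api/v1/bom` upload, and then triages the SBOM's embedded vulnerability entries, dropping those whose VEX `analysis.state` closes them:

```python
import base64
import hashlib
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON SBOM. "shop-api" and "acme-utils" are fictitious;
# the CVEs are real and matched to affected versions, but the dependency graph and
# the VEX analysis states are invented for this example.
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
UTILS = "pkg:maven/com.example/acme-utils@1.4.0"
SNAKEYAML = "pkg:maven/org.yaml/snakeyaml@1.33"

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "shop-api",
                               "version": "2.1.0", "bom-ref": "shop-api"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1", "bom-ref": LOG4J, "purl": LOG4J},
        {"type": "library", "name": "acme-utils", "version": "1.4.0", "bom-ref": UTILS, "purl": UTILS},
        {"type": "library", "name": "snakeyaml", "version": "1.33", "bom-ref": SNAKEYAML, "purl": SNAKEYAML},
    ],
    "dependencies": [
        {"ref": "shop-api", "dependsOn": [LOG4J, UTILS]},
        {"ref": UTILS, "dependsOn": [SNAKEYAML]},   # snakeyaml is transitive
        {"ref": LOG4J, "dependsOn": []},
        {"ref": SNAKEYAML, "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": LOG4J}], "analysis": {"state": "exploitable"}},
        {"id": "CVE-2021-45046", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": LOG4J}], "analysis": {"state": "in_triage"}},
        {"id": "CVE-2022-1471", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": SNAKEYAML}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    ],
}, indent=2)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "none": 5, "unknown": 6}
# analysis.state values from the CycloneDX VEX enumeration that mean "no action needed"
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_sbom(sbom_text: str) -> dict:
    """Parse the SBOM and check it really is a CycloneDX document before trusting its contents."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def dependency_depth(sbom: dict) -> dict:
    """Breadth-first walk of the dependencies graph from the root component.
    Depth 1 = direct dependency, depth > 1 = transitive (indirect) dependency."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def sbom_digest(sbom_text: str) -> str:
    """SHA-256 over the exact bytes that get signed (e.g. by `cosign sign-blob`) and uploaded;
    any later change to the file, even whitespace, changes this value and breaks verification."""
    return hashlib.sha256(sbom_text.encode("utf-8")).hexdigest()


def dependency_track_payload(sbom_text: str, project: str, version: str) -> dict:
    """Request body for Dependency-Track's PUT /api/v1/bom: the BOM travels base64-encoded,
    and autoCreate lets the pipeline register a new project/version on first upload."""
    return {
        "projectName": project,
        "projectVersion": version,
        "autoCreate": True,
        "bom": base64.b64encode(sbom_text.encode("utf-8")).decode("ascii"),
    }


def triage(sbom: dict) -> list:
    """Return actionable findings: skip entries whose VEX state closes them, then rank by
    severity and by how directly the affected component is pulled in."""
    depth = dependency_depth(sbom)
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state in CLOSED_STATES:
            continue
        # worst rating wins; an unrated entry sorts last rather than being dropped
        severity = min((r.get("severity", "unknown") for r in vuln.get("ratings", [])),
                       key=lambda s: SEVERITY_RANK.get(s, 6), default="unknown")
        for affected in vuln.get("affects", []):
            ref = affected["ref"]
            findings.append({"id": vuln["id"], "component": names.get(ref, ref), "severity": severity,
                             "state": state, "depth": depth.get(ref, 99)})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 6), f["depth"], f["id"]))
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    print("sha256 to sign:", sbom_digest(SBOM_JSON))
    print("upload payload keys:", sorted(dependency_track_payload(SBOM_JSON, "shop-api", "2.1.0")))
    for f in triage(sbom):
        kind = "direct" if f["depth"] == 1 else "transitive"
        print(f"{f['id']} {f['severity']:8} {f['component']} ({kind}) state={f['state']}")
```

In a real pipeline the SBOM text would come from a generator such as `cyclonedx-cli` or `syft` rather than a literal, the digest would be signed with `cosign sign-blob` (which records the signature in the Sigstore transparency log), and the payload would be sent with an `X-Api-Key` header to Dependency-Track. The triage step shows the false-positive caveat in practice: CVE-2022-1471 is critical on paper, but its `not_affected` VEX state with a `code_not_reachable` justification keeps it out of the work queue, while the two unresolved log4j-core findings on a direct dependency stay at the top.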