Software bills of materials, or SBOMs, have become a hot topic in the past year, especially since May 2021, when White House cybersecurity Executive Order 14028 signaled that vendors selling software to the federal government would need to provide an SBOM listing the software “ingredients” in their products and attest to the security and provenance of those components.
The case for SBOMs became even clearer last December, when a CVSS 10.0 vulnerability was disclosed in Log4j, a widely used Java logging library. As the fallout from the vulnerability the media named Log4Shell continued, the United States Federal Trade Commission issued an alert warning organizations to remediate it quickly or risk fines akin to those Equifax paid (over $600M!) after it was breached through an unpatched Apache Struts vulnerability.
When it comes to generating SBOMs and keeping them current, Tidelift can help. We make it possible for organizations to generate an accurate SBOM and keep it up to date automatically, showing the open source packages and versions your applications actually use. With the Tidelift Subscription in place, future Log4Shell-like vulnerabilities can be identified and remediated quickly.
The Tidelift Subscription also helps shine a light on all the nooks and crannies where an affected component like Log4j might be used within your software supply chain. It tracks both direct and transitive dependencies, which matters because a library like log4j-core is rarely declared directly: it is usually pulled in several levels down by something else you depend on, and an SBOM that lists only direct dependencies will miss it. The result is a much more accurate picture of all of the open source components in use within the organization.
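To make the transitive-dependency point concrete, here is a small example, added to this post and not part of Tidelift's product or tooling, that walks a CycloneDX 1.4 SBOM and reports every dependency path from the application to a log4j-core version in the CVE-2021-44228 range. The SBOM is constructed inline; the `com.example` components are hypothetical, and only the Log4j package URLs name real artifacts. The affected range (2.0-beta9 up to, but not including, 2.15.0) is simplified and ignores the later 2.3.x and 2.12.x backport fixes.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical service. The com.example
# libraries are made up; only the org.apache.logging.log4j purls are real.
APP_REF = "pkg:maven/com.example/billing-service@1.0.0"
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": APP_REF, "name": "billing-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/reporting-lib@3.2.0", "name": "reporting-lib",
         "version": "3.2.0", "purl": "pkg:maven/com.example/reporting-lib@3.2.0"},
        {"bom-ref": "pkg:maven/com.example/http-client@1.4.0", "name": "http-client",
         "version": "1.4.0", "purl": "pkg:maven/com.example/http-client@1.4.0"},
        {"bom-ref": "pkg:maven/com.example/metrics@0.9.0", "name": "metrics",
         "version": "0.9.0", "purl": "pkg:maven/com.example/metrics@0.9.0"},
        {"bom-ref": LOG4J_CORE, "name": "log4j-core", "version": "2.14.1", "purl": LOG4J_CORE},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    ],
    # Dependency graph: the app never declares log4j-core itself; it arrives
    # through reporting-lib, which is reachable both directly and via metrics.
    "dependencies": [
        {"ref": APP_REF, "dependsOn": ["pkg:maven/com.example/reporting-lib@3.2.0",
                                       "pkg:maven/com.example/http-client@1.4.0",
                                       "pkg:maven/com.example/metrics@0.9.0"]},
        {"ref": "pkg:maven/com.example/reporting-lib@3.2.0", "dependsOn": [LOG4J_CORE]},
        {"ref": "pkg:maven/com.example/http-client@1.4.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
        {"ref": "pkg:maven/com.example/metrics@0.9.0",
         "dependsOn": ["pkg:maven/com.example/reporting-lib@3.2.0"]},
    ],
})


def parse_version(v):
    """Turn a Maven-style version into a comparable tuple.

    "2.14.1" -> (2, 14, 1, 1); "2.0-beta9" -> (2, 0, 0, 0, "beta", 9).
    A pre-release marker (0, ...) sorts below the release marker (1,)."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums = nums + (0,) * (3 - len(nums))
    if not pre:
        return nums + (1,)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
    if m is None:
        return nums + (0, pre, 0)
    return nums + (0, m.group(1).lower(), int(m.group(2) or 0))


# Simplified CVE-2021-44228 range for log4j-core: [2.0-beta9, 2.15.0).
# Keyed by purl without the @version part; log4j-api is deliberately absent.
AFFECTED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": (parse_version("2.0-beta9"),
                                                      parse_version("2.15.0")),
}


def purl_base(purl):
    """Strip the @version (and any ?qualifiers) from a package URL."""
    return purl.split("?", 1)[0].split("@", 1)[0]


def is_affected(purl, version):
    rng = AFFECTED.get(purl_base(purl))
    if rng is None:
        return False
    lo, hi = rng
    return lo <= parse_version(version) < hi


def find_affected(sbom_json, root_ref):
    """Return (purl, path) for every dependency path from root to an affected component.

    Enumerates all paths (not just first reachability) so each place a vulnerable
    artifact is pulled in shows up; fine for real BOMs, exponential only in
    pathological graphs."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    hits = []

    def walk(ref, path):
        for dep in graph.get(ref, []):
            if dep in path:  # cycle guard
                continue
            new_path = path + [dep]
            comp = comps.get(dep)
            if comp and is_affected(comp["purl"], comp["version"]):
                hits.append((comp["purl"], " -> ".join(new_path)))
            walk(dep, new_path)

    walk(root_ref, [root_ref])
    return hits


if __name__ == "__main__":
    for purl, path in find_affected(SBOM_JSON, APP_REF):
        print(f"AFFECTED {purl}\n    via {path}")
```

Run against the constructed BOM, this reports log4j-core 2.14.1 twice, once via reporting-lib and once via metrics, and says nothing about log4j-api (the vulnerable code is in log4j-core) or about any patched version. A BOM that listed only the three direct dependencies would have produced no findings at all, which is exactly the blind spot transitive tracking closes.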
In this short video, Tidelift solutions architect Sean Wiley shows how to generate a software bill of materials and keep it up to date using the Tidelift Subscription.