Getting started with Software Supply Chain security and SBOMs

Getting started with Software Supply Chain security and SBOMs is a guide to methodically strengthening an organization's security posture using SBOMs. We recommend a step-by-step approach, progressively enhancing defenses in the order laid out in this guide.

Implementing a robust SBOM workflow helps organizations support and adhere to frameworks such as NIST SP 800-161r1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations) and ISO 27001, and helps with identifying, evaluating, and mitigating risks throughout the software supply chain.

This guide aims to equip your organization, regardless of its current security maturity level, with the knowledge and tools necessary to implement strong software supply chain security. From foundational practices to advanced strategies, we'll guide you through integrating SBOMs into your DevSecOps processes.

Getting started with SBOMs using a practical step-by-step approach

Step-by-step guide

Step 1: Creating an Inventory of Critical Assets

The first step is to identify and prioritize key software assets, often termed "crown jewels", which are vital to the operational continuity and security of the organization. Read more

Step 2: Producing SBOMs for your own Applications and Libraries

Once the critical asset inventory is compiled, this step shows how to generate an SBOM for your own applications and libraries using freely available tools. Read more

Step 3: Vendor and supplier SBOMs

Vulnerabilities in third-party components can expose your organization to risk. This chapter covers managing third-party ICT risk, and the risk from other external services and products, using externally sourced SBOMs. Read more

Step 4: Analyzing Findings and Vulnerabilities

With a comprehensive inventory of software assets and SBOMs in hand, you are well-positioned to dive into the critical process of vulnerability analysis. In this step we cover the process of translating the transparency gained from SBOMs into actionable insights. Read more

Step 5: Shifting Left and Prioritization

Managing risk early in the software development lifecycle (SDLC), commonly referred to as "shifting left", coupled with risk-based prioritization, ensures that security is a fundamental component of the development process rather than an afterthought. Read more

Step 6: Defining Policies and Acceptable Risk Levels

Establishing clear security policies and determining acceptable risk levels are crucial components of a robust cybersecurity risk management strategy. By crafting well-articulated policies, organizations can ensure their security practices are in harmony with their overarching security goals. Read more

Step 7: Continuous Monitoring and Improvement

In the realm of cybersecurity, vigilance is not a one-time effort but a continuous process. This chapter discusses the strategies for implementing continuous vulnerability management and the methodologies for measuring and enhancing the security posture over time. Read more

Step 8: Sharing SBOMs with Customers and Regulatory Entities

Sharing SBOMs with customers and regulatory entities is a crucial step in the cybersecurity maturity journey. It not only enhances transparency and builds trust with customers but also ensures that organizations remain compliant with regulatory requirements. Read more
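The following Python script is an added example, not part of this guide or of any tool it references. It ties Steps 1, 4 and 6 together: it parses a constructed CycloneDX JSON SBOM, matches the components against a constructed vulnerability list (the `EXAMPLE-*` identifiers are placeholders, not real advisories), raises the priority of findings in an asset listed as a crown jewel, and fails the run when any finding exceeds a policy threshold. The SBOM contents, the vulnerability records, the `payments-api` asset name and the `triage` function are all assumptions made for illustration.

```python
"""SBOM triage walk-through (added example): parse a CycloneDX JSON SBOM,
match its components against vulnerability records, prioritise findings by
severity and asset criticality, and evaluate them against a policy threshold.
All data below is constructed for illustration and comes from no real tool,
feed or advisory."""
import json

# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application",
                             "name": "payments-api", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.5",
     "purl": "pkg:pypi/urllib3@1.26.5?extension=whl"},
    {"type": "library", "name": "pyyaml", "version": "6.0.1",
     "purl": "pkg:pypi/pyyaml@6.0.1"}
  ]
}"""

# Constructed vulnerability records keyed by purl without version/qualifiers.
# In practice these come from a feed such as OSV or the NVD; the IDs here
# are placeholders, not real advisories.
VULN_DB = {
    "pkg:pypi/requests": [
        {"id": "EXAMPLE-0001", "severity": "HIGH",
         "affected": ["2.25.1", "2.26.0"], "fixed": "2.27.0"},
    ],
    "pkg:pypi/urllib3": [
        {"id": "EXAMPLE-0002", "severity": "CRITICAL",
         "affected": ["1.26.5"], "fixed": "1.26.6"},
        {"id": "EXAMPLE-0003", "severity": "LOW",
         "affected": ["1.26.5"], "fixed": "1.26.7"},
    ],
}

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def split_purl(purl):
    """Split a purl into (type/namespace/name, version), dropping any
    '?qualifiers' and '#subpath' so lookups key on the bare package."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def parse_components(sbom_json):
    """Return the parsed BOM and the components that carry a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom, [c for c in bom.get("components", []) if c.get("purl")]


def find_vulnerabilities(components, vuln_db):
    """Exact-version match of each component against the records."""
    findings = []
    for comp in components:
        base, version = split_purl(comp["purl"])
        for vuln in vuln_db.get(base, []):
            if version in vuln["affected"]:
                findings.append({"component": comp["name"], "version": version,
                                 "id": vuln["id"], "severity": vuln["severity"],
                                 "fixed": vuln["fixed"]})
    return findings


def triage(sbom_json, vuln_db, crown_jewels, max_allowed="MEDIUM"):
    """Steps 1, 4 and 6 together: bump priority for crown-jewel assets,
    sort findings, and fail the policy if anything exceeds max_allowed."""
    bom, components = parse_components(sbom_json)
    asset = bom["metadata"]["component"]["name"]
    is_crown = asset in crown_jewels
    findings = find_vulnerabilities(components, vuln_db)
    for f in findings:
        # One extra level of urgency for crown-jewel assets (Step 1 input).
        f["priority"] = SEVERITY_RANK[f["severity"]] + (1 if is_crown else 0)
    findings.sort(key=lambda f: f["priority"], reverse=True)
    limit = SEVERITY_RANK[max_allowed]
    violations = [f for f in findings if f["priority"] > limit]
    return {"asset": asset, "crown_jewel": is_crown, "findings": findings,
            "violations": violations, "passed": not violations}


if __name__ == "__main__":
    report = triage(SBOM_JSON, VULN_DB, crown_jewels={"payments-api"},
                    max_allowed="HIGH")
    for f in report["findings"]:
        print(f"{f['id']:13} {f['severity']:8} prio={f['priority']} "
              f"{f['component']}@{f['version']} -> fix {f['fixed']}")
    print("policy passed:", report["passed"],
          f"({len(report['violations'])} above threshold)")
```

Two simplifications to be aware of before reusing this shape: matching is exact-version, whereas real advisories express affected ranges, so a production check should use a version-range library appropriate to the ecosystem (for PyPI, `packaging.specifiers`); and the lookup keys on the bare purl, so namespace and case normalisation must match whatever feed you query.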

Start reading: Step 1: Creating an Inventory of Critical Assets

Use cases