
Document SBOM use cases #3

Open
joshbressers opened this issue Aug 4, 2022 · 4 comments
Comments

@joshbressers
Contributor

TODO: What are the use cases?
Document needs to be fleshed out and structured.
SBOM Use Cases for Security

Kathy Goeschel will take point
Bunny Hernandez
Cameron Banowsky
David Wheeler willing to take a pass at adding in his thoughts.
Ran Dall

@joshbressers
Contributor Author

We need to better define the scope and definitions for these use cases

@mrutkows

This list of SBOM use cases relative to the data needed under CDX was invaluable to me in assessing completeness of SBOMs during SDLC...
https://cyclonedx.org/use-cases/

@hepwori

hepwori commented Aug 17, 2022

This from NTIA is a good SBOM use cases reference which I've found useful: https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf

@anthonyharrison

I wrote a blog post which identified 4 use cases for SBOMs all related to managing risk:

  • SBOMs should form part of your vulnerability management process by using them to scan for vulnerabilities when acquiring software from the supply chain and also understanding your vulnerability posture when releasing software to your users. As vulnerabilities are being discovered continuously, vulnerability scanning of released software should be proactively performed so that your users can be informed of any new vulnerabilities as they are discovered.
  • SBOMs can also be used as part of an integrity checking process for components received from the supply chain as the metadata associated with each component typically includes checksums which are used primarily to protect against accidental corruption. These checksums can be used to validate that the components ‘as received’ are ‘as produced’ by the supplier. Cryptographically strong checksum algorithms may be used to detect deliberate corruption or to confirm the desired version of a component, if multiple versions are available.
  • The continued use of obsolete or no longer supported software is a key risk to any solution, as this increases the potential that vulnerabilities could be exploited. By monitoring the supported versions of components against an SBOM, identification of software which may need additional measures in order to limit the likelihood of compromise can be performed.
  • And finally using SBOMs to ensure that the components are being used in accordance with their licence is still a very important use case to consider as part of the overall risk management associated with the supply chain.
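The four use cases in the comment above, as an added example that is not part of the original issue thread and is not code from the CycloneDX or NTIA projects: a small Python script that reads a CycloneDX-style JSON SBOM and runs one check per use case (advisory matching, SHA-256 integrity verification of received artifacts, minimum-supported-version monitoring, and a license allow-list). The SBOM, the artifact bytes, the advisory list (with a placeholder id), the minimum-supported versions and the allowed licenses are all constructed for the example; only the component/hashes/licenses field layout follows the CycloneDX JSON format.

```python
"""Four SBOM-driven risk checks over a CycloneDX-style JSON document (constructed example)."""
import hashlib
import json
import re


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) for ordering; non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_sbom(text):
    """Return the component list of a CycloneDX-style JSON SBOM (assumed field layout)."""
    return json.loads(text).get("components", [])


def sha256_of(comp):
    """Pick the SHA-256 entry out of a component's hashes list, if present."""
    for h in comp.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h["content"].lower()
    return None


def verify_integrity(components, received):
    """Use case 2: compare the SBOM's SHA-256 against the bytes actually received."""
    results = {}
    for comp in components:
        expected = sha256_of(comp)
        data = received.get(comp["name"])
        if expected is None or data is None:
            results[comp["name"]] = False  # no hash or no artifact: cannot vouch for it
            continue
        results[comp["name"]] = hashlib.sha256(data).hexdigest() == expected
    return results


def find_vulnerable(components, advisories):
    """Use case 1: components older than an advisory's fixed_in version."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def find_unsupported(components, minimum_supported):
    """Use case 3: components below the supplier's minimum supported version."""
    return [c["name"] for c in components
            if c["name"] in minimum_supported
            and parse_version(c["version"]) < parse_version(minimum_supported[c["name"]])]


def find_license_violations(components, allowed):
    """Use case 4: components whose declared license is not on the allow-list."""
    bad = []
    for comp in components:
        ids = {entry.get("license", {}).get("id") for entry in comp.get("licenses", [])}
        if not ids or not ids <= allowed:  # undeclared licenses are flagged too
            bad.append(comp["name"])
    return bad


# Constructed artifacts: the supplier hashed these exact bytes when producing the SBOM.
ALPHA_BYTES = b"libalpha 1.2.3 release archive (constructed)"
BETA_BYTES = b"libbeta 0.9.0 release archive (constructed)"

# Constructed CycloneDX-style SBOM (not any real project's SBOM).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.3",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(ALPHA_BYTES).hexdigest()}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbeta", "version": "0.9.0",
         "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(BETA_BYTES).hexdigest()}],
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# What actually arrived: libbeta's archive differs from what the supplier hashed.
RECEIVED = {"libalpha": ALPHA_BYTES, "libbeta": BETA_BYTES + b"\x00"}
# Constructed advisory feed with a placeholder identifier, not a real CVE.
ADVISORIES = [{"id": "EXAMPLE-ADVISORY-0001", "name": "libalpha", "fixed_in": "1.2.4"}]
MINIMUM_SUPPORTED = {"libalpha": "1.2.0", "libbeta": "1.0.0"}  # constructed policy
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # constructed policy


def run_all(sbom_text=SBOM_JSON):
    """Run all four checks and return their findings keyed by use case."""
    comps = parse_sbom(sbom_text)
    return {
        "vulnerable": find_vulnerable(comps, ADVISORIES),
        "integrity": verify_integrity(comps, RECEIVED),
        "unsupported": find_unsupported(comps, MINIMUM_SUPPORTED),
        "license_violations": find_license_violations(comps, ALLOWED_LICENSES),
    }


if __name__ == "__main__":
    for check, result in run_all().items():
        print(f"{check}: {result}")
```

Each check is deliberately a pure function over the parsed component list so the same SBOM can be re-scanned whenever the advisory feed or support policy changes, which is the point the comment makes about scanning released software continuously rather than once at acquisition.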
