CISA, DHS S&T and OpenSSF announce the global launch of the Software Supply Chain Open Source Project


The Protobom project enables easy creation and translation of software bill of materials (SBOMs)

WASHINGTON, April 16, 2024 (GLOBE NEWSWIRE) — Open Source Security Foundation (OpenSSF), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Science and Technology (S&T) Administration of the Department of Homeland Security (DHS), today announced the launch and availability of Protobom, a new and innovative open source software supply chain tool. Protobom enables all organizations, including system administrators and software development communities, to read and generate software bill of materials (SBOM) and file data, and to translate this data into industry-standard SBOM formats. OpenSSF is further committed to facilitating the open source and collaborative development of Protobom, while encouraging the growth of the open source contributor community.

Key to enhancing software security and managing risk in the software supply chain, an SBOM is a nested, formatted inventory that lists the components that make up a piece of software, including the supply chain relationships among the various open source and commercial components used to build it. Understanding the software supply chain, obtaining an SBOM and using it to analyze known vulnerabilities are critical to managing cybersecurity risk. There are currently multiple SBOM data formats and identification schemes, which presents a challenge for organizations seeking to adopt SBOMs. Protobom aims to alleviate this problem by offering a format-neutral data layer on top of the existing standards that allows applications to work seamlessly with any type of SBOM.

Protobom can be integrated into commercial and open source applications, which will promote the adoption of SBOMs and make their creation and use easier and cheaper. The Protobom tool can access, read and translate SBOMs in different data formats, ensuring interoperability between them. By integrating Protobom into applications that link SBOM information with external vulnerability records and severity information from trusted sources, those applications can provide information about available patches and mitigations.
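To make the idea of a format-neutral data layer concrete, the following Go program is an added illustration written for this page; it is not Protobom's code and does not use Protobom's API or data model. It defines a small neutral `Document` type, sniffs whether an incoming SBOM is CycloneDX or SPDX JSON from its top-level keys, maps both into that neutral type, and writes the result back out in either format. The field subset, the type names and the two-package sample SBOM are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Component and Document form the neutral layer an application works against,
// whatever format the SBOM arrived in. Illustrative model only, not Protobom's.
type Component struct {
	Name, Version string
	Purl          string // package URL: the identifier that survives translation
}
type Document struct {
	SourceFormat string
	Components   []Component
}

// Minimal CycloneDX JSON shape (only the fields this example maps).
type (
	cdxComponent struct {
		Type    string `json:"type"`
		Name    string `json:"name"`
		Version string `json:"version"`
		Purl    string `json:"purl,omitempty"`
	}
	cdxDoc struct {
		BOMFormat   string         `json:"bomFormat"`
		SpecVersion string         `json:"specVersion"`
		Components  []cdxComponent `json:"components"`
	}
)

// Minimal SPDX 2.x JSON shape; the purl lives in an external reference.
type (
	spdxRef struct {
		Category string `json:"referenceCategory"`
		Type     string `json:"referenceType"`
		Locator  string `json:"referenceLocator"`
	}
	spdxPackage struct {
		Name         string    `json:"name"`
		VersionInfo  string    `json:"versionInfo"`
		ExternalRefs []spdxRef `json:"externalRefs,omitempty"`
	}
	spdxDoc struct {
		SPDXVersion string        `json:"spdxVersion"`
		Packages    []spdxPackage `json:"packages"`
	}
)

// ParseSBOM detects the format from its top-level keys and maps it into Document.
func ParseSBOM(data []byte) (*Document, error) {
	var probe map[string]json.RawMessage
	if err := json.Unmarshal(data, &probe); err != nil {
		return nil, fmt.Errorf("not a JSON object: %w", err)
	}
	switch {
	case probe["bomFormat"] != nil:
		var c cdxDoc
		if err := json.Unmarshal(data, &c); err != nil {
			return nil, err
		}
		doc := &Document{SourceFormat: "CycloneDX " + c.SpecVersion}
		for _, comp := range c.Components {
			doc.Components = append(doc.Components, Component{comp.Name, comp.Version, comp.Purl})
		}
		return doc, nil
	case probe["spdxVersion"] != nil:
		var s spdxDoc
		if err := json.Unmarshal(data, &s); err != nil {
			return nil, err
		}
		doc := &Document{SourceFormat: s.SPDXVersion}
		for _, p := range s.Packages {
			comp := Component{Name: p.Name, Version: p.VersionInfo}
			for _, ref := range p.ExternalRefs { // lift the purl out of externalRefs
				if ref.Type == "purl" {
					comp.Purl = ref.Locator
				}
			}
			doc.Components = append(doc.Components, comp)
		}
		return doc, nil
	}
	return nil, errors.New("unrecognised SBOM: neither bomFormat nor spdxVersion present")
}

// ToCycloneDX writes the neutral document out as CycloneDX 1.5 JSON.
func ToCycloneDX(d *Document) ([]byte, error) {
	out := cdxDoc{BOMFormat: "CycloneDX", SpecVersion: "1.5"}
	for _, c := range d.Components {
		out.Components = append(out.Components, cdxComponent{"library", c.Name, c.Version, c.Purl})
	}
	return json.MarshalIndent(out, "", "  ")
}

// ToSPDX writes it out as SPDX 2.3 JSON, placing the purl in an externalRef.
func ToSPDX(d *Document) ([]byte, error) {
	out := spdxDoc{SPDXVersion: "SPDX-2.3"}
	for _, c := range d.Components {
		p := spdxPackage{Name: c.Name, VersionInfo: c.Version}
		if c.Purl != "" {
			p.ExternalRefs = []spdxRef{{"PACKAGE-MANAGER", "purl", c.Purl}}
		}
		out.Packages = append(out.Packages, p)
	}
	return json.MarshalIndent(out, "", "  ")
}

// SampleSPDX is a constructed two-package SPDX document; one package carries a
// purl, the other (an internal library) does not.
const SampleSPDX = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"widget","versionInfo":"1.2.0","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/example.com/widget@v1.2.0"}]},
 {"name":"internal-lib","versionInfo":"0.3.0"}]}`

func main() {
	doc, err := ParseSBOM([]byte(SampleSPDX))
	if err != nil {
		panic(err)
	}
	cdx, _ := ToCycloneDX(doc)
	fmt.Printf("read %s with %d components; as CycloneDX:\n%s\n", doc.SourceFormat, len(doc.Components), cdx)
}
```

The design point is that consumers (a vulnerability matcher, a policy engine) only ever see `Document`, so adding a third input format means writing one more parser branch rather than touching every consumer; the package URL is carried through both directions because it is the identifier those consumers key on when they correlate components against vulnerability records.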

“To defend against the growing number of software attacks, it is critical to use innovative tools that create a more transparent software supply chain,” said Melissa Oh, director of the Silicon Valley Innovation Program. “DHS is engaging with the startup community to develop technology that will shed light on risks within supply chains and strengthen organizations’ overall cybersecurity.”

“Software vulnerabilities are a key cybersecurity risk, and known exploits are the primary way bad actors can inflict a range of harm. By using SBOM as a key element of software security, we can mitigate risk to the software supply chain and respond to emerging risks faster and more effectively,” said Allan Friedman, CISA Senior Advisor and Strategist. “Protobom is a step towards greater efficiency and interoperability by translating widely used formats so that tools and organizations can focus on what matters. It’s a positive solution that helps shape a more transparent software-driven world.”

“Hosting Protobom marks a pivotal moment for OpenSSF and our work to secure open source software,” said Omkhar Arasaratnam, CEO of OpenSSF. “Protobom not only simplifies the creation of SBOM, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires a partnership between the public sector, the private sector and the community. OpenSSF is proud to be a part of this mission.”

To stimulate the market and drive adoption of SBOMs, CISA and DHS S&T’s Silicon Valley Innovation Program (SVIP) collaborated to fund a cohort of seven startups to develop Protobom. This cohort includes AppCensus, Inc., Chainguard, Inc., Deepbits Technology, Inc., Manifest Cyber, Inc., Scribe Security, TestifySec, and Veramine, Inc.

CISA, DHS S&T and OpenSSF look forward to continuing to partner and collaborate on critical initiatives to improve the security of the open source software ecosystem. The Protobom Project is a free resource that will continue the evolution of software supply chain visibility and security. To learn more about Protobom, including how to support and contribute to the project, visit the Protobom web page and GitHub repository.

About OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative of the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, visit us at openssf.org.

About CISA

As the national cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads national efforts to understand, manage, and mitigate risks to the digital and physical infrastructure Americans rely on every hour and every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

Media contact

Jennifer Tanner
Look Left Marketing
[email protected]
