Continuous Security in DevSecOps: Introducing the Dynamic SBOM
By Baksheesh Singh Ghuman
Today’s announcement of the general availability of our Dynamic Software Bill of Materials (SBOM) marks an important milestone in Rezilion’s mission to make it easier for organizations to eliminate software risk. There is a lot of buzz around how organizations should improve security across the Software Development Life Cycle (SDLC), either by shifting left or shifting right, and there are arguments on both sides that justify one approach over the other. But organizations can’t achieve holistic security by shifting left or shifting right alone. Both approaches push the burden of security either early, into the development phase, or later, into the operational/production phase, depending on how security controls are set up in the environment, with the aim that any exploitable vulnerabilities are caught and remediated before the product is released.
Faced with unprecedented pressure to release secure products faster, development and product teams must balance security with agility. The additional work, complexity, lack of clarity, and lack of proper tooling cause key challenges, including:
- Lack of focus when it comes to vulnerabilities
- Delays in remediation/time-to-fix lead to delays in time to market
- Longer attack windows allow increased opportunity for threat actors to attack
- Friction between developers and security teams
To address these challenges, we need to adopt a dynamic SBOM in order to implement continuous security. Continuous security is a security strategy that aims to “integrate” security end-to-end within the development and production workflow in an automated and streamlined way, one that neither creates additional work nor shifts the burden of responsibility to a single party. Because security is integrated, automated, and streamlined, the stakeholders can implement a holistic strategy. In order to implement a continuous strategy, organizations need a tool that allows them to tie all the pieces together. The dynamic SBOM does this. It can help organizations elevate vulnerability management in their software ecosystem from development to production, and even to operations.
Dynamic SBOMs as a driver of Continuous Security
So, what is a dynamic SBOM? A dynamic SBOM is a continuous inventory of all software components present in your environment or product that updates in real time whenever there is a change. This change can be a new component added, a change in code, a new version of the software, or even a change in exploitability state. The goal is that it is continuously updated to accurately reflect the composition of your software environment or product. Another feature of the dynamic SBOM is the mapping of vulnerabilities to the discovered components. This establishes exploitability context using runtime analysis, highlighting which vulnerabilities are exploitable and which are not in a particular environment. The dynamic SBOM also builds on the exploitability context so that organizations can prioritize and remediate vulnerabilities to address their risk and gain one of the biggest competitive advantages – time. With a dynamic SBOM you can track this continuously. The final aspect that makes dynamic SBOMs such a valuable tool is the ability to enforce security policies based on the organization’s acceptable risk.
Let’s explore the many reasons why a dynamic SBOM is the driver of a continuous security strategy.
- Dynamic SBOMs are integrated within the SDLC workflow and are not a separate, external process or artifact. They are full stack and full cycle, making them an ideal tool for end-to-end security.
- Dynamic SBOMs are automated, created, and updated automatically at predefined stages of your product lifecycle (SDLC). This ensures that at any given lifecycle stage you know exactly what is in your software and what has changed. This tracking helps you manage your builds and ensures that flaws are not ignored or pushed further down the line without getting addressed/remediated.
- The dynamic SBOM gives you a running list and details of all software components present, whether they are proprietary, open source, third party, or even components that are reaching end-of-life. This level of visibility and detail allows organizations to manage their supply chain risk, plan their policies, create a whitelist/blacklist for different components, and hold vendors accountable.
- Dynamic SBOMs give you a real-time status on vulnerabilities that are exploitable and not exploitable. This real-time status consists of available/applied patches, any advisories from various vulnerability databases, removal of vulnerabilities that are no longer exploitable (change of status), etc. This real-time status allows organizations to manage their risk proactively.
- Dynamic SBOMs are searchable and allow you to search for components such as packages or images or files as well as vulnerabilities so that you can proactively look for known vulnerabilities in your environment and product and avert/prevent/reduce impact of attacks.
- Dynamic SBOMs also show dynamic data like network activity, memory analysis, etc. so that you get additional contexts to your components and their associated posture.
- Dynamic SBOMs drive security throughout the different stages of the product lifecycle. Since they are automatically created, constantly updated, and comprehensive in their discovery, dynamic SBOMs can be used as security gates from one stage to another in a non-intrusive, automated, and integrated manner, helping organizations streamline and enforce security policies across products and business units.
- Dynamic SBOMs can track drift and alert on any changes, so there is no need to maintain multiple versions of SBOMs and compare them for changes manually. This automated drift detection and alerting helps security teams make sure no unauthorized code or components are added to the product.
- Dynamic SBOMs also provide provenance information for the components, meaning they track each component’s origin and whether it is third party or open source, so that organizations can properly manage their supply chain risk.
- Dynamic SBOMs save organizations time. This is a powerful value that is unique to what Rezilion does.
a) By reducing their vulnerability backlog and focusing on what really matters, developers save time and can focus on innovation
b) Prioritization allows security teams to remediate faster
c) Reduced remediation times lead to a shortened time-to-market
d) By fixing vulnerabilities quickly, security teams reduce the attack window, reducing the time attackers have to exploit a vulnerability
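To make the three mechanics the list above describes concrete (drift detection between SBOM snapshots, mapping vulnerabilities onto discovered components with a runtime-derived exploitability flag, and a policy gate that decides whether a build may move to the next stage), here is an added worked example in Python. It is not Rezilion’s code and does not reflect the product’s data model; the two SBOM snapshots, the advisory feed (advisory IDs of the form EXAMPLE-2024-000N), the set of components observed loaded at runtime, and the policy are all constructed for illustration. The snapshot layout is a minimal CycloneDX-like dict; only the fields the example uses are present.

```python
"""Drift detection, vulnerability mapping and policy gating over SBOM snapshots.

Constructed example: every snapshot, advisory, component name and policy
value below is made up for illustration; none of it is real product data.
"""
from dataclasses import dataclass

# Snapshot taken at build time (constructed, minimal CycloneDX-like shape).
SBOM_BUILD = {
    "components": [
        {"name": "libexample-json", "version": "1.4.2", "origin": "open-source"},
        {"name": "acme-auth", "version": "3.0.0", "origin": "proprietary"},
        {"name": "vendor-sdk", "version": "2.1.0", "origin": "third-party"},
    ]
}

# Snapshot taken later from the running environment (constructed): one
# dependency was upgraded and one component appeared that nobody reviewed.
SBOM_RUNTIME = {
    "components": [
        {"name": "libexample-json", "version": "1.5.0", "origin": "open-source"},
        {"name": "acme-auth", "version": "3.0.0", "origin": "proprietary"},
        {"name": "vendor-sdk", "version": "2.1.0", "origin": "third-party"},
        {"name": "debug-shell", "version": "0.1.0", "origin": "unknown"},
    ]
}

# Advisory feed (constructed): a component is affected below `fixed_in`.
VULN_FEED = [
    {"id": "EXAMPLE-2024-0001", "component": "libexample-json", "fixed_in": "1.5.0", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "component": "vendor-sdk", "fixed_in": "2.2.0", "severity": "critical"},
]

# Runtime observation (constructed): components actually loaded into a process.
# A vulnerable component that is never loaded is recorded as not exploitable.
LOADED_AT_RUNTIME = {"libexample-json", "acme-auth"}

# Policy (constructed): block only on exploitable high/critical findings and on
# components whose provenance is not approved.
POLICY = {
    "block_severities": {"critical", "high"},
    "allowed_origins": {"proprietary", "open-source", "third-party"},
}


@dataclass(frozen=True)
class Finding:
    advisory: str
    component: str
    version: str
    severity: str
    exploitable: bool


def version_tuple(version: str) -> tuple:
    """Turn a dotted numeric version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def index_components(sbom: dict) -> dict:
    """Map component name -> component record for quick lookup."""
    return {c["name"]: c for c in sbom["components"]}


def diff_sboms(old: dict, new: dict) -> dict:
    """Drift between two snapshots: added, removed and version-changed components."""
    before, after = index_components(old), index_components(new)
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": {n: (before[n]["version"], after[n]["version"])
                    for n in sorted(common) if before[n]["version"] != after[n]["version"]},
    }


def map_vulnerabilities(sbom: dict, feed: list, loaded_at_runtime: set) -> list:
    """Attach advisories to affected components and flag those loaded at runtime."""
    comps = index_components(sbom)
    findings = []
    for adv in feed:
        comp = comps.get(adv["component"])
        if comp is None or version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
            continue  # component absent, or already at a fixed version
        findings.append(Finding(adv["id"], comp["name"], comp["version"],
                                adv["severity"], comp["name"] in loaded_at_runtime))
    return findings


def evaluate_gate(sbom: dict, findings: list, drift: dict, policy: dict = POLICY) -> tuple:
    """Decide whether the snapshot may pass to the next stage; return (ok, reasons)."""
    reasons = []
    for f in findings:
        if f.exploitable and f.severity in policy["block_severities"]:
            reasons.append(f"exploitable {f.severity} {f.advisory} in {f.component}@{f.version}")
    for c in sbom["components"]:
        if c.get("origin") not in policy["allowed_origins"]:
            reasons.append(f"{c['name']} has unapproved origin {c.get('origin')!r}")
    for name in drift["added"]:
        reasons.append(f"unreviewed component added since last snapshot: {name}")
    return (not reasons, reasons)


if __name__ == "__main__":
    drift = diff_sboms(SBOM_BUILD, SBOM_RUNTIME)
    findings = map_vulnerabilities(SBOM_RUNTIME, VULN_FEED, LOADED_AT_RUNTIME)
    ok, reasons = evaluate_gate(SBOM_RUNTIME, findings, drift)
    print("drift:", drift)
    print("findings:", findings)
    print("gate passed:", ok, reasons)
```

Two design points worth noting. The exploitability flag comes from an observation outside the SBOM itself (here, a set of components seen loaded), which is what lets the gate ignore the critical advisory on the never-loaded vendor-sdk while still blocking the build snapshot, where the high-severity libexample-json issue is both present and loaded. And drift is computed from two stored snapshots rather than by hand: the unreviewed debug-shell component is reported both as an addition and as a provenance violation, which is the kind of unauthorized change the list item on drift tracking describes.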
With dynamic SBOMs you don’t have to shift left or shift right. Dynamic SBOMs represent a new approach to continuous security, one that is integrated, automated, streamlined, and enforced at predefined stages within the workflow, so that developers don’t waste time and product security teams gain time-to-market. It’s a win-win for both product security and developers.