Streamline Software Bill of Materials (SBOM) Generation with Wiz's Agentless SBOM

Enhance software security and supply chain risk management with Wiz's agentless scanning technology for effortless SBOM creation

3 min read

Developers in today's fast-paced environment routinely incorporate open-source repositories and proprietary packages into their software, making it crucial for enterprises to gain a comprehensive understanding of their software estates. The Software Bill of Materials (SBOM) has emerged as a vital component of software security and supply chain risk management. According to Gartner's Innovation Insight for SBOMs, adoption is expected to soar, with 60% of organizations mandating and standardizing SBOMs in their software engineering practices by 2025, up from less than 20% in 2022. SBOMs are also mandated as a prerequisite deliverable for all organizations transacting with government agencies and regulated organizations (e.g. the White House Executive Order on Improving the Nation's Cybersecurity).

An SBOM represents a nested inventory or list of ingredients that constitute software components. Apart from the components themselves, SBOMs encompass essential details about the libraries, tools, and processes used during the development, build, and deployment of a software artifact. 

However, creating and maintaining an SBOM can be a challenging task, requiring a complete inventory of all applications and the ability to generate SBOMs at various stages of the software deployment lifecycle. For example, SBOM generation via code scanning can result in an inflated SBOM and, more importantly, may not reflect what is actually deployed in production. Generating an SBOM via image scanning is more accurate, but it requires full integration into the CI/CD pipeline or relies on a one-time assessment, so it does not guarantee complete coverage and leaves blind spots. Finally, it requires maintenance whenever a new pipeline is built and whenever the tooling needs to be upgraded.

A recent example that highlights the significance of SBOMs is the Log4j incident, where a seemingly innocuous library used by millions of developers had far-reaching implications for numerous applications. Another example is the SolarWinds supply chain attack, where a supposedly legitimate update was infected with a trojan that gave access to 18,000 customers, including US government agencies and private companies.

At Wiz, we are committed to continuously innovating to ensure the security of cloud infrastructures and workloads, from initial design to execution.

Today, we are thrilled to introduce the ability to create SBOMs in a simple, automated, and agentless way. Wiz customers can now effortlessly access crucial information about packages, open-source libraries, and their versions, giving them instant visibility.

Leveraging Wiz's agentless visibility, customers gain comprehensive insights into their entire cloud environment or into a selected application owned by a specific business unit. This includes applications deployed in containers, container images, virtual machines, or serverless environments. Agentless visibility ensures SBOMs always reflect the current state as of the last scan, without the need to maintain or rely on agents or open-source tools. With a single click on a resource in the Wiz UI, users can download an SBOM report containing detailed information about packages, open-source libraries, nested dependencies (in Java, NodeJS, Python, Go, etc.), and their versions, which can then be exported in standard formats such as SPDX or CycloneDX. Another available option is to export SBOM reports to an S3 bucket to centralize them.

Configure scheduled SBOM reports for multiple resources

Understanding the composition of your applications' ingredients partially answers the question: "Where am I at risk?" By leveraging the automatically generated SBOM, Wiz provides a vulnerability management system that is continuously updated after each scan. Wiz also analyzes all layers of the cloud infrastructure and workloads themselves, to calculate potential attack vectors, including external exposure, elevated privileges, and access to sensitive data, among others.

Combining automatically generated SBOMs, vulnerability management, and complete cloud visibility with context helps Wiz customers secure their environments, from supply chain to execution, and prioritize risks accordingly.
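As an added illustration of the two points above (nested dependencies in an exported CycloneDX SBOM, and matching that SBOM against vulnerability data), the following Python parses a constructed CycloneDX document, resolves the dependency chain that pulls each component in, and flags components that appear in a constructed advisory list. This is not Wiz code or a Wiz export; the SBOM contents, the advisory ID and the function names are assumptions.

```python
import json

# Constructed CycloneDX-style SBOM (not a Wiz export): the app's web framework
# pulls in log4j-core only transitively, the situation the Log4j example above describes.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "3.2.0"}},
 "components": [
  {"bom-ref": "pkg:maven/org.example/webfw@5.1.0", "name": "webfw", "version": "5.1.0"},
  {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"},
  {"bom-ref": "pkg:maven/com.example/json@1.0.0", "name": "json", "version": "1.0.0"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["pkg:maven/org.example/webfw@5.1.0", "pkg:maven/com.example/json@1.0.0"]},
  {"ref": "pkg:maven/org.example/webfw@5.1.0",
   "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}]}"""
SBOM = json.loads(SBOM_JSON)

# Constructed advisory feed keyed by (name, version); the ID is a placeholder, not a real CVE.
ADVISORIES = {("log4j-core", "2.14.1"): "ADVISORY-PLACEHOLDER-1"}


def dependency_paths(sbom):
    """Map each reachable bom-ref to its path from the root component, walking the
    nested dependency graph (already-seen refs are skipped, so cycles terminate)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = {}, [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for child in graph.get(ref, []):
            if child not in paths:
                paths[child] = path + [child]
                stack.append((child, path + [child]))
    return paths


def vulnerable_components(sbom, advisories):
    """Match every component, direct or nested, against the advisory feed and
    return the dependency chain that pulls each affected one in."""
    paths = dependency_paths(sbom)
    return [{"component": c["bom-ref"], "advisory": advisories[(c["name"], c["version"])],
             "via": paths.get(c["bom-ref"], [c["bom-ref"]])}
            for c in sbom.get("components", []) if (c["name"], c["version"]) in advisories]


if __name__ == "__main__":
    for hit in vulnerable_components(SBOM, ADVISORIES):
        print(hit["advisory"], "via", " -> ".join(hit["via"]))
```

The "via" chain is what makes a nested finding actionable: it names the direct dependency that must be upgraded or replaced, not just the vulnerable leaf.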

In short, Wiz’s agentless SBOM allows you to: 

  • Gain complete visibility of your applications' components, including packages, open-source libraries, and nested dependencies, without blind spots and without deploying an agent.

  • Keep an always up-to-date SBOM that reflects what is running in production without the need to maintain a dedicated flow. 

  • Export SBOM reports in standard formats and centralize them in S3 buckets for further analysis or sharing.

This is only the beginning of Wiz's capabilities in the realm of supply chain security. Stay tuned for more exciting developments. In the meantime, to learn more about Wiz, please visit our Wiz docs (login required). If you prefer a live demo, our team would be delighted to connect with you. 
