Application development Cloud-Native Development Containers Features Latest News News Topics 

Chainguard Adds Automatic SBOM Generation Capability

, , ,
by Mike Vizard

Chainguard revealed today added an ability to automatically generate a software bill of materials (SBOM) for containers to its Enforce control plane created to secure cloud-native applications.

In addition, the company is adding a central console for filtering and searching for SBOMs and vulnerabilities across those environments. As a result, Enforce will automatically ingest SBOMs attached to container images in a way that can be searched because each SBOM is converted into a JSON format that is stored in database.

Finally, Chainguard is enabling daily vulnerability scans and report generation across cloud-native workloads along with a keyless signatures capability that can be managed privately.

Kim Lewandowski, chief product officer for Chainguard, said these extensions to Chainguard Enforce will make it simpler for organizations to comply with forthcoming requirements that will require application development teams to generate SBOMs. Chainguard Enforce supports both the SPDX and Cyclone DX SBOM schemas to make it easier for development teams to comply with any of those requirements.

A wave of legislation in the U.S. and Europe will soon require organizations to more deeply embrace DevOps best practices to address increased potential liability that might stem from a breach of an application. A proposed Cyber Resilience Act being negotiated between the member states of the European Union, for example, would require organizations that sell hardware platforms that connect to the internet to ensure that the devices their software runs on comply with best cybersecurity practices.

In the U.S., meanwhile, a National Cybersecurity Strategy proposal put forward by the Biden administration seeks to hold organizations that collect data or build software more accountable for breaches.

While both proposals are a long way from being officially enacted, they are indicative of a changing attitude. Governments around the world are concluding the only way to ensure better cybersecurity is to require it. Previous suggestions made by government agencies are going to soon give way to actual mandates. As such, savvy IT leaders would be well-advised to get ahead of this sea change by implementing the tools and processes that inevitably will be required.

The challenge, of course, is that most developers have limited cybersecurity expertise, so they keep making the same mistakes multiple times over. Many organizations are now embracing DevSecOps best practices that shift more responsibility for application security further left toward developers. The issue is first finding the right set of cybersecurity tools that surfaces vulnerabilities as code is being written and then determining what code is affected, where it is running and who wrote it in the first place, as they are likely to be the ones asked to create the requisite patch.

Of course, the more applications that are deployed, the more challenging it becomes to ensure the integrity of the portfolio being managed. In addition, with the rise of cloud-native applications based on containers, the application environments have become a lot more dynamic. Keeping track of what code is running at any given moment is more difficult than ever. SBOMs may not resolve all these issues, but they do provide a much-needed place to get started.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1729 posts and counting. See all posts by Mike Vizard