
SBOM & PCI 6.3.2

Moniesh R
July 18, 2025
Category: Technical

An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.


What is an SBOM?

An SBOM is a complete and accurate inventory of all software components, both open-source and commercial, incorporated into a software product or system. Think of it as a "nutrition label" for your software, listing every ingredient (libraries, APIs, modules, dependencies). Its primary purpose is to provide transparency into your software's composition, which is invaluable for security, licensing compliance, and overall software lifecycle management.

Generating Your Software Inventory with Syft

To meet the requirement of generating this detailed inventory, open-source tools like Syft are invaluable. Syft is a powerful SBOM generation tool known for its ability to create a comprehensive list of components incorporated into your software.

While widely used for Docker and other OCI (Open Container Initiative) images, Syft's capabilities extend beyond containers. You can use Syft to generate an SBOM from:

  • Filesystems: Analyze a local directory or mounted filesystem.
  • Archives: Extract component information from various archive formats like .tar, .zip, .deb, and .rpm.

This versatility makes Syft an excellent choice for inventorying components across diverse environments, from traditional servers to virtual machines and containerized applications.

Installation:

You can easily install Syft using the following command (refer to the official GitHub instructions for more details): https://github.com/anchore/syft

Bash:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Output formats

syft <image> -o <format>

Use the syft-json format to get as much information out of Syft as possible.

Leveraging SBOMs for Proactive Security with Vulnerability Scanners

Once you have your SBOM, the real security power comes into play. By integrating your SBOM with open-source vulnerability scanners, you can proactively identify known weaknesses in your software components.

Tools like Trivy and Grype are popular open-source security scanners that can consume and work with SBOMs. This blog post specifically showcases Trivy as an example. Trivy can generate SBOMs itself in formats like CycloneDX and SPDX (Software Package Data Exchange), both widely adopted standards for SBOMs that can include vulnerability information. This integration allows you to:

  • Automate Vulnerability Detection: Scan your software's components against known vulnerability databases.
  • Prioritize Remediation: Understand which vulnerabilities affect your specific components.
  • Maintain Compliance: Directly support your efforts in meeting PCI DSS 6.3.2 by continuously identifying and managing risks associated with your software inventory.

By maintaining an up-to-date SBOM and regularly scanning it, organizations can significantly enhance their vulnerability management processes, moving from reactive patching to proactive security.

Trivy: https://trivy.dev/v0.17.2/

Scanning the generated SBOM with Trivy:

trivy sbom <outputfile.json>
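The "prioritize remediation" step above is where the SBOM and the scan results meet: each finding has to be traced back to an inventoried component, and findings on packages the SBOM does not list are a sign the inventory is incomplete. The following Python script is an added example, not code from the post, Syft or Trivy; it joins a constructed CycloneDX SBOM (the shape `syft -o cyclonedx-json` produces) with a constructed Trivy JSON result (the shape `trivy sbom -f json` produces) using placeholder vulnerability IDs, and the `inventory` and `remediation_report` function names are mine.

```python
"""Join a Syft CycloneDX SBOM with Trivy JSON results into the per-component view
PCI DSS 6.3.2 asks for: which inventoried component is affected and whether a fixed
version exists. Both documents are constructed samples with placeholder IDs."""
import json

SBOM_JSON = json.dumps({  # constructed: shape of `syft <dir> -o cyclonedx-json`
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:deb/debian/libexample@1.2.3"},
        {"type": "library", "name": "requests", "version": "2.20.0",
         "purl": "pkg:pypi/requests@2.20.0"},
    ],
})

TRIVY_JSON = json.dumps({  # constructed: shape of `trivy sbom -f json sbom.json`
    "SchemaVersion": 2,
    "Results": [{"Target": "sbom.json", "Class": "lang-pkgs", "Type": "pip",
                 "Vulnerabilities": [
                     {"VulnerabilityID": "EXAMPLE-VULN-0001", "PkgName": "requests",
                      "InstalledVersion": "2.20.0", "FixedVersion": "2.31.0",
                      "Severity": "HIGH"},
                     {"VulnerabilityID": "EXAMPLE-VULN-0002", "PkgName": "requests",
                      "InstalledVersion": "2.20.0", "FixedVersion": "",
                      "Severity": "LOW"}]}],
})

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def inventory(sbom_text):
    """Map (name, version) -> purl; a missing version is listed as '?' so the gap shows."""
    bom = json.loads(sbom_text)
    return {(c["name"], c.get("version", "?")): c.get("purl", "")
            for c in bom.get("components", [])}


def remediation_report(sbom_text, trivy_text):
    """Return (matched, orphans): (severity, id, purl, fix) rows for inventoried packages,
    most severe first, plus findings whose package is absent from the SBOM."""
    inv = inventory(sbom_text)
    matched, orphans = [], []
    for result in json.loads(trivy_text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when nothing found
            key = (v["PkgName"], v["InstalledVersion"])
            row = (v["Severity"], v["VulnerabilityID"],
                   inv.get(key, "not in SBOM"), v.get("FixedVersion") or "none")
            (matched if key in inv else orphans).append(row)
    matched.sort(key=lambda r: SEVERITY_RANK.get(r[0], len(SEVERITY_RANK)))
    return matched, orphans
```

A non-empty orphans list means the scanner saw packages the SBOM does not record, which is the inventory defect 6.3.2 is meant to surface.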
