on - edited on by
Sarah Wood
Open-source software is typically free to use, can be quickly and easily integrated into existing software, and is well tested and maintained. This makes using open-source components particularly attractive to developers, but does present some unique challenges, including:
- Security: Open-source components can introduce security vulnerabilities into software
- License compliance: Open-source components can have different licensing terms, which can be challenging to manage.
- Quality: the quality of open-source components can vary, so it is essential to choose components carefully
- Dependencies: Open-source components can depend on other open-source components, making tracking and managing the software supply chain difficult
Software Bills of Material, or SBOMs, are machine-readable inventories of the third-party components used in software products and the supply chain relationships between them. SBOMs deliver improved visibility, transparency, security, and integrity of proprietary and open-source code. They allow you to make risk-informed decisions and are becoming increasingly more popular amongst critical infrastructure after the NTIA declared a focus on software transparency back in 2018.
With their growing importance, SBOMs empower several use cases in modern organizations. Some of the most critical use cases include:
- Supply chain security, specifically surrounding vulnerability management
- Third-party supplier/vendor risk management
- Allowing DevOps teams to implement best practices through improving their build life cycles
SBOMs are also important for procurement teams, especially in the merger and acquisition process. Additionally, they are key when looking to stay in compliance, and critical to audits.
With ServiceNow, organizations can ingest SBOMs, assess the present risk, and respond to them, reducing the overall risk to the attack surface.
ServiceNow's SBOM solution improves transparency and provides a single source of truth for organization. Ingesting SBOMs through both automated push and or manual uploads gives you a credible database of all the open-source components in your environment. Once this data is ingested, you will have a comprehensive list of third-party components used across your organization.
Once all the open-source components used in your environment are identified, ServiceNow SBOM Workspace can assess the risks these components have, and display relevant information via dashboards to help you understand and prioritize the most important risks to address first. With our November release, Snyk is releasing a new Vulnerability Intelligence for SBOM integration, available in the ServiceNow store. Together, Snyk and ServiceNow deliver insights on vulnerabilities for open-source dependencies seamlessly into the ServiceNow workflow. This provides visibility into your development team's application security risk on both platforms. AppSec managers can create automated workflow processes to minimize risk.
Finally, our solution enables you to proactively manage your risk. We automate the vulnerability management process by continuously prioritizing the vulnerabilities that pose the highest risks to your organization. As the SBOMs are uploaded, risks are assessed, and findings are automatically created and routed to the application owners for triaging and providing the vulnerability disposition.
Check out our demo here: https://www.youtube.com/watch?v=baDQw2Uocks
