SBOM Escrow
Problem Statement
Cybersecurity vulnerabilities in widely used software components such as Log4j underscore the need for stronger cyber supply chain security. While software customers want to understand the vulnerabilities in their own supply chain, vendors are often reluctant to disclose Software Bills of Materials (SBOMs) because of the business need to safeguard the proprietary information in commercial software.
Solution
SBOM Escrow is a trusted third party that provides selective disclosure and validation of SBOM data. The service strengthens the cyber supply chain through a platform that improves trust and transparency between software customers and vendors while preserving vendor privacy.
Platform Description
The application allows a software vendor to securely and selectively disclose vulnerabilities identified in its software to its customers. The vendor uploads its source code to the platform, which generates an SBOM from it, securely stores the SBOM for future reference, and discards the code itself. The platform then regularly compares the stored SBOM against the latest Common Vulnerabilities and Exposures (CVE) data to determine whether any SBOM component is affected by a known CVE. When a CVE is found, the affected SBOM component is revealed only to verified customers, and only if the CVE's Common Vulnerability Scoring System (CVSS) score meets a threshold mutually agreed between the vendor and that customer; components without a matching CVE remain undisclosed.
When SBOM Escrow notifies a customer of a vulnerability, the customer sees the:
- Relevant SBOM components
- Associated CVE and its CVSS score
- Vulnerability mitigation steps
- Vendor remediation status
- Vendor SBOM point of contact
- Blockchain smart contract hash for auditing
This information gives the customer enough to mitigate vulnerabilities in vendor software and improves vendor responsiveness to customer security concerns, especially for vulnerabilities without a published software patch. To further address vendor privacy concerns, the application retains no source code, and it will eventually offer an on-premise scanning agent so that vendors who prefer not to upload source code have an alternative route to SBOM validation.
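The disclosure rule described above, as an added example that is not SBOM Escrow's own code: the escrow holds a component list, matches each component's version against a CVE feed with affected version ranges, and releases a record with the fields listed above only to customers whose agreed CVSS threshold the CVE meets. The SBOM, the CVE feed (one real Log4Shell entry with its published range and score, one fictitious entry), the vendor contact and the remediation statuses are all constructed for the example. The page does not describe how the smart contract hash is produced, so a SHA-256 over the canonical JSON of the disclosure record stands in for it here as an assumption.

```python
"""Selective SBOM disclosure gated by a per-customer CVSS threshold.

Added example, not SBOM Escrow's code. Assumes the escrow holds a
CycloneDX-like component list and a CVE feed with affected version ranges;
every input below is constructed for illustration.
"""
import hashlib
import json
import re

# Constructed SBOM fragment. The proprietary component must never be
# disclosed unless a CVE matches it.
SBOM = {
    "vendor": "Example Vendor",
    "product": "ExampleApp 4.2",
    "sbom_contact": "sbom-security@example-vendor.invalid",  # assumed contact
    "components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "jackson-databind", "version": "2.13.4"},
        {"name": "licensing-engine", "version": "1.0.0"},  # proprietary, no CVE
    ],
}

# Constructed CVE feed. CVE-2021-44228 (Log4Shell) is real and its affected
# range and score are as published; CVE-2099-0002 is fictitious.
CVE_FEED = [
    {"id": "CVE-2021-44228", "component": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "cvss": 10.0,
     "mitigation": "Upgrade to a fixed release; disable message lookups as a stopgap"},
    {"id": "CVE-2099-0002", "component": "jackson-databind",
     "introduced": "2.13.0", "fixed": "2.13.5", "cvss": 4.3,
     "mitigation": "Upgrade to 2.13.5 or later"},
]

# Vendor-maintained remediation status per CVE (constructed).
REMEDIATION_STATUS = {"CVE-2021-44228": "patched in 4.3", "CVE-2099-0002": "investigating"}


def parse_version(v):
    """Split a dotted version into a comparable tuple of ints: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed), as most advisory formats express it."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_cves(sbom, feed):
    """Return (component, cve) pairs where the shipped version falls in an affected range."""
    matches = []
    for comp in sbom["components"]:
        for cve in feed:
            if cve["component"] == comp["name"] and is_affected(
                comp["version"], cve["introduced"], cve["fixed"]
            ):
                matches.append((comp, cve))
    return matches


def audit_hash(record):
    """SHA-256 over canonical JSON of a disclosure record.

    Assumed stand-in for the smart contract hash the page mentions; the page
    does not describe how that hash is actually constructed.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def disclose(sbom, feed, customer):
    """Build what a verified customer sees: only components with a matching CVE
    whose CVSS meets the threshold agreed with that customer."""
    records = []
    for comp, cve in match_cves(sbom, feed):
        if cve["cvss"] < customer["cvss_threshold"]:
            continue  # below the agreed bar: the component stays undisclosed
        record = {
            "customer": customer["name"],
            "product": sbom["product"],
            "component": f'{comp["name"]}@{comp["version"]}',
            "cve": cve["id"],
            "cvss": cve["cvss"],
            "mitigation": cve["mitigation"],
            "vendor_remediation_status": REMEDIATION_STATUS.get(cve["id"], "unknown"),
            "vendor_contact": sbom["sbom_contact"],
        }
        record["audit_hash"] = audit_hash(record)  # hash covers every field above
        records.append(record)
    return records


if __name__ == "__main__":
    for cust in ({"name": "Bank A", "cvss_threshold": 7.0},
                 {"name": "Retailer B", "cvss_threshold": 4.0}):
        print(json.dumps(disclose(SBOM, CVE_FEED, cust), indent=2))
```

Run as-is, the customer with a 7.0 threshold receives only the Log4Shell record, the customer with a 4.0 threshold receives both, and the proprietary component never appears in either output. The version matcher handles plain dotted versions; pre-release suffixes such as "2.0-beta9" would need the richer comparison rules of the ecosystem's package manager.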
Platform Architecture
Funding
SBOM Escrow was funded through a grant awarded by the Center for Long Term Cybersecurity at the University of California, Berkeley.
Acknowledgements
The SBOM Escrow team is grateful to Ryan Liu and Dr. Sekhar Sarukkai for their dedicated support of this project. Their mentorship guided this platform from concept to reality. We also thank the Center for Long Term Cybersecurity for their generous support, which enabled this platform’s creation.