The following is a list of vendors that provide tools to help secure software supply chains, along with a brief description of their offerings.
Featured Vendor
HCL Software: HCL AppScan empowers developers, DevOps, and security teams with a suite of technologies to pinpoint application vulnerabilities for quick remediation in every phase of the software development lifecycle. HCL AppScan SCA (Software Composition Analysis) detects open-source packages, versions, licenses, and vulnerabilities, and provides an inventory of all of this data for comprehensive reporting.
Other Vendors
Anchore offers an enterprise version of its Syft open-source software bill of materials (SBOM) project, used to generate and track SBOMs throughout the development lifecycle. It can also continuously identify known and new vulnerabilities and security issues.
Aqua Security can help organizations protect all the links in their software supply chains to maintain code integrity and minimize attack surfaces. With Aqua, customers can secure the systems and processes used to build and deliver applications to production, while monitoring the security posture of DevOps tools to ensure that the security controls put in place have not been bypassed.
ArmorCode's Application Security Posture Management (ASPM) Platform helps organizations unify visibility into their CI/CD posture and the components from all of their SBOMs, prioritize supply chain vulnerabilities based on their impact in the environment, and find out whether vulnerability advisories actually affect the system.
Contrast Security: Contrast SCA focuses on real threats from open-source security risks and vulnerabilities in third-party components at runtime. Operating at runtime effectively reduces the false positives often produced by static SCA tools and prioritizes the remediation of vulnerabilities that present actual risk. The software can flag software supply chain risks by identifying potential instances of dependency confusion.
FOSSA provides an accurate and precise record of all code dependencies to an unlimited depth, and can generate an SBOM for any prior version of the software, not just the current one. The platform uses multiple methods, beyond simply analyzing manifest files, to produce an audit-grade component inventory.
GitLab helps secure the end-to-end software supply chain (including source, build, dependencies, and released artifacts), create an inventory of the software used (a software bill of materials), and apply the necessary controls. GitLab can help track changes, enforce the controls needed to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.
Mend.io: Mend's SCA automatically generates an accurate and deeply comprehensive SBOM of all open source dependencies to help ensure software is secure and compliant. Mend SCA generates a call graph to determine whether code reaches vulnerable functions, so developers can prioritize remediation based on actual risk.
Revenera provides ongoing risk assessment for license compliance issues and security threats. The solution can continuously assess risk across a portfolio of software applications and the supply chain. SBOM Insights supports the aggregation, ingestion, and reconciliation of SBOM data from various internal and external data sources, providing the insights needed to manage legal and security risk, deliver compliance artifacts, and secure the software supply chain.
Snyk can help developers understand and manage supply chain security, from enabling secure design to tracking dependencies to fixing vulnerabilities. Snyk provides the visibility, context, and control needed to work alongside developers on reducing application risk.
Sonatype can generate both CycloneDX and SPDX SBOM formats, import them from third-party software, and analyze them to pinpoint components, vulnerabilities, malware, and policy violations. Companies can demonstrate their software's security status easily with SBOM Manager, and share SBOMs and customized reports with customers, regulators, and certification bodies via the vendor portal.
Synopsys creates SBOMs automatically with Synopsys SCA. With the platform, users can import third-party SBOMs and evaluate them for component risk, and generate SPDX and CycloneDX SBOMs containing open source, proprietary, and commercial dependencies.
Veracode Software Composition Analysis can continuously monitor software and its ecosystem to automate the discovery and remediation of open-source vulnerabilities and license compliance risk. Veracode Container Security can prevent exploits of containers before runtime and provide actionable results that help developers remediate effectively.
Open Source Solutions
CycloneDX: The OWASP Foundation's CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is also backed by the Ecma International Technical Committee 54 (Software & System Transparency).
SPDX is a Linux Foundation open standard for sharing SBOMs and other important AI, data, and security references. It supports a range of risk management use cases and is a freely available international open standard (ISO/IEC 5692:2021).
Syft is a powerful and easy-to-use CLI tool and library for generating SBOMs for container images and filesystems. It also supports the CycloneDX, SPDX, and JSON formats. Syft can be installed and run directly on a developer machine to generate SBOMs for software being developed locally, or it can be pointed at a filesystem.