CISA, DHS S&T, and OpenSSF launch Protobom project

On April 16, The Open Source Security Foundation (OpenSSF), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), announced the launch and availability of Protobom, a new and innovative open source software supply chain tool.

Protobom enables all organizations, including system administrators and software development communities, to read and generate Software Bills of Materials (SBOMs) and file data, as well as translate this data across standard industry SBOM formats. The OpenSSF has further committed to facilitating the open source and collaborative development of Protobom while encouraging the growth of an open source contributor community.

Key to strengthening software security and software supply chain risk management, an SBOM is a nested, formatted inventory that lists the components making up a piece of software, including the supply chain relationships among the various open source and commercial components used in building it. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial for managing cybersecurity risk. Currently, multiple SBOM data formats and identification schemes exist, which makes adoption challenging for organizations that want to start using SBOMs. Protobom aims to mitigate this issue by offering a format-neutral data layer on top of the standards that lets applications work seamlessly with any kind of SBOM.

Protobom can be integrated into both commercial and open source applications, which will promote SBOM adoption and make SBOM creation and consumption easier and cheaper. Protobom tooling can access, read, and translate SBOMs in various data formats, thus providing seamless interoperability. By integrating Protobom into applications that link SBOM information with external records of vulnerabilities and severity information from trusted sources, those applications can provide information on available patches and mitigations.

“To defend against the increasing number of software attacks, it’s critical to utilize innovative tools that create a more transparent software supply chain,” said Melissa Oh, Silicon Valley Innovation program managing director. “DHS is tapping into the startup community to develop technology that will shine a light on risks within supply chains and bolster the overall cybersecurity of organizations.”

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, CISA senior advisor and strategist. “Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world.”

“Hosting Protobom marks a pivotal moment for OpenSSF and our work to secure open source software,” said Omkhar Arasaratnam, general manager of OpenSSF. “Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission.”

Source: OpenSSF
