Flexera this week added an ability to manage software bills of materials (SBOMs) to its platform for tracking IT assets.
Alex Rybak, senior director of product management and head of the open source program office (OSPO) at Revenera, a division of Flexera, said as more organizations require SBOMs from their software providers, organizations will need to be able to operationalize them within the context of a larger IT service management (ITSM) workflow.
The Flexera One IT Visibility platform can now ingest SBOMs created in either the CycloneDX or the SPDX format; alternatively, organizations can use the software composition analysis (SCA) tools provided by Flexera to generate an SBOM. The latter capability helps ensure that the SBOM identifying the components of an application is as current as possible in an era when software is continuously updated.
That approach makes it possible to create a comprehensive list of all third-party components in an application, including commercial off-the-shelf (COTS) and open source software (OSS) components. That's critical because when a new vulnerability is discovered, IT teams can use Flexera One IT Visibility to immediately identify any affected applications to reduce mean time to remediation (MTTR), noted Rybak.
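To show what that lookup involves, here is an added Python example (not Flexera's code) that normalises one constructed CycloneDX SBOM and one constructed SPDX SBOM into a single component inventory and then answers the question the article describes: which applications ship a given component in an affected version range. Both SBOMs and the version range are constructed for illustration, not taken from any advisory.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (subset of fields) for one application.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.0"},
    ],
})

# Constructed SPDX 2.3 JSON SBOM (subset of fields) for a second application.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "customer-portal-sbom",
    "documentDescribes": ["SPDXRef-App"],
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "customer-portal", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Log4j", "name": "log4j-core", "versionInfo": "2.17.1"},
    ],
})

def parse_version(v):
    """'2.14.1' -> (2, 14, 1) so version ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))

def ingest(doc):
    """Normalise either format to (application, [(component, version), ...])."""
    data = json.loads(doc)
    if data.get("bomFormat") == "CycloneDX":
        app = data["metadata"]["component"]["name"]
        return app, [(c["name"], c["version"]) for c in data.get("components", [])]
    if data.get("spdxVersion", "").startswith("SPDX-"):
        # SPDX names the described application in documentDescribes; the rest are dependencies.
        top = set(data.get("documentDescribes", []))
        pkgs = data.get("packages", [])
        app = next(p["name"] for p in pkgs if p["SPDXID"] in top)
        return app, [(p["name"], p["versionInfo"]) for p in pkgs if p["SPDXID"] not in top]
    raise ValueError("unrecognised SBOM format")

def affected_apps(sboms, component, lo, hi):
    """Applications shipping `component` with lo <= version < hi (half-open range)."""
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    hits = []
    for doc in sboms:
        app, comps = ingest(doc)
        for name, version in comps:
            if name == component and lo_v <= parse_version(version) < hi_v:
                hits.append((app, version))
    return hits
```

Calling `affected_apps([CYCLONEDX_SBOM, SPDX_SBOM], "log4j-core", "2.0.0", "2.17.0")` returns only the billing service, which is the list an IT team would hand to remediation.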
In addition, IT teams can generate a security posture snapshot, including vulnerability disclosure reports (VDR) and vulnerability exploitability eXchange (VEX) reports.
Flexera One IT Visibility is based on a Technopedia database that the company maintains to track asset information such as timing of end-of-life support, compliance issues and known vulnerabilities across more than 18 million components.
In the wake of an executive order issued by the Biden administration, federal agencies in the U.S. are already required to collect SBOMs, and many enterprise IT organizations have begun to follow the lead of the federal government. At the same time, regulations that will require IT teams to collect SBOMs are being crafted around the world. The Flexera One IT Visibility platform now gives IT organizations a means to get ahead of those requirements before collecting SBOMs becomes mandatory, said Rybak.
It's not immediately clear which teams will be involved in collecting and managing SBOMs. In some organizations, it's clearly an IT or cybersecurity team mandate, but in others, the procurement office is taking a leading role, noted Rybak. Regardless of which arm of an organization is responsible, there is a clear need to find ways to operationalize SBOMs alongside other existing IT assets, he added.
Ultimately, SBOMs will play a crucial role in enabling organizations to meld IT and security operations as part of their ongoing efforts to respond more adroitly to potential threats. After all, in the wake of the discovery of the zero-day Log4j vulnerability in 2022, some organizations are still looking for all the vulnerable instances of that logging software that might be exposed to the internet. The one thing that is certain is that much of the time organizations now devote to discovering vulnerable instances of software components could be better spent by IT teams that are generally understaffed and overworked.
Image source: Photo by Christina @ wocintechchat.com on Unsplash