CISA, DHS S&T and OpenSSF Announce Global Launch of Software Supply Chain Open Source Project
The LF AI & Data Foundation | 17 April 2024
Protobom project allows for easy creation and translation of Software Bill of Materials (SBOMs)
SEATTLE, Washington – APRIL 16, 2024 – The Open Source Security Foundation (OpenSSF), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), today announced the launch and availability of Protobom, a new and innovative open source software supply chain tool. Protobom enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs) and file data, as well as translate this data across standard industry SBOM formats. The OpenSSF has further committed to facilitating the open source and collaborative development of Protobom while encouraging the growth of an open source contributor community.
Key to strengthening software security and software supply chain risk management, an SBOM is a nested, formatted inventory that lists the components making up a piece of software, including the supply chain relationships among the various open source and commercial components used to build it. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial for managing cybersecurity risk. Currently, multiple SBOM data formats and identification schemes exist, which makes adoption harder for organizations that want to use SBOMs. Protobom aims to mitigate this issue by offering a format-neutral data layer on top of the standards that lets applications work seamlessly with any kind of SBOM.
Protobom can be integrated into both commercial and open source applications, which will promote SBOM adoption and make SBOM creation and consumption easier and cheaper. Protobom tooling can access, read, and translate SBOMs in various data formats, thus providing seamless interoperability. By integrating Protobom into applications that link SBOM information with external records of vulnerabilities and severity information from trusted sources, the applications can provide information on available patches and mitigations.
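To make the "format-neutral data layer" of the two paragraphs above concrete, here is an added example that is not part of the press release and is not Protobom's own code or API. It defines a small hypothetical neutral model (`Component`, `Document`) and maps a minimal subset of the two widely used SBOM standards onto it, CycloneDX 1.x JSON (`bomFormat`, `components[].purl`) and SPDX 2.3 JSON (`spdxVersion`, `packages[].externalRefs` of type `purl`), so that one document can be read from either format and emitted as the other. The field names are the real ones from those specifications; the sample SBOM is constructed for the example, and the package URL (purl) is treated as the identifier that must survive translation because it is what vulnerability-matching tools key on.

```python
"""Hypothetical format-neutral SBOM layer: read CycloneDX or SPDX JSON into one
neutral model and write either format back out. Added example, not Protobom code."""
import json
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str = ""
    purl: str = ""  # package URL: the identifier we carry across formats unchanged


@dataclass
class Document:
    """Neutral SBOM: the described subject plus a flat component inventory.
    (A real layer such as Protobom also models relationships; omitted here.)"""
    subject: str = ""
    components: list = field(default_factory=list)


def detect(data: str) -> str:
    """Sniff the format from the top-level discriminator each standard defines."""
    obj = json.loads(data)
    if obj.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in obj:
        return "spdx"
    raise ValueError("unrecognized SBOM format")


def load(data: str) -> Document:
    """Map either standard onto the neutral Document."""
    obj = json.loads(data)
    doc = Document()
    if detect(data) == "cyclonedx":
        doc.subject = obj.get("metadata", {}).get("component", {}).get("name", "")
        for c in obj.get("components", []):
            doc.components.append(Component(c["name"], c.get("version", ""), c.get("purl", "")))
        return doc
    doc.subject = obj.get("name", "")
    for p in obj.get("packages", []):
        # SPDX carries the purl as an external reference rather than a field
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), "")
        doc.components.append(Component(p["name"], p.get("versionInfo", ""), purl))
    return doc


def to_cyclonedx(doc: Document) -> str:
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
           "metadata": {"component": {"type": "application", "name": doc.subject}},
           "components": []}
    for c in doc.components:
        entry = {"type": "library", "name": c.name}
        if c.version:
            entry["version"] = c.version
        if c.purl:
            entry["purl"] = c.purl
        bom["components"].append(entry)
    return json.dumps(bom, indent=2)


def to_spdx(doc: Document) -> str:
    sd = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
          "name": doc.subject, "packages": []}
    for i, c in enumerate(doc.components):
        pkg = {"name": c.name, "SPDXID": f"SPDXRef-Package-{i}"}
        if c.version:
            pkg["versionInfo"] = c.version
        if c.purl:
            pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl", "referenceLocator": c.purl}]
        sd["packages"].append(pkg)
    return json.dumps(sd, indent=2)


def translate(data: str) -> str:
    """Convert an SBOM to the other format by way of the neutral layer."""
    doc = load(data)
    return to_spdx(doc) if detect(data) == "cyclonedx" else to_cyclonedx(doc)


# Constructed sample input (not a real product's SBOM).
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app"}},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

if __name__ == "__main__":
    spdx = translate(SAMPLE_CYCLONEDX)
    print(spdx)
    # Round trip: CycloneDX -> SPDX -> CycloneDX must preserve every purl.
    assert load(translate(spdx)) == load(SAMPLE_CYCLONEDX)
```

The round trip at the bottom is the check worth keeping in any real translator: if a component's purl, version, or the document subject is lost on the way through the neutral model, downstream vulnerability matching silently degrades, so a translation layer should be tested for lossless conversion on every field it claims to carry.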
“To defend against the increasing number of software attacks, it’s critical to utilize innovative tools that create a more transparent software supply chain,” said Melissa Oh, Silicon Valley Innovation Program managing director. “DHS is tapping into the startup community to develop technology that will shine a light on risks within supply chains and bolster the overall cybersecurity of organizations.”
“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, CISA senior advisor and strategist. “Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world.”
"Hosting Protobom marks a pivotal moment for OpenSSF and our work to secure open source software," said Omkhar Arasaratnam, general manager of OpenSSF. "Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission."
To energize the market and encourage adoption of SBOMs, CISA and DHS S&T’s SVIP collaborated and funded a cohort of seven startups to develop Protobom. This cohort included AppCensus, Inc., Chainguard, Inc., Deepbits Technology, Inc., Manifest Cyber, Inc., Scribe Security, TestifySec, and Veramine, Inc.
CISA, DHS S&T and the OpenSSF look forward to the continued partnership and collaboration on critical initiatives to improve the security of the open source software ecosystem. The Protobom project is a free resource for the continued evolution of software supply chain visibility and security. To learn more about Protobom, including how to support and contribute to the project, please visit the Protobom website and GitHub.
###
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.
Jennifer Tanner
Look Left Marketing
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.