Building a software Bill of Materials with Black Duck

In an effort to secure the software supply chain, Black Duck SBOM export capabilities now comply with the NIST standards in Executive Order 14028.

A necessary step in securing an application is evaluating the supply chain of each component used to build it, no matter how many hands were involved in its development. If any link in that supply chain is obscured, it becomes difficult to assess with confidence how much risk the application is exposed to. By building a software Bill of Materials (SBOM), a development organization gives the consumers of its software the information they need to understand the risk associated with a particular application and to react accordingly to security breaches and policy violations.


Meeting NIST standards with Black Duck SBOM export utility


Black Duck® is now making it easier for users to secure the software supply chain with an update to its SBOM export utility. The utility now exports Software Package Data Exchange (SPDX) 2.2, recently adopted as ISO standard ISO/IEC 5962:2021, and populates the fields necessary to comply with the NIST standards referenced in Executive Order 14028. This executive order is geared toward providing more transparency between the government and the private sector with respect to software security. One of the steps toward that transparency is requiring vendors to provide SBOMs to the purchasers of their products in a standard, machine-readable format. As defined by NIST, the SPDX format meets these needs.
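To make concrete what "populating the fields necessary to comply" means, the following added example (not Black Duck's export utility or its output) builds a minimal SPDX 2.2 JSON document and checks it against the minimum SBOM elements published by NTIA under Executive Order 14028 (supplier name, component name, version, other unique identifiers, dependency relationships, author of the SBOM data, and timestamp). The mapping of those elements onto SPDX fields is this example's own reading of the two documents, the component list and namespace are constructed, and the tool name is a placeholder.

```python
"""Build a minimal SPDX 2.2 JSON document and check it for the NTIA minimum
SBOM elements. Added example: not Black Duck's SBOM export utility or its
output. Package data, namespace and tool name below are constructed."""
import json
import re
from datetime import datetime, timezone

# SPDX 2.2 writes timestamps as ISO 8601 in UTC with a trailing "Z".
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")

# Constructed component list; purls give each component a unique identifier.
SAMPLE_COMPONENTS = [
    {"name": "json-utils", "version": "2.3.1", "supplier": "Example Libs Ltd",
     "purl": "pkg:maven/org.example/json-utils@2.3.1"},
    {"name": "tls-helper", "version": "0.9.4", "supplier": "Example Crypto Inc",
     "purl": "pkg:npm/%40example/tls-helper@0.9.4"},
]


def build_sbom(app_name, app_version, supplier, components, tool="ExampleSBOMTool-0.1"):
    """Return an SPDX 2.2 document (dict) describing app_name and its components."""
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_id = "SPDXRef-Package-root"
    packages = [{"name": app_name, "SPDXID": root_id, "versionInfo": app_version,
                 "supplier": f"Organization: {supplier}",
                 "downloadLocation": "NOASSERTION", "filesAnalyzed": False}]
    # DESCRIBES ties the document to the top-level package it is about.
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES", "relatedSpdxElement": root_id}]
    for i, c in enumerate(components):
        pkg_id = f"SPDXRef-Package-{i}"
        packages.append({
            "name": c["name"], "SPDXID": pkg_id, "versionInfo": c["version"],
            "supplier": f"Organization: {c['supplier']}",
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": c["purl"]}],
        })
        # DEPENDS_ON records the dependency relationship element.
        relationships.append({"spdxElementId": root_id,
                              "relationshipType": "DEPENDS_ON", "relatedSpdxElement": pkg_id})
    return {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{app_name}-{app_version}",
        # Constructed namespace; a real producer uses a URI it controls.
        "documentNamespace": f"https://sbom.example.invalid/{app_name}/{app_version}",
        # creators = "author of SBOM data"; created = "timestamp".
        "creationInfo": {"created": created,
                         "creators": [f"Tool: {tool}", f"Organization: {supplier}"]},
        "packages": packages,
        "relationships": relationships,
    }


def check_minimum_elements(doc):
    """Return a list of problems; an empty list means every minimum element is present."""
    problems = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        problems.append("author of SBOM data missing (creationInfo.creators)")
    if not ISO_8601_UTC.match(info.get("created", "")):
        problems.append("timestamp missing or not ISO 8601 UTC (creationInfo.created)")
    rels = doc.get("relationships", [])
    described = {r["relatedSpdxElement"] for r in rels
                 if r.get("relationshipType") == "DESCRIBES"}
    # Every package that is not the described root must be reachable through
    # some relationship, otherwise the dependency graph has a hole.
    related = {r.get("relatedSpdxElement") for r in rels}
    known_ids = {p.get("SPDXID") for p in doc.get("packages", [])} | {"SPDXRef-DOCUMENT"}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for field, element in (("name", "component name"), ("versionInfo", "version"),
                               ("supplier", "supplier name")):
            if not pkg.get(field):
                problems.append(f"{pid}: {element} missing ({field})")
        if pid not in described:
            has_purl = any(r.get("referenceType") == "purl" for r in pkg.get("externalRefs", []))
            if not has_purl and not pkg.get("checksums"):
                problems.append(f"{pid}: no unique identifier (purl or checksum)")
            if pid not in related:
                problems.append(f"{pid}: no dependency relationship references it")
    for r in rels:  # dangling references make the graph unverifiable
        for key in ("spdxElementId", "relatedSpdxElement"):
            if r.get(key) not in known_ids:
                problems.append(f"relationship references unknown element {r.get(key)}")
    return problems


if __name__ == "__main__":
    sbom = build_sbom("webapp", "1.4.0", "Example Corp", SAMPLE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_minimum_elements(sbom) or "none")
```

The checker deliberately treats a missing purl or checksum as a defect only for dependency packages, since the root package is identified by the DESCRIBES relationship; a consumer receiving an SBOM can run the same check before trusting it for vulnerability matching.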


Exp ..
