
#SOOCon23: Open Source Tools can Automate SBOM Requirements

In the News

Infosecurity Magazine – by Kevin Poireault


To evolve software supply chain security, organizations should start by using the tools the open source community offers, said Thomas Steenbergen, head of the open source program office (OSPO) at EPAM Systems, during the State of Open Con 23 conference. This includes the production of software bills of materials (SBOMs).

The first occurrence of an SBOM requirement was seen in US President Joe Biden’s May 2021 executive order on Improving the Nation’s Cybersecurity, published in response to the SolarWinds supply chain attacks in late 2020.

Open Source, The Way to Go for SBOMs

While automating SBOM generation is difficult for software provided by vendors, tools exist to produce SBOMs automatically for open source software, which makes up 90% of modern software applications according to Snyk. Steenbergen presented one of them, the Open Source Software Review Toolkit (ORT), during a State of Open Con session.

ORT is an open source software policy automation and orchestration toolkit that Steenbergen and other OSPO representatives started working on back in 2015. It offers scanning tools for software licenses and security (software vulnerabilities, patches…), provides best practices based on company standards and InnerSource (a software development strategy that applies open source practices to proprietary code), and can be used to produce SBOMs.

Read the full article here.
