Rezilion launches Dynamic SBOM for software supply chain devsecops
With the goal of helping organizations manage security across the software development lifecycle (SDLC), the developer of the Rezilion devsecops platform has launched Dynamic SBOM (software bill of materials), an application that connects to an organization’s software environment to examine how its various components behave at runtime and to reveal bugs and vulnerabilities.
“Rapid digital transformation has created a situation where the attack surface of software for any organization is constantly changing,” says Liran Tancman, co-founder and CEO of Rezilion. “We need to think of more holistic and fluid ways to manage software vulnerabilities. With the introduction of our Dynamic SBOM, this is Rezilion’s first step in a series of product announcements that we’re preparing for late summer to offer to customers exactly that kind of solution.”
How dynamic and static SBOMs differ
A static SBOM can be defined as a list of all open source and third-party components present in a software code base. SBOMs also include versions of the components used, the licenses that govern those components, and their patch status. The goal of SBOMs is to help security teams better assess the risks associated with software components.
A static SBOM supports a one-time, point-in-time analysis, as opposed to the continuous, always-on design of a dynamic SBOM. A dynamic SBOM, in addition to listing the components present in a software environment, reveals which of them are actually executed at runtime and details the many dependencies they carry.
“Unlike static SBOMs, a dynamic SBOM reveals if and how software components run at runtime, providing organizations with a solution to understand not only where there are bugs, but also whether or not attackers can exploit them,” says Tancman.
In addition, Tancman adds, while a static SBOM traditionally offers an inventory of a single type of software component, Rezilion’s Dynamic SBOM covers all software components in both development and production.
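The static-versus-dynamic distinction described above, as an added illustration that is not Rezilion’s code or the article’s own: a constructed CycloneDX-style SBOM fragment is joined with a constructed list of library files a process actually loaded and a constructed advisory map, so that vulnerable components that never executed can be separated from those that did. Component names, paths and the advisory identifiers are all assumed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not from any real product).
STATIC_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"name": "jackson-databind", "version": "2.13.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.3"},
  {"name": "commons-text", "version": "1.9", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"}
 ]}
""")

# Constructed runtime observation: library files a running process loaded.
RUNTIME_LOADED = [
    "/app/lib/jackson-databind-2.13.3.jar",
    "/app/lib/commons-text-1.9.jar",
]

# Constructed advisory map: purl -> placeholder advisory id (no real CVE numbers).
KNOWN_VULNERABLE = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": "ADVISORY-PLACEHOLDER-1",
    "pkg:maven/org.apache.commons/commons-text@1.9": "ADVISORY-PLACEHOLDER-2",
}


def build_dynamic_view(sbom, loaded_paths, vuln_feed):
    """Annotate each static SBOM component with runtime and advisory state.
    Matching here is by 'name-version' substring in the loaded file name;
    production tooling would match on file hashes, not names."""
    view = []
    for comp in sbom["components"]:
        tag = f"{comp['name']}-{comp['version']}"
        loaded = any(tag in path for path in loaded_paths)
        view.append({
            "purl": comp["purl"],
            "loaded_at_runtime": loaded,
            "advisory": vuln_feed.get(comp["purl"]),
        })
    return view


def exploitable_candidates(view):
    """Vulnerable components that actually executed: first priority for remediation."""
    return sorted(c["purl"] for c in view if c["advisory"] and c["loaded_at_runtime"])


def dormant_vulnerable(view):
    """Vulnerable components shipped in the build but never loaded at runtime."""
    return sorted(c["purl"] for c in view if c["advisory"] and not c["loaded_at_runtime"])
```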
SBOM mapping software environment
Rezilion’s SBOM is deployed as a connector to the company’s existing devops tools and cloud infrastructure. Rezilion’s core technology then performs reverse engineering and maps the customer’s software environment, dynamically tracking the use, provenance, behavior, and exposure of each component in detail, and then mapping execution at runtime to improve visibility of the attack surface.
Dynamic SBOM is a relatively new concept that builds on the popularity of SBOMs in software supply chain security management. Tancman says he is unaware of other dynamic SBOMs similar to Rezilion’s, though he acknowledges that companies like Anchore and Fossa also offer SBOMs.
Anchore, for example, recently released Anchore Enterprise 4.0, designed to identify dependencies in source code repositories and monitor software development for SBOM “drift” that may include malware or compromised software.
In addition, Deepfence has released ThreatMapper 1.3.0, a new version of its open source threat intelligence platform, which includes runtime SBOM monitoring.
How the Rezilion SBOM is distinguished
Rezilion claims to differentiate its SBOM with a number of features covering bug identification and remediation, vulnerability scanning, deployment across the production cycle, and results reporting. Capabilities include:
- Dynamic Inventory: Continuous monitoring and management of the software environment as changes are made;
- Full Stack: Scans software development and production components, local and cloud, hosts, containers, and IoT devices;
- Dynamic Search: Finds and identifies vulnerable components between files, hosts, containers, and applications;
- Exportable formats (premium version): share results with customers as a formal VEX (Vulnerability Exploitability eXchange) or CycloneDX document.
Copyright © 2022 IDG Communications, Inc.