Thursday, April 3, 2025

A guide to supply chain security tools

The following is a list of vendors that offer tools to help secure software supply chains, along with a brief description of their offerings.


Featured Provider

HCL Software: HCL AppScan empowers developers, DevOps, and security teams with a suite of technologies to pinpoint application vulnerabilities for quick remediation in every phase of the software development lifecycle. HCL AppScan SCA (Software Composition Analysis) detects open-source packages, versions, licenses, and vulnerabilities, and provides an inventory of all of this data for comprehensive reporting.

See also: Companies still need to work on security fundamentals to win the supply chain security fight

Other Providers

Anchore offers an enterprise version of its Syft open-source software bill of materials (SBOM) project, used to generate and track SBOMs throughout the development lifecycle. It can also continuously identify known and newly disclosed vulnerabilities and security issues.

Aqua Security can help organizations protect all the links in their software supply chains to maintain code integrity and minimize attack surfaces. With Aqua, customers can secure the systems and processes used to build and deliver applications to production, while monitoring the security posture of DevOps tools to ensure that the security controls put in place have not been bypassed.

ArmorCode's Application Security Posture Management (ASPM) Platform helps organizations unify visibility into their CI/CD posture and the components from all of their SBOMs, prioritize supply chain vulnerabilities based on their impact in the environment, and find out whether vulnerability advisories actually affect the system.

Contrast Security: Contrast SCA focuses on real threats from open-source security risks and vulnerabilities in third-party components at runtime. Operating at runtime reduces the false positives often produced by static SCA tools and prioritizes the remediation of vulnerabilities that present actual risk. The software can flag software supply chain risks by identifying potential instances of dependency confusion.

FOSSA provides an accurate and precise report of all code dependencies to unlimited depth, and can generate an SBOM for any prior version of the software, not just the current one. The platform uses multiple methods, beyond analyzing manifest files alone, to produce an audit-grade component inventory.

GitLab helps secure the end-to-end software supply chain (including source, build, dependencies, and released artifacts), create an inventory of the software used (a software bill of materials), and apply mandatory controls. GitLab can help track changes, enforce mandatory controls to protect what goes into production, and ensure adherence to license compliance and regulatory frameworks.

Mend.io: Mend's SCA automatically generates an accurate and comprehensive SBOM of all open source dependencies to help ensure software is secure and compliant. Mend SCA generates a call graph to determine whether application code actually reaches vulnerable functions, so developers can prioritize remediation based on real risk.

Revenera provides ongoing risk assessment for license compliance issues and security threats. The solution can continuously assess risk across a portfolio of software applications and the supply chain. SBOM Insights supports the aggregation, ingestion, and reconciliation of SBOM data from various internal and external data sources, providing the insights needed to manage legal and security risk, deliver compliance artifacts, and secure the software supply chain.

Snyk can help developers understand and manage supply chain security, from enabling secure design to tracking dependencies to fixing vulnerabilities. Snyk provides the visibility, context, and control needed to work alongside developers on reducing application risk.

Sonatype can generate both CycloneDX and SPDX SBOM formats, import them from third-party software, and analyze them to pinpoint components, vulnerabilities, malware, and policy violations. Companies can demonstrate their software's security status easily with SBOM Manager, and share SBOMs and customized reports with customers, regulators, and certification bodies through the vendor portal.

Synopsys creates SBOMs automatically with Synopsys SCA. With the platform, users can import third-party SBOMs and evaluate them for component risk, and generate SPDX and CycloneDX SBOMs containing open source, proprietary, and commercial dependencies.

Veracode Software Composition Analysis can continuously monitor software and its ecosystem to automate finding and remediating open-source vulnerabilities and license compliance risk. Veracode Container Security can prevent exploits against containers before runtime and provide actionable results that help developers remediate effectively.

Open Source Solutions

CycloneDX: The OWASP Foundation's CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Strategic direction of the specification is managed by the CycloneDX Core Working Group. CycloneDX is also backed by the Ecma International Technical Committee 54 (Software & System Transparency).

SPDX is a Linux Foundation open standard for sharing SBOMs and other important AI, data, and security references. It supports a wide range of risk management use cases and is a freely available international open standard (ISO/IEC 5692:2021).

Syft is a powerful and easy-to-use CLI tool and library for generating SBOMs for container images and filesystems. It supports CycloneDX and SPDX output as well as its own JSON format. Syft can be installed and run directly on a developer machine to generate SBOMs for software being developed locally, or it can be pointed at a filesystem.
