Industry’s first Enterprise SBOM Manager solution takes the uncertainty out of SBOM collection, monitoring, and compliance
Fulton, Md. – June 26, 2024 – Sonatype, the end-to-end software supply chain security platform, announced the general availability of Sonatype SBOM Manager, the industry’s first, and only, Enterprise-Class Software Bill of Materials (SBOM) Solution. SBOM Manager brings Sonatype’s best-in-class component scanning and comprehensive open source (OSS) data intelligence together with market-leading SBOM management support to provide development, security, and compliance teams with the tools they need to manage first- and third-party SBOMs.
Following a successful early adopter program, SBOM Manager has quickly been embraced by organizations in highly regulated industries such as financial services, banking, telecommunications, pharmaceutical, and semiconductor, transforming the way they manage SBOMs and their software supply chain security in the face of global regulations.
“We are at a watershed moment where the healthcare ecosystem is becoming increasingly interconnected. With medical devices, there are high risks of vulnerabilities because of different commercial, open source, and off-the-shelf software components being incorporated via third parties,” said Smit Patel, Associate Program Director, DiMe (Digital Medicine Society), a global non-profit and the professional home for digital medicine. “SBOMs are important and now part of overall FDA requirements for compliance, especially in healthcare, which has such a complex software supply chain. Products must be cyber secure and companies need to think about the regulatory strategy as part of their overall business strategy - allowing companies to continue to innovate.”
Global Regulations Require Reliable SBOM Management at Scale
Sonatype SBOM Manager streamlines and automates the requesting, auditing, distributing, and monitoring of an organization’s first and third-party SBOMs. By creating a centralized repository for SBOMs, organizations can easily keep up with emerging software security regulations, including those from the US, EU, FDA and PCI.
United States Executive Order 14028 kicked off a number of SBOM-focused regulatory efforts in the US emphasizing the role of SBOMs in evaluating the security of software. Additionally, the US set criteria via NTIA’s Minimum Elements for SBOMs and NIST’s Secure Software Development Framework (SSDF), and the FDA made an SBOM Mandate for all medical devices. Globally, governments and industry bodies are following suit with their own rules. Notably, the EU's Digital Operational Resilience Act (DORA), Cyber Resilience Act (CRA), and Network and Information Systems Directive (NIS2), and the PCI 4.0 Security Standards, have deadlines for the implementation of SBOM-related security practices.
“The reality of financial ramifications, and in some cases criminal liability for non-compliance with current and new regulations, is driving organizations to adopt SBOMs at a rapid pace,” said Mitchell Johnson, Chief Product Development Officer at Sonatype. “SCA is not enough. To properly adhere to these regulations you need clear visibility into which components are impacted by a vulnerability and remediation tracking across all in-house and third-party applications with that component. This can amount to proactively managing upwards of thousands, if not millions, of SBOMs.”
SBOMs are a crucial first step in software supply chain management. Without SBOMs, it is nearly impossible and incredibly time-consuming to pinpoint and resolve critical vulnerabilities, like Log4j, and malware risks across all software versions and third-party tools. With a single source to manage your SBOMs, you can proactively identify affected software and quickly remediate issues with industry-leading data—not just fast, but smart.
“We have seen first-hand the incredible impact SBOM Manager has had not only on helping companies prepare for emerging regulations, but also to enhance their development productivity and security posture with continuous monitoring and protection throughout the life of an organization's full portfolio of applications,” added Johnson.
The industry’s only enterprise-grade SBOM solution provides a powerful, easy-to-use, cloud-based system of record. Customers have flexible deployment options allowing them to run anywhere via SaaS, self-hosted, or a Sonatype Air-Gapped Environment. With SBOM Manager you can expect:
Audit SBOMs:
- Simplify compliance, identify critical risks, and guide vendor negotiations with third-party software audits through SBOM Manager’s smart and scalable database.
- Search across all SBOMs to find particular components and vulnerabilities and report on application risk across every SBOM in your portfolio based on your organization’s policy.
Distribute SBOMs:
- Meet regulation and compliance standards, and easily prove your software’s security status.
- Embed automated Vulnerability Exploitability eXchange (VEX) information in your SBOMs to add contextual vulnerability information and note cases of non-exploitability.
- Create rules to scale and automate the VEX publication process and export SBOMs in a variety of industry-standard SBOM formats.
Continuously Monitor SBOMs:
- Automatically monitor first-party and third-party SBOMs for new security vulnerability and malware risks, powered by Sonatype’s industry-leading component intelligence.
- Ingest SBOMs from your release pipeline and monitor current and past software versions for vulnerabilities, enabling version control for SBOMs to show how the software has changed over time.
- Search across your applications when new zero-days arise so you can keep your customers informed.
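The three capability groups above (searching a portfolio of SBOMs for a component, honoring embedded VEX statements so non-exploitable findings are not re-raised, and diffing successive versions of an application's SBOM) can be illustrated in plain Python over CycloneDX JSON. The following is an added example written for this page; it is not Sonatype code and does not use the SBOM Manager API. The three SBOMs, the component names, and the `CVE-0000-PLACEHOLDER` identifier are all constructed sample data, and the purl prefix and application names are assumptions chosen for the illustration.

```python
"""Portfolio search, VEX filtering and version diff over CycloneDX 1.5 SBOMs.

Added example (not Sonatype's code). All SBOMs below are constructed samples;
the packages and the vulnerability id are placeholders, not real advisories.
"""
import json
from typing import Dict, List, Set, Tuple

# CycloneDX embeds VEX as vulnerabilities[].analysis.state. These states mean
# the finding is closed out for this application and needs no new action.
NON_ACTIONABLE_STATES = {"not_affected", "false_positive",
                         "resolved", "resolved_with_pedigree"}

LOGGER_120 = "pkg:maven/org.example/logger@1.2.0"   # constructed purl
LOGGER_130 = "pkg:maven/org.example/logger@1.3.0"   # constructed purl
HTTP_400 = "pkg:maven/org.example/httpclient@4.0.0"  # constructed purl
VULN_ID = "CVE-0000-PLACEHOLDER"                     # placeholder, not a real CVE


def _component(purl: str) -> dict:
    """Build a minimal CycloneDX component entry from a purl (sample data)."""
    name_ver = purl.rsplit("/", 1)[1]
    name, version = name_ver.split("@")
    return {"type": "library", "bom-ref": purl, "name": name,
            "version": version, "purl": purl}


def _sbom(app: str, version: str, purls: List[str], vulns: List[dict]) -> str:
    """Serialize a constructed CycloneDX 1.5 JSON SBOM for one application."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application",
                                   "name": app, "version": version}},
        "components": [_component(p) for p in purls],
        "vulnerabilities": vulns,
    })


# Constructed portfolio: three SBOMs as a pipeline would ingest them.
# billing-service carries a VEX "not_affected" statement for the logger CVE;
# portal-web 2.0.0 carries the same finding with no analysis (still in triage);
# portal-web 2.1.0 upgraded the logger and carries no finding.
SAMPLE_SBOMS: List[str] = [
    _sbom("billing-service", "3.1.0", [LOGGER_120], [
        {"id": VULN_ID, "affects": [{"ref": LOGGER_120}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"}}]),
    _sbom("portal-web", "2.0.0", [LOGGER_120, HTTP_400], [
        {"id": VULN_ID, "affects": [{"ref": LOGGER_120}]}]),
    _sbom("portal-web", "2.1.0", [LOGGER_130, HTTP_400], []),
]


def load_sboms(raw: List[str]) -> List[dict]:
    """Parse serialized SBOMs; a real system would read these from storage."""
    return [json.loads(s) for s in raw]


def app_id(sbom: dict) -> str:
    """Identify an SBOM by its subject application as name@version."""
    subject = sbom["metadata"]["component"]
    return f'{subject["name"]}@{subject["version"]}'


def find_component(sboms: List[dict], purl_prefix: str) -> List[Tuple[str, str]]:
    """Portfolio search: (app, purl) for every component matching the prefix.

    A prefix without a version (e.g. '.../logger@') answers the zero-day
    question 'which applications ship this package at all?'.
    """
    hits = [(app_id(s), c["purl"]) for s in sboms
            for c in s.get("components", []) if c.get("purl", "").startswith(purl_prefix)]
    return sorted(hits)


def actionable_findings(sboms: List[dict], vuln_id: str) -> List[Tuple[str, str, str]]:
    """(app, affected ref, VEX state) for vuln_id wherever VEX has not closed it.

    A vulnerability entry with no analysis block is treated as 'in_triage',
    so a missing VEX statement never silently hides a finding.
    """
    out = []
    for sbom in sboms:
        for vuln in sbom.get("vulnerabilities", []):
            if vuln.get("id") != vuln_id:
                continue
            state = vuln.get("analysis", {}).get("state", "in_triage")
            if state in NON_ACTIONABLE_STATES:
                continue
            out.extend((app_id(sbom), aff["ref"], state) for aff in vuln.get("affects", []))
    return sorted(out)


def component_diff(old: dict, new: dict) -> Dict[str, Set[str]]:
    """Version control for SBOMs: which purls were added or removed between releases."""
    old_purls = {c["purl"] for c in old.get("components", []) if "purl" in c}
    new_purls = {c["purl"] for c in new.get("components", []) if "purl" in c}
    return {"added": new_purls - old_purls, "removed": old_purls - new_purls}


if __name__ == "__main__":
    portfolio = load_sboms(SAMPLE_SBOMS)
    print("logger 1.2.x ships in:", find_component(portfolio, "pkg:maven/org.example/logger@1.2"))
    print("still actionable:", actionable_findings(portfolio, VULN_ID))
    print("portal-web 2.0.0 -> 2.1.0:", component_diff(portfolio[1], portfolio[2]))
```

Run as a script it reports that the logger 1.2.0 component is present in two applications, that only portal-web 2.0.0 still has an open finding (the billing-service finding is suppressed by its VEX `not_affected` statement), and that the 2.1.0 release replaced logger 1.2.0 with 1.3.0. The design point is that the VEX filter is applied per application, not per package: the same component can be not_affected in one product and exploitable in another, which is why the analysis travels inside each SBOM rather than in a global allow-list.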
To learn more, visit www.sonatype.com/products/sonatype-sbom-manager.
About Sonatype
Sonatype is the software supply chain security company. We provide the world’s best end-to-end software supply chain security solution, by combining the industry’s only proactive malicious OSS protection, leading dependency management, and enterprise-class SBOM management. This empowers enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers with unmatched open source expertise. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximize efficiencies, and drive powerful software development. More than 2,000 organizations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimize their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.