Analysis of software bill of materials tools
Abstract
Modern software development has gradually become more complex, leveraging available open-source software and third-party components. This practice has raised questions about the provenance, licensing, versioning and compliance of reused code and its dependencies. Furthermore, it is particularly important to review such code fragments and third-party components for known vulnerabilities before they are included in a software product. A Software Bill of Materials (SBoM) is a mechanism to achieve such an analysis, providing transparency and visibility into a software product to both the software developer and its respective consumer. SBoM lists information and details about all the elements constituting a piece of software and can, therefore, be used to evaluate associated security risk. While the concept of SBoM is growing in popularity, it is still fairly new to many organisations, causing them to potentially struggle with producing and processing SBoM and limiting their widespread adoption. In this work, we delve into the area of SBoM and present state-of-the-art SBoM tools, creating a framework for analysis and categorising them based on a diverse set of features and functionalities. We are the first to provide a detailed analysis of 83 open-source SBoM tools along with a perspective on how potential SBoM users can select a tool based on their specific requirements. Our work aims to help promote understanding of this domain, thereby encouraging and furthering its overall adoption. We additionally seek to pave a path for future work in this area by providing recommendations to tool developers and users, researchers and standardising organisations.
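To make the mechanism described in the abstract concrete, here is an added example (not code from the paper or from any of the 83 tools it surveys) of the consumer side of an SBoM: it parses a minimal document laid out like CycloneDX JSON, then uses the component list to answer the two questions the abstract raises, namely whether any listed component falls in a known-vulnerable version range and whether each component's declared license is acceptable. The CycloneDX field names (bomFormat, components, purl, licenses) are real; the component names, versions, advisory identifiers and license allow-list are constructed for the example and are not real packages or CVEs.

```python
"""Minimal SBoM consumer (illustrative example, not from the paper).

Parses a CycloneDX-style JSON SBoM, then cross-checks its components against
a constructed advisory feed and a license allow-list.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample SBoM using the CycloneDX 1.4 JSON layout.
# Component names, versions and licenses are made up for this example.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application",
                             "name": "example-app", "version": "2.0.0"}},
  "components": [
    {"type": "library", "name": "netlib", "version": "1.4.2",
     "purl": "pkg:pypi/netlib@1.4.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "imgcodec", "version": "0.9.0",
     "purl": "pkg:pypi/imgcodec@0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "jsonfast", "version": "3.1.0",
     "purl": "pkg:pypi/jsonfast@3.1.0"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers (NOT real CVEs).
# Each entry affects versions in [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "pkg:pypi/netlib",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "pkg:pypi/imgcodec",
     "introduced": "0.0.0", "fixed": "0.8.3"},
]

# Constructed organisational license policy (SPDX identifiers).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]
    licenses: tuple  # SPDX ids or names declared in the SBoM


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a comparable tuple; non-numeric parts become 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(text: str) -> list:
    """Extract components from a CycloneDX JSON SBoM; reject other formats."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat: %r" % doc.get("bomFormat"))
    comps = []
    for c in doc.get("components", []):
        licenses = tuple(
            entry["license"].get("id") or entry["license"].get("name", "UNKNOWN")
            for entry in c.get("licenses", []) if "license" in entry
        )
        comps.append(Component(c["name"], c["version"], c.get("purl"), licenses))
    return comps


def purl_base(purl: str) -> str:
    """Strip the '@version' suffix so a purl can be matched against advisories."""
    return purl.split("@", 1)[0]


def find_vulnerable(components: list, advisories: list) -> list:
    """Return (name, version, advisory id) for components in an affected range."""
    hits = []
    for comp in components:
        if not comp.purl:
            continue  # nothing to match on; a real tool would flag this too
        base = purl_base(comp.purl)
        ver = parse_version(comp.version)
        for adv in advisories:
            if adv["package"] != base:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((comp.name, comp.version, adv["id"]))
    return hits


def check_licenses(components: list, allowed: set) -> list:
    """Return (name, reason) for components with missing or disallowed licenses."""
    findings = []
    for comp in components:
        if not comp.licenses:
            findings.append((comp.name, "no license declared"))
        for lic in comp.licenses:
            if lic not in allowed:
                findings.append((comp.name, "license %s not in allow-list" % lic))
    return findings


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM)
    for name, version, adv_id in find_vulnerable(comps, SAMPLE_ADVISORIES):
        print("VULNERABLE  %s %s (%s)" % (name, version, adv_id))
    for name, reason in check_licenses(comps, ALLOWED_LICENSES):
        print("LICENSE     %s: %s" % (name, reason))
```

Run as-is, the script reports netlib 1.4.2 as inside the affected range of EXAMPLE-ADV-0001 and flags imgcodec (license outside the allow-list) and jsonfast (no license declared); imgcodec 0.9.0 is not reported under EXAMPLE-ADV-0002 because it is at or above that advisory's fixed version. The version comparison is deliberately simple; real SBoM tools have to deal with ecosystem-specific version schemes, which is one of the feature dimensions along which the paper compares them.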
The full article is available to subscribers to the journal.
Author's Biography
Arushi Arora is a highly motivated and dedicated PhD student of computer science at Purdue University. As a research assistant under the guidance of Dr Christina Garman, Arushi's work extends beyond academia to National & Homeland Security at Idaho National Laboratory. Arushi's research interests include the intersection of information security, anonymity networks and applied cryptography. Her passion for computer science is evident in her accomplishments, which include receiving the Chancellor's and Vice Chancellor's Gold Medal for academic excellence during her undergraduate studies at Indira Gandhi Delhi Technical University, India, and being awarded the Best Poster Presentation at NDSS’22. Arushi's expertise in the field is further demonstrated by her publications in renowned journals and conferences. She is dedicated to research and is committed to making a difference in the field of information security.
Christina Garman is an assistant professor in the Department of Computer Science at Purdue University. Her research interests focus largely on practical and applied cryptography, namely the design and analysis of real-world cryptographic systems. She aims to make it easier to design and securely deploy new and complex cryptographic systems while preventing insecurities from occurring in such systems. As part of this, her work thus far has been on both building and deploying secure cryptographic systems, as well as analysing existing systems. This includes past work on cryptographic automation and building ‘keyless CDNs’, as well as exploring the weaknesses of RC4 in TLS and discovering flaws in Apple’s iMessage, and her current work focusses on removing the ‘human element’ from the deployment and analysis of cryptographic systems through the use of cryptographic automation and the development of tools. She received an NSF CAREER Award in 2021 and her work has received a best paper award at ACM CCS and has been featured in numerous media, including The Washington Post, The New York Times, Wired and The Economist. She is also one of the co-founders of Zcash, a privacy preserving cryptocurrency based on her work on Zerocash. She received her MS and PhD in computer science from Johns Hopkins University in 2013 and 2017, respectively, and a BS in computer science engineering and a BA in mathematics, with a minor in physics, from Bucknell University in 2011.