Plus SBOM: assembly line BOM pbom
2022-07-27 12:17:00 [51CTO]
You are probably already familiar with the software bill of materials (SBOM): the list of all software components, open source or commercial, used to build a software solution. But an SBOM does not include the microservices and other components used to deploy the software. For a more complete picture of what is actually in use, we need a pipeline bill of materials, or PBOM (Pipeline Bill of Materials), which lists all the software components and services used to take an application from code to delivery.
Why is a PBOM necessary?
Software security depends not only on the source code, but on everything integrated into the software delivery pipeline: build tools, image registries and IaC (Infrastructure as Code) deployment. The number of libraries and components used by a typical application keeps growing; the data cited by the article show that the average application uses more than 500 open source libraries and components, up 77% from two years earlier.
A traditional SBOM can prevent the corresponding class of security problems by analyzing dependencies. But because an SBOM does not cover every component used across the whole development and deployment pipeline, there is a blind spot when reviewing which components are in use. That blind spot can carry serious security risk and gives attackers an opening. In the SolarWinds incident, the TeamCity CI/CD build service was used as the attack vector, and an SBOM provided none of the key information needed to prevent that kind of attack.
To guard against threats and risks arising from build tools, image registries and the other components of the pipeline, we need to know exactly what we are using, including the components of the software delivery pipeline itself. When creating a PBOM, remember to include everything the SBOM already contains, and add complete information about the deployment pipeline.
What are the benefits of a PBOM?
1. Improved visibility
A PBOM gives complete visibility into the deployment pipeline, so DevOps, security and engineering teams can build a more comprehensive asset inventory. Keeping a reference to every component in the pipeline helps each team keep a tighter grip on security throughout the process.
2. Preventing security threats through contingency plans
A PBOM helps teams understand how all parts of the pipeline interact, so they can make the right business decisions and put contingency plans in place in response to security threats. This improves threat modeling, makes a zero trust architecture possible, and advances the DevOps "shift security left" initiative.
3. Faster problem resolution
A PBOM provides a more complete component list, including code owners, commit history and the people responsible for each part. With that context, alerts can be routed precisely instead of notifying every team member whenever a problem occurs. As false positives decrease, development and operations teams see more accurate alerts and resolve problems faster.
What does a PBOM need to include?
From the above we know what information a PBOM should yield, which determines what it must cover. Note that when building a PBOM you must not leave out any component already included in the SBOM. Beyond that, organizations should record information about their build and deployment tools in the PBOM. DevOps teams can use what the PBOM provides to mitigate vulnerabilities and risks in the software supply chain effectively.
Developers, code owners and administrators with system access are the part an SBOM most often overlooks, and these accounts usually hold elevated privileges. To maximize security and follow the principle of least privilege, access control should be role-based to a reasonable degree. An organization should first audit every account that currently has system access. The audit results then serve as a baseline for securing user permissions later, and the scope of what each developer, code owner and administrator with system access can reach should be summarized into the PBOM as well.
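To make the preceding two sections concrete, here is an added example (not code from the original article or from any PBOM tool) of a minimal PBOM that wraps an SBOM's components together with the pipeline tools and the accounts that can touch the pipeline, plus an audit that flags the two blind spots described above: pipeline tools with no pinned version or digest, and accounts whose scopes exceed their role. The SBOM, pipeline inventory, account list and role policy are all constructed for the example, and the field names are a hypothetical schema, not a standard.

```python
# Added example (not from the original article): a minimal PBOM data model
# built from an SBOM plus pipeline and access inventories, with an audit.
# All sample data and the role policy below are constructed and hypothetical.
import json

# Constructed sample SBOM (CycloneDX-style subset). Component names are illustrative.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
}

# Constructed pipeline inventory: everything between a commit and a deployment.
# "version" is None where the team never pinned the tool (the gap the audit catches).
SAMPLE_PIPELINE = [
    {"stage": "build", "name": "teamcity-agent", "version": "2022.04", "owner": "platform-team"},
    {"stage": "registry", "name": "registry.example.internal", "version": None, "owner": "platform-team"},
    {"stage": "deploy", "name": "terraform", "version": "1.2.5", "owner": "sre-team"},
]

# Constructed access inventory: who can touch the pipeline and with which scopes.
SAMPLE_ACCESS = [
    {"account": "alice", "role": "developer", "scopes": ["repo:read", "repo:write"]},
    {"account": "ci-bot", "role": "service", "scopes": ["repo:read", "registry:push"]},
    {"account": "bob", "role": "developer",
     "scopes": ["repo:read", "repo:write", "registry:push", "deploy:prod"]},
]

# Hypothetical least-privilege policy: the maximum scopes each role may hold.
ROLE_MAX_SCOPES = {
    "developer": {"repo:read", "repo:write"},
    "service": {"repo:read", "registry:push"},
    "admin": {"repo:read", "repo:write", "registry:push", "deploy:prod"},
}


def build_pbom(sbom, pipeline, access):
    """Assemble a PBOM: the SBOM's components plus pipeline tools and accounts."""
    return {
        "sbom": {"bomFormat": sbom["bomFormat"], "specVersion": sbom["specVersion"]},
        "software": list(sbom["components"]),
        "pipeline": list(pipeline),
        "access": list(access),
    }


def audit_pbom(pbom, policy=ROLE_MAX_SCOPES):
    """Return human-readable findings; an empty list means the PBOM passed."""
    findings = []
    for tool in pbom["pipeline"]:
        # A pipeline tool without a pinned version or digest cannot be matched
        # against an advisory, which is exactly the SBOM-only blind spot.
        if not tool.get("version"):
            findings.append(f"pipeline:{tool['name']}: no pinned version or digest")
        if not tool.get("owner"):
            findings.append(f"pipeline:{tool['name']}: no owner recorded")
    for acct in pbom["access"]:
        # Any scope outside the role's maximum is a least-privilege violation.
        allowed = policy.get(acct["role"], set())
        excess = sorted(set(acct["scopes"]) - allowed)
        if excess:
            findings.append(
                f"access:{acct['account']}: scopes beyond role '{acct['role']}': "
                + ", ".join(excess)
            )
    return findings


def locate(pbom, name):
    """Answer "where is X and who owns it?" across both the software and the
    pipeline sections, the query a responder runs when an advisory names a
    build tool rather than a library. Returns None if the name is unknown."""
    for comp in pbom["software"]:
        if comp["name"] == name:
            return {"section": "software", "version": comp.get("version"), "owner": None}
    for tool in pbom["pipeline"]:
        if tool["name"] == name:
            return {"section": "pipeline", "version": tool.get("version"), "owner": tool.get("owner")}
    return None


if __name__ == "__main__":
    pbom = build_pbom(SAMPLE_SBOM, SAMPLE_PIPELINE, SAMPLE_ACCESS)
    print(json.dumps(pbom, indent=2))
    for finding in audit_pbom(pbom):
        print("FINDING:", finding)
    print(locate(pbom, "teamcity-agent"))
```

On the sample data the audit reports the unpinned registry and the developer account holding a production deploy scope, and `locate` resolves the build agent to its owning team, which is the lookup an SBOM alone cannot answer. In practice the pipeline inventory would be generated from the CI configuration and the access inventory exported from the identity provider, and the audit run on every change to either.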