An SBOM (software bill of materials) can be a powerful tool in helping organizations manage regulatory compliance, software supply chain security, and open source license compliance. It’s also an essential part of doing business with government agencies and other security-minded customers.
But, given the complexity of modern application development, building an effective SBOM program is often easier said than done.
It requires integrating SBOM generation processes into software development workflows and gaining alignment across multiple teams and product lines as well as making a lot of big decisions: Which SBOM formats should you use? How should you host and distribute SBOMs? What tools are best for automation?
Girish Shivanna is the Principal Security Engineer for NGINX at F5, a global leader in application services and security. Girish provides guidance and subject matter expertise to F5’s NGINX engineering teams on a variety of security-related projects.
Girish’s extensive background in cybersecurity and secure software development made him a perfect fit to help lead F5’s SBOM program — and to identify and implement the best tool to automate SBOM creation and management.
In FOSSA, Girish and his colleagues found that ideal solution. FOSSA fits seamlessly into the team’s preferred development workflows and environments, and it saves significant engineering time on what would otherwise be manual tasks.
“It was easy to integrate FOSSA into our CI pipeline to generate SBOMs,” Girish said. “Whether we’re using the FOSSA dashboard or the CLI, we’re able to generate an SBOM. Plus, FOSSA automates everything that can be automated. That’s why we feel it’s a good tool for F5 to utilize.”
Girish Shivanna, Principal Security Engineer, F5
F5 provides solutions for zero trust security, fraud and abuse prevention, modern application delivery, web application and API protection, and more. It serves 85% of the Fortune 500, along with a range of government bodies.
Following the release of the U.S. government’s 2021 executive order on improving the nation’s cybersecurity, which required organizations that sell into the federal government to produce SBOMs, Girish and his colleagues set out to build a best-in-class SBOM program. In addition to fulfilling those regulatory compliance requirements, F5 wanted to make sure its SBOM program strengthened software supply chain security, improved open source vulnerability management initiatives, and satisfied customer requests.
The first steps involved a lot of research and internal conversations. Girish reached out to colleagues across the security and development teams to align on program priorities and logistics. As part of this process, the NGINX team at F5 also analyzed various SBOM standards and frameworks, ultimately deciding to use the SPDX specification (in the .JSON file format).
Once Girish and his colleagues had their SBOM program framework in place, they shifted their focus to finding the right SBOM tooling. After evaluating several options, F5 selected FOSSA.
“FOSSA’s willingness to work with F5, compared to other vendors, was a big factor, as was their turnaround in satisfying and implementing our requirements,” Girish said. “FOSSA’s SBOM service aligned well with our needs.”
The NGINX team at F5 uses FOSSA to automate multiple parts of generating and managing SBOMs.
Girish and his team schedule a nightly job in the main branch of their CI pipeline to generate SBOMs, and FOSSA automatically generates SBOMs for each release.
F5 then distributes SBOMs to customers on an as-needed/as-requested basis.
“We have scheduled jobs in the pipelines that generate the SBOM automatically on a nightly basis, so SBOMs are up to date,” Girish said. “And whenever a release happens, we generate the SBOM, which means every product has an attached SBOM. That way, we are utilizing FOSSA’s tool to generate everything.”
“FOSSA also provides the API and CLI to download the SBOM in an automated way, meaning we don’t have to go and manually do it. With FOSSA, we can also perform container scans and make sure our SBOMs reflect those results. All of that aligns with our pipeline, because we wanted to automate the SBOM generation in our pipeline.”
But generating SBOMs and keeping them up to date is just part of how the team at F5 manages software supply chain risk. They also leverage SBOM insights as part of software supply chain management activities throughout the software development lifecycle.
“We monitor the FOSSA dashboards and take care of any issues, including security and license compliance, that are identified,” Girish said.
Although the concept of maintaining a digital asset inventory isn’t new, SBOMs have only gained widespread adoption in recent years. And, given the nature of its business and the priority it places on software supply chain management initiatives, F5 is further along in its SBOM journey than many companies.
Girish and his team have gained plenty of wisdom along the way, including several helpful pointers for organizations that are in the earlier stages of building an SBOM program.
“First, businesses need to know why they’re generating SBOMs,” Girish said. “What’s the need for their SBOM, and how can the SBOM be generated for your product and customers? Second, when you look at an SBOM, you need to look at the tools that can give you not just first-level dependencies, but also your transitive dependencies.”
“Additionally, since you don’t want to do it in a manual way, you need to make sure you’re automating as much as possible. Then, you’ll also want to decide how to store those generated SBOMs. Another consideration is what kind of SBOM specification you’ll want to use.”
Ultimately, although there are many important considerations for organizations building SBOM programs, Girish recommends businesses prioritize two in particular — and these are boxes that FOSSA checks for F5.
“You need to select a tool that’s easy to use,” Girish said. “But it’s not just that. You also need to see which vendor is willing to work closely with you to make sure your requirements are satisfied.”