
OpenSSF Adds Attestations to SBOMs to Validate How Software is Built


The Open Source Security Foundation (OpenSSF) has recently announced SBOMit, a tool designed to bolster Software Bills of Materials (SBOMs) with in-toto attestations. This development, announced under the OpenSSF Security Tooling Working Group, aims to increase transparency and security in the software development process.

Software Bills of Materials (SBOMs) serve as an inventory of the components within a software package. SBOMs can be stored in various formats and optionally verified through signatures. However, ensuring the integrity of the entire software development process remains challenging: there is no guarantee that every process used to generate the software, and the SBOM describing it, was properly executed. SBOMit aims to provide a standardized, SBOM-format-independent method for attesting components with added verification information.

In-toto, short for "integrity and transparency," is a framework designed to provide a verifiable and reproducible mechanism for establishing the integrity of software supply chains. In-toto attestations are a crucial component of this framework: an attestation is a signed record that provides evidence of the steps taken to secure a software supply chain. Together, these attestations allow a verifier to check that each step in the development and deployment process was carried out as intended and without tampering.

SBOMit works by incorporating in-toto attestations into a software build. The resultant SBOMit document references the original SBOM document and includes cryptographically signed metadata about each step in the software’s development and a policy outlining the necessary procedures.

Including in-toto attestations helps mitigate the risk of accidental errors and addresses issues such as humans overlooking essential steps in the development process. Moreover, it enhances security by making it harder for malicious activities to go undetected. SBOMit not only contributes to a more secure environment but also enables organizations to recover securely from compromises and promptly identify and prevent malicious activities.
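To make the checks described above concrete, here is an added example in Go (not SBOMit's or in-toto's own code) of what verifying such a bundle involves: each attestation is bound to the SBOM's digest and signed by the key the policy trusts for that step, and verification fails if a required step is missing, an attestation refers to a different SBOM, or a signature does not check out. The Attestation and Policy types, the step names and the sample SBOM are assumptions for illustration; real in-toto attestations use the framework's own statement and envelope formats rather than this simplified layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestation is a constructed stand-in for an in-toto attestation: step name, SBOM SHA-256 digest, signature over both.
type Attestation struct {
	Step       string
	SBOMDigest [32]byte
	Signature  []byte
}
// Policy stands in for the SBOMit policy: required steps mapped to their trusted signing keys (hypothetical layout).
type Policy map[string]ed25519.PublicKey

// payload is the byte string that is signed: the step name bound to the SBOM digest.
func payload(step string, digest [32]byte) []byte {
	return append([]byte(step+"\n"), digest[:]...)
}

// Attest records that step was performed for exactly this SBOM, signed by the step's key.
func Attest(step string, sbom []byte, key ed25519.PrivateKey) Attestation {
	digest := sha256.Sum256(sbom)
	return Attestation{step, digest, ed25519.Sign(key, payload(step, digest))}
}

// Verify fails on an unknown step, a mismatched SBOM digest, a bad signature, or a required step with no attestation.
func Verify(sbom []byte, atts []Attestation, pol Policy) error {
	digest := sha256.Sum256(sbom)
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := pol[a.Step]
		switch {
		case !ok:
			return fmt.Errorf("step %q is not in the policy", a.Step)
		case a.SBOMDigest != digest:
			return fmt.Errorf("step %q attests a different SBOM", a.Step)
		case !ed25519.Verify(pub, payload(a.Step, a.SBOMDigest), a.Signature):
			return fmt.Errorf("invalid signature on step %q", a.Step)
		}
		seen[a.Step] = true
	}
	for s := range pol {
		if !seen[s] {
			return fmt.Errorf("no attestation for required step %q", s)
		}
	}
	return nil
}
```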

Hosted under the OpenSSF Security Tooling Working Group, the SBOMit project is a collaborative effort within the industry to advance open-source security tools and best practices. Integrating in-toto attestations into SBOMs provides developers with increased assurance of the integrity and authenticity of their software components. The SBOMit specification is available on GitHub, and contributions are welcome.

The roadmap for SBOMit outlines three main thrusts for its development:

Tools and Community Strengthening:

  • Emphasizes neutrality, support, and inclusivity.
  • Milestones include building a diverse community, engaging stakeholders, advancing phases, and achieving sustainability.
  • Evaluation focuses on diverse leadership and significant tooling provider engagement.

Expanding End-User Adoption:

  • Aims for widespread adoption across sectors, collaborating with regulatory bodies.
  • Milestones involve partnerships, early adopter collaboration, integration promotion, and sustainability through community-led enhancements.
  • Evaluation measures success by adoption depth across sectors and securing leading adopters.

Aligning Stakeholders:

  • Aims to address SBOMit inconsistencies through a clear specification.
  • Milestones include drafting the specification, refining through collaboration, achieving international standardization, and transitioning to a self-sustaining model.
  • Evaluation focuses on monitoring specification updates, proposal process efficiency, and maintaining low conformance issues.

The overarching goal is establishing SBOMit as a widely adopted, well-specified standard with a self-sustaining community, ensuring compatibility and security in the software supply chain.
