BlueVoyant adds SBOM to its cyber risk management solution

BlueVoyant has added Software Bill of Materials (SBOM) capabilities to its third-party cyber risk management solution. Customers will now be able to import SBOM data from software vendors. The solution is part of BlueVoyant’s partnership with Manifest.

Joel Molinoff, Global Head of Supply Chain Defence, BlueVoyant (Image Credit: LinkedIn)

Joel Molinoff, global head of Supply Chain Defence at BlueVoyant, said, “Organisations in the private and public sectors are realising that SBOM visibility is a crucial part of a proactive third-party cyber risk management programme.

“By enhancing BlueVoyant’s Supply Chain Defence with Manifest’s SBOM capabilities, our clients are expanding their risk visibility deeper into the software supply chain and ensuring continuous monitoring and remediation of critical threats.”

Why is BlueVoyant adding SBOM to its risk management tools?

According to the Open Source Software Risk Analysis (OSSRA) Report, 85% of applications contain at least one software vulnerability. That is likely to be an underestimate.

The use of open source software has grown significantly over recent years. Developers use it to speed up the creation of corporate software and to reduce the cost of coding. After all, why reinvent the wheel when someone else has already done so?

The problem this creates is that few developers document where the code comes from, whether that is the library, the API or even just the open source project name and version. As a result, unpatched vulnerabilities in the source code go undetected. BlueVoyant is addressing that risk through this partnership with Manifest.

BlueVoyant’s customers can import the SBOM for the commercial software they use and for the software they create. That SBOM can then be compared against known vulnerabilities. This lets them identify what needs patching and determine how urgent that patching is.
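The workflow described above (import an SBOM, compare its components against known vulnerabilities, and rank what needs patching) can be shown in a few dozen lines. The following is an added example written for this article; it is not BlueVoyant’s or Manifest’s code. It parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed with placeholder identifiers rather than real CVEs, and uses the CVSS v3 qualitative bands to assign an urgency. The version comparison is deliberately simplified (numeric segments only); real matching has to respect each package ecosystem’s version rules.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (example data, not a real vendor SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "vendor-portal", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "libxml-parser", "version": "2.9.4", "purl": "pkg:generic/libxml-parser@2.9.4"},
    {"type": "library", "name": "jsonlite", "version": "1.4.0", "purl": "pkg:generic/jsonlite@1.4.0"},
    {"type": "library", "name": "netclient", "version": "0.8.1", "purl": "pkg:generic/netclient@0.8.1"},
    {"type": "library", "name": "mystery-lib", "purl": "pkg:generic/mystery-lib"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs (hypothetical, not real CVE numbers).
# "introduced" is inclusive, "fixed" is exclusive: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "VULN-EXAMPLE-001", "package": "libxml-parser", "introduced": "2.9.0", "fixed": "2.9.5", "cvss": 9.8},
    {"id": "VULN-EXAMPLE-002", "package": "jsonlite", "introduced": "1.0.0", "fixed": "1.4.0", "cvss": 7.5},
    {"id": "VULN-EXAMPLE-003", "package": "netclient", "introduced": "0.8.0", "fixed": "0.8.3", "cvss": 5.3},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a version string to its numeric segments for ordering (simplified, assumption)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed. A component already at the fixed version is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def urgency(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the (name, version) pairs from an SBOM; components without a version are skipped,
    because they cannot be matched against version ranges and need manual follow-up."""
    sbom = json.loads(sbom_json)
    components = []
    for comp in sbom.get("components", []):
        if "version" not in comp:
            continue
        components.append({"name": comp["name"], "version": comp["version"]})
    return components


def match_sbom(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Compare every versioned component against the advisory feed and
    return the matches ordered from most to least urgent."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "id": adv["id"],
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "cvss": adv["cvss"],
                    "urgency": urgency(adv["cvss"]),
                    "fix_version": adv["fixed"],
                })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(f'{finding["urgency"]:<8} {finding["id"]} {finding["component"]} -> upgrade to {finding["fix_version"]}')
```

Two details matter in practice and are handled above: a component that already sits at the advisory’s fixed version (jsonlite 1.4.0) is not reported, and a component that arrives without a version (mystery-lib) is skipped rather than silently treated as safe, which is a common gap in vendor-supplied SBOMs worth flagging back to the vendor.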

BlueVoyant lists four key benefits of using SBOM for third-party risk. They are:

  • Vendor risk management: Automatically solicit SBOMs from vendors, see intuitive risk levels for vendor products, and incorporate them into comprehensive third-party cyber risk management.
  • Smarter vulnerability management: Prioritise vulnerabilities quickly, and triage issues to reduce false positives and avoid unnecessary mitigation work.
  • Open Source Software (OSS) risk management: Create an enterprise-wide inventory of OSS across first- and third-party products, and scan OSS repositories to assess risk before implementing them.
  • Simplified compliance: Easily demonstrate compliance and provide evidence for international regulations and standards such as R155, Executive Order 14028, Section 524B, the European Cyber Resilience Act, and the EU’s NIS2 and DORA.

Enterprise Times: What does this mean?

This is an overdue announcement from BlueVoyant. The lack of visibility into open-source code, APIs and other libraries, and the risk it creates, is well accepted. Other vendors with risk solutions, such as Qualys, already have offerings in this space. Manifest strengthens BlueVoyant’s portfolio, and this will be welcomed by customers.

This will also play well with BlueVoyant’s US government and large enterprise customers. US Executive Order 14028 requires vendors to submit SBOMs as part of any government contract. BlueVoyant’s customers can now take advantage of those SBOMs as part of their risk management programmes.
