
Amid supply chain attacks, emerging vendor rethinks SBOM

Early adopters such as Swisscom have used startup Codenotary’s notarization system to establish and track the provenance of software artifacts in pipelines and production.

A small vendor’s SBOM management tool has turned heads at big companies as software supply chain attacks increase in number and severity.

Codenotary, founded in 2018, occupies a growing niche at the frontier of Software Bill of Materials (SBOM) use: how to store, track, analyze and act on SBOMs, not just how to generate them. Codenotary has raised $24 million in series A and B funding so far, and its website lists Motorola, Morgan Stanley and Siemens among its customers.

Codenotary isn’t alone in tackling this problem. Other vendors such as Anchore, Chainguard, Endor Labs, Rezilion and Scribe also offer SBOM management features. But while many tools that attest to the provenance of software components within a supply chain use digital certificates to sign code, Codenotary’s founders are critical of that approach. The company’s Trustcenter product uses a blockchain ledger-based notarization system instead.

“Most software publishers … obtain one or two certificates and sign all their products, across all geographic [regions], across all platforms,” read a Codenotary company blog post. “The result is less than a handful of certificates for dozens, if not hundreds, of digital assets.”


Codenotary claims its approach allows more granular signing than certificate-based code signing: a separate signature for each version, regional deployment, customer environment or platform, and correspondingly granular revocation, so that withdrawing trust from one artifact does not invalidate everything signed with the same certificate.

“Our largest customer has 4 billion artifacts -- 25,000 developers doing 40,000 builds per day with an average of 2,500 artifacts per build,” said CEO and co-founder Moshe Bar in an interview. “Every one of them is signed, authenticated and tracked in an immutable database.”

Swisscom DevSecOps made early use of SBOM management

Codenotary’s immutable database and ledger for notarizations persuaded a DevSecOps team at telecom Swisscom to test Codenotary’s software more than two years ago, said Mirco Leimgruber, former DevOps engineer at Swisscom from 2015 until March 2023 and co-founder and CTO at Essentx AG.

“It's way easier to handle multiple signers,” he said. “And you can set a policy that the CISO has to sign [an artifact] or that you can use it in production only if the CISO has set the trust level high enough.”


Trustcenter’s database, built on immudb, an open source immutable database Codenotary created, was also a selling point for Swisscom, Leimgruber said.

“You can have all your [decisions] and definitions land in the ledger … and that gives you an unchangeable history,” he said. “Therefore you know why you did what in the past and can explain in case of an issue.”

The database can be used for forensic analysis of SBOM data or to locate every artifact that contains a vulnerable component, such as an affected Log4j version. Leimgruber said his team at Swisscom did this after it deployed Trustcenter Enterprise in production about 18 months ago.

Trustcenter performs runtime scans of software components post-deployment and generates alerts when high-risk untrusted components appear. Trustcenter can ingest third-party SBOMs in the CycloneDX or Software Package Data Exchange (SPDX) formats, along with data and events from security log monitoring tools such as Elastic, Splunk and Microsoft Sentinel.

TrueSBOM, another component of Codenotary’s software suite rolled out in November 2022, can scan existing software and generate an SBOM for it, including serverless functions and WebAssembly apps. Trustcenter can detect which software components are loaded by apps at runtime and notify DevOps teams if unauthorized or undocumented artifacts are used.

“It helped us force everyone to use [an approved] process and to do it in an automated manner, because there’s no way to do [notarization] manually,” Leimgruber said. “If someone pushed something which was not notarized, it pops up an alert, and we could ask, ‘Hey, why have you added this project without going through the process of integrating it into a CI/CD pipeline?’”
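As an added illustration (not Codenotary’s code and not the immudb API), the following Python models what Leimgruber describes above: each artifact is notarized as an entry in an append-only, hash-chained ledger that records the signer and a trust level; a deploy-time policy requires the CISO’s latest verdict on that artifact to be at least "trusted"; anything observed running that has no ledger entry raises an alert; and appending an "untrusted" entry revokes trust for that one artifact while the earlier verdicts stay in the history. The trust levels, signer names, component lists and artifact bytes are constructed assumptions.

```python
"""Toy model of ledger-based artifact notarization with deploy-time policy checks.
Added example, not Codenotary's implementation; all names and data are hypothetical."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

# Hypothetical trust levels, ordered from lowest to highest.
TRUST_RANK = {"untrusted": 0, "unknown": 1, "trusted": 2}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Notarization:
    artifact: str      # sha256 of the artifact bytes
    name: str          # human-readable label, e.g. "payments-svc:1.4.2"
    signer: str        # who notarized it, e.g. "dev" or "ciso"
    trust: str         # one of TRUST_RANK
    components: tuple  # SBOM-style "name@version" strings (constructed)
    prev: str          # digest of the previous entry, "" for the first
    digest: str        # sha256 over the fields above; links the chain


class Ledger:
    """Append-only, hash-chained list of notarizations (stand-in for an immutable DB)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(fields: dict) -> str:
        body = {k: v for k, v in fields.items() if k != "digest"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def notarize(self, content: bytes, name: str, signer: str, trust: str, components=()):
        if trust not in TRUST_RANK:
            raise ValueError(f"unknown trust level {trust!r}")
        prev = self.entries[-1].digest if self.entries else ""
        fields = dict(artifact=sha256_hex(content), name=name, signer=signer,
                      trust=trust, components=tuple(components), prev=prev)
        entry = Notarization(**fields, digest=self._digest(fields))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every digest and back-link; any edited entry breaks the chain."""
        prev = ""
        for e in self.entries:
            if e.prev != prev or self._digest(asdict(e)) != e.digest:
                return False
            prev = e.digest
        return True

    def latest(self, artifact_hash: str):
        """Most recent entry for an artifact; None if it was never notarized."""
        return next((e for e in reversed(self.entries) if e.artifact == artifact_hash), None)

    def signers(self, artifact_hash: str) -> dict:
        """Latest trust level per signer for one artifact (later entries supersede earlier)."""
        out = {}
        for e in self.entries:
            if e.artifact == artifact_hash:
                out[e.signer] = e.trust
        return out

    def find_component(self, needle: str) -> list:
        """Names of notarized artifacts whose SBOM lists a component starting with needle."""
        return sorted({e.name for e in self.entries
                       if any(c.startswith(needle) for c in e.components)})


def deploy_decision(ledger: Ledger, content: bytes, required_signer="ciso", min_trust="trusted"):
    """Policy: artifact must be notarized and required_signer's latest verdict >= min_trust."""
    h = sha256_hex(content)
    if ledger.latest(h) is None:
        return False, "not notarized"
    level = ledger.signers(h).get(required_signer)
    if level is None:
        return False, f"missing notarization by {required_signer}"
    if TRUST_RANK[level] < TRUST_RANK[min_trust]:
        return False, f"{required_signer} trust level is {level}"
    return True, "ok"


def runtime_alerts(ledger: Ledger, observed: dict) -> list:
    """observed maps name -> bytes of what is actually running; returns the un-notarized ones."""
    return [n for n, b in observed.items() if ledger.latest(sha256_hex(b)) is None]


def tampered_copy(ledger: Ledger) -> Ledger:
    """Simulate an after-the-fact edit of the first entry's trust level (digest left as-is)."""
    copy = Ledger()
    copy.entries = list(ledger.entries)
    copy.entries[0] = replace(copy.entries[0], trust="trusted")
    return copy


def demo() -> dict:
    led = Ledger()
    payments = b"payments-svc 1.4.2 binary (constructed)"
    legacy = b"legacy-tool 0.9 binary (constructed)"
    rogue = b"binary copied in by hand, never went through CI (constructed)"
    led.notarize(payments, "payments-svc:1.4.2", "dev", "unknown",
                 ["spring-core@5.3.20", "log4j-core@2.14.1"])
    led.notarize(payments, "payments-svc:1.4.2", "ciso", "trusted")
    led.notarize(legacy, "legacy-tool:0.9", "dev", "trusted", ["libfoo@1.0"])
    results = {
        "payments": deploy_decision(led, payments),
        "legacy": deploy_decision(led, legacy),
        "rogue": deploy_decision(led, rogue),
        "log4j": led.find_component("log4j-core@2.14"),
        "alerts": runtime_alerts(led, {"payments": payments, "rogue": rogue}),
        "tamper_detected": not tampered_copy(led).verify_chain(),
    }
    # Granular revocation: the CISO withdraws trust from this one build only.
    led.notarize(payments, "payments-svc:1.4.2", "ciso", "untrusted")
    results["payments_after_revoke"] = deploy_decision(led, payments)
    results["chain_ok"] = led.verify_chain()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the chain is that a ledger entry is never edited or deleted: revocation is one more append, which is why the history of who trusted what, and when, survives for the kind of after-the-fact investigation Leimgruber describes.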

An April Trustcenter update added support for vulnerability data and a feature that records per-artifact exploitability assessments using the Vulnerability Exploitability eXchange (VEX) standard, so that a listed CVE can be marked as not affecting a given build. This week, Codenotary launched a free preview of SBOMcenter, a centralized store for sharing SBOM data.

Defeating supply chain attacks requires more than tools

As Codenotary and competitors tout software supply chain security tools, a fresh wave of paranoia about supply chain security hit the industry this week with an update about a breach at unified communications vendor 3CX -- now the first known supply chain attack based on another supply chain attack. This followed a similar high-profile supply chain breach at password management company LastPass in February. Meanwhile, vulnerabilities introduced by a supply chain attack on SolarWinds and the Log4j vulnerability remain actively exploited in the wild.

Recent market research shows that supply chain attacks are increasing beyond a few high-profile vulnerabilities and incidents. An overwhelming majority -- 88% -- of 1,500 CISOs, application security managers and developers surveyed last year by application security vendor Checkmarx reported at least one breach in the last 12 months as a direct result of a vulnerable application they developed. Forty-one percent of application security managers also reported that open source software supply chain attacks were the cause of these breaches.

A forthcoming IDC DevSecOps survey also found a general increase in supply chain attacks among respondents.


“Significantly more organizations indicated they experience a security breach in 2023 (by 21.1 percentage points),” said IDC analyst Katie Norton in an email. “While security misconfigurations and sensitive data exposure were the top types, there were notable increases in software supply chain attacks (16.4 percentage points), using open source with known vulnerabilities (11.8%), and cross-site scripting (11.2%).”

Codenotary joins a host of vendors and open source projects that broadly address software supply chain security issues, Norton said, including open source projects such as Tekton Chains and products in development at Cisco. Another SBOM management competitor, RKVST, also uses a blockchain ledger to manage SBOM data.

But the use of SBOMs is at a nascent stage in the industry. For now, software supply chain security is a problem that requires a broad range of disparate tools to manage effectively, Norton said.

“For most organizations, supply chain security is a game of whack-a-mole,” Norton said. “The market of tooling supporting securing the software supply chain is still maturing. There are a lot of point solutions. We will eventually see consolidation like we have in DevOps and DevSecOps.”

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
