Codenotary has released TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code. Until now, SBOM generation for serverless apps was nearly impossible.
With TrueSBOM, applications self-report their components so that the SBOM always remains up-to-date. That is really the only way to create an SBOM for serverless applications. Otherwise, SBOMs are created as a snapshot in time that shows the list of components when the application is created.
But, because serverless apps are created ‘on-the-fly’ each time they are invoked, the traditional way of creating SBOMs was useless – requiring the SBOM to be maintained every time. The patent-pending Codenotary technology changes all of that.
“The real-time update capability of our TrueSBOM technology makes it possible to generate an SBOM for serverless apps, which previously was almost impossible leaving organizations with a gaping security hole,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary.
“Now, with TrueSBOM it’s possible to generate the list of ingredients that make up the application in real-time adding a new level of security to serverless applications.”, Zimmer continued.
The new TrueSBOM for Severless helps enterprises comply with the U.S. Executive Order on Improving the Nation’s Cybersecurity, which includes maintaining a Software Bill of Materials (SBOM), as well as the SLSA security framework to ensure trust in the software supply chain.
TrueSBOM guarantees that the SBOM for a serverless application is always a true reflection of its components – and that the SBOM is not just a text file that is stored separately from the application, but rather it’s part of the application itself that export on request its own SBOM or list of ingredients.
This is critical for modern applications like serverless that self-update, where relying on an external SBOM generation at build-time would not pick up the new updates.
In addition, TrueSBOM allows the enrichment of the SBOM with vulnerability scanner results or trust and integrity information. TrueSBOM keeps the list of contents in an app up-to-date at all times providing a level of security that was previously near impossible to attain.