SOOS recently announced the launch of its public software bill of materials (SBOM) database, a community resource that will transform open source software security and fortify the software supply chain. Now, for the first time ever, anyone can find and download an SPDX or CycloneDX SBOM for over 54 million packages, at no cost.
This brand-new resource is publicly available for all to access on SOOS’s website.
SOOS was founded with the mission of making open-source security tools accessible and affordable to all developers. SOOS already produces the most efficient and affordable SCA tool on the market, but has doubled down on democratizing open-source security by generating SBOMs on an unprecedented scale.
SBOMs provide a critical accounting of all the components that make up an application. An SBOM is a list of ingredients tied to any known vulnerabilities, along with an accounting of all licenses within the code. Generating SBOMs is a critical step in securing the software supply chain, but because of the cost and inconvenience previously associated with generating them, too many organizations have failed to make this activity a part of their development lifecycle.
“Look across any industry, and there’s an expectation that the components of the product you buy (whether it’s milk from the local dairy or the airbag in your SUV) have been checked to ensure they are not going to harm you,” said Josh Jennings, SOOS’s founder and chief engineer. “But due to lack of affordable and easy-to-use tools, we traditionally haven’t held organizations accountable in this way when it comes to vetting open-source software.
“That has to change. It is far too dangerous to ignore the risks,” Jennings continued. “We realized the fastest way to create this change is to remove the barriers and make SBOMs public, for everyone to use.”
“Widespread adoption of SBOMs continues to be slow, despite the stakes. It’s been more than a year since Log4J, and yet progress has lagged in many areas,” said Katie Norton, senior research analyst, DevOps & DevSecOps at IDC. “This innovative public resource from SOOS helps make open-source security more accessible and can help organizations more effectively execute their SBOM strategy.”
“SOOS’s public SBOM repository is a game-changer, because it enables everyone to have full traceability for open-source components in their software,” said Keith Wiley, president of Medical Aegis, a full lifecycle cybersecurity risk management platform focused on smart medical devices. “By making this resource public, SOOS is really showing the depth of their commitment to the industry as a whole, and specifically all businesses that use custom software solutions.”
The launch of SOOS’s public SBOM database comes on the heels of the release of their Community Edition SCA tool, which provides free software composition analysis to any developer working on open-source projects.