Building secure software: Kontent.ai’s adoption of SBOM

Kontent.ai now supports the Software Bill of Materials, which customers can easily obtain. Let’s have a closer look at how we use SBOM to manage and mitigate risks, enhance cybersecurity, and build customer trust by increasing the transparency of our software.

Roman Oravec

Published on Nov 1, 2023

Third-party risk

While the utilization of third-party software components in software development is advantageous in terms of reducing development time and cost, it also comes with a unique set of risks that need careful consideration and management.

The most significant risk associated with these components is security vulnerabilities, as they can contain hidden flaws or weaknesses that, if exploited by malicious actors, can lead to severe security breaches. Furthermore, third-party components come with their own set of licensing terms and conditions, adding another layer of complexity to their usage.

Securing the SDLC with SBOM

To mitigate these risks, we have decided to adopt the Software Bill of Materials (SBOM). It’s a comprehensive inventory of all the components and dependencies that make up our product. It includes information such as the name, version, licenses, hashes, and known vulnerabilities of each component.

SBOM helps us identify and mitigate security risks, comply with licensing obligations, and track changes in our software supply chain. More specifically, we use the CycloneDX format developed by OWASP, which is an open standard that enables interoperability and integration with other tools and platforms. CycloneDX was designed with an emphasis on security use cases while being concise, accurate, and human-readable.

At Kontent.ai, SBOM files are continuously generated and scanned for known vulnerabilities as a part of our secure SDLC. This automated process provides us with great visibility into the third-party components we use and plays a vital role in enhancing cybersecurity by detecting vulnerabilities early. Thanks to the tight cooperation between the security and development teams, we can prevent vulnerable dependencies from making it into production.

Building trust and transparency

Beyond strengthening our application security, SBOM also benefits our relationships with customers. Triaging the vulnerable dependencies allows us to produce Vulnerability Exploitability eXchange (VEX) records.

VEX is a data model that provides detailed information about the exploitability of vulnerabilities in software components. It gives insights into the potential impact of a vulnerability, how easy it is to exploit, and what conditions must be met for successful exploitation. This allows for a more informed and prioritized response to identified vulnerabilities.
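To make the SBOM scanning described above and the VEX triage concrete, here is an added example (not Kontent.ai's own code) that joins a CycloneDX SBOM with a CycloneDX VEX document on the package URL and reports which findings a consumer still has to act on. The SBOM, the VEX statements, the component names and the CVE ids are all constructed placeholders for the example.

```python
import json

# Constructed sample CycloneDX 1.4 SBOM; component names and purls are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
 "components": [
  {"type": "library", "name": "example-parser", "version": "2.1.0",
   "purl": "pkg:npm/example-parser@2.1.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "example-crypto", "version": "0.9.3",
   "purl": "pkg:npm/example-crypto@0.9.3", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
 ]}"""

# Constructed CycloneDX VEX; the CVE ids are placeholders, not real advisories.
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
 "vulnerabilities": [
  {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}],
   "affects": [{"ref": "pkg:npm/example-parser@2.1.0"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                "detail": "The vulnerable function is never called by our code."}},
  {"id": "CVE-0000-0002", "ratings": [{"severity": "critical"}],
   "affects": [{"ref": "pkg:npm/example-crypto@0.9.3"}],
   "analysis": {"state": "exploitable"}}
 ]}"""

# CycloneDX analysis states under which the consumer needs no further action.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def triage(sbom_text: str, vex_text: str) -> list:
    """One row per (component, vulnerability) pair, joined on package URL (purl)."""
    components = {c["purl"]: c for c in json.loads(sbom_text)["components"] if "purl" in c}
    rows = []
    for vuln in json.loads(vex_text).get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")  # no analysis yet = still in triage
        severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        for affected in vuln.get("affects", []):
            comp = components.get(affected["ref"])
            if comp is None:
                continue  # VEX statement about something not in this SBOM
            licenses = [l["license"].get("id", l["license"].get("name"))
                        for l in comp.get("licenses", []) if "license" in l]
            rows.append({"component": f"{comp['name']}@{comp['version']}",
                         "licenses": licenses, "vuln": vuln["id"], "severity": severity,
                         "state": state, "justification": analysis.get("justification"),
                         "needs_action": state not in CLOSED_STATES})
    return rows


def open_findings(sbom_text: str, vex_text: str) -> list:
    """Vulnerability ids the consumer still has to act on after applying the VEX."""
    return [r["vuln"] for r in triage(sbom_text, vex_text) if r["needs_action"]]
```

A finding with no `analysis` block is treated as still in triage, so an incomplete VEX never silently closes a vulnerability.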

We are happy to announce that our existing customers can now obtain our SBOM and VEX on demand. You can use our API to integrate our SBOM and VEX data into your own dashboards, reports, or workflows. If you are interested in this feature, don’t hesitate to contact us at security@kontent.ai.

By sharing those pieces of information, we aim to increase the transparency of our product, as well as provide our customers with insight and assurance about the security of our software.

We expect SBOM and VEX to become part of compliance frameworks soon, in response to severe supply chain attacks and to Executive Order 14028, "Improving the Nation's Cybersecurity," which explicitly calls for the use of SBOM.

As we move forward in an increasingly interconnected digital landscape, the use of SBOM will not only become more prevalent but also more crucial in ensuring software security and compliance. At Kontent.ai, we are proud to be at the forefront of this important shift, continually striving to provide our customers with the most secure, transparent, and trustworthy software solutions.
