Anchore Extension Can Generate SBOMs for Container Apps

Anchore today added an extension to its software supply chain management platform for container-based applications that can automatically generate and continuously update a software bill of materials (SBOM).

Kim Weins, senior vice president of marketing at Anchore, says this extension to the Anchore Enterprise portfolio makes it possible to both identify upstream dependencies in source code repositories and monitor applications for drift that might be an indication of compromise.

Anchore Enterprise 4.0 also makes it possible to automatically generate and analyze SBOMs across the entire software development life cycle, says Weins. That capability is critical because it makes it possible for IT and security professionals to identify the software components being used within a cloud-native application environment, she adds.

Security risks—everything from vulnerabilities and malware to misconfigurations and secrets identified before applications are deployed to zero-day vulnerabilities that are discovered after deployment—become much simpler to remediate, notes Weins.

Anchore Enterprise 4.0 also extends its existing dependency-scanning capabilities to cover source code repositories, in addition to continuous integration/continuous delivery (CI/CD) platforms, registries and Kubernetes clusters. IT teams can generate SBOMs that include both direct and transitive dependencies from source code repositories to pinpoint vulnerabilities and enforce policy rules.

That level of integration makes it possible for Anchore Enterprise 4.0 to track drift as applications are updated, says Weins. Alerts for SBOM changes are then automatically generated based on the policy rules defined by IT and cybersecurity teams to more easily determine if an issue is being caused by developer error or actual malicious activity. IT teams can also tag and group all of the artifacts associated with a particular application, release or service.
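The drift-tracking workflow described above (regenerate the SBOM, diff it against the build-time baseline, and let policy rules decide which changes deserve an alert) is small enough to show end to end. The following is an added example written for this article, not Anchore's own code or API: it compares two constructed SBOM documents in a loosely CycloneDX-shaped layout and applies a hypothetical policy with two rule sets, `pinned` (components whose version must not change outside a release) and `expected_additions` (components an operator has pre-approved to appear at runtime). Component identity is taken from the version-less part of the package URL, so a version bump is reported as a change rather than as a removal plus an addition.

```python
"""SBOM drift detection with a policy layer (added example, not Anchore code).

Two SBOM snapshots of the same application are compared: the baseline
generated at build time and the one regenerated later from the running
container. Each difference is classified by policy so an alert carries a
reason, which is what lets a responder separate ordinary version drift from
an unexpected component appearing after the build.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed sample: SBOM produced from the release build in CI.
BASELINE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:apk/alpine/openssl@3.0.7"},
        {"name": "curl", "version": "7.86.0", "purl": "pkg:apk/alpine/curl@7.86.0"},
        {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    ],
}

# Constructed sample: SBOM regenerated later from the running container.
OBSERVED_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "openssl", "version": "3.0.8", "purl": "pkg:apk/alpine/openssl@3.0.8"},
        {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"name": "colorama", "version": "0.4.6", "purl": "pkg:pypi/colorama@0.4.6"},
        {"name": "bash", "version": "5.2.15", "purl": "pkg:apk/alpine/bash@5.2.15"},
    ],
}

# Hypothetical policy: rule names are this example's own, not a product schema.
POLICY = {
    "pinned": {"pkg:apk/alpine/openssl"},          # must not change outside a release
    "expected_additions": {"pkg:pypi/colorama"},   # pre-approved runtime additions
}


@dataclass(frozen=True)
class Change:
    kind: str             # "added", "removed" or "changed"
    key: str              # version-less purl, or bare name when no purl exists
    old: Optional[str]    # version in the baseline; None when newly added
    new: Optional[str]    # version in the observed SBOM; None when removed
    severity: str         # "info", "warn" or "alert", assigned by policy
    reason: str


def component_key(component: dict) -> str:
    """Identity of a component independent of its version."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return component["name"]


def index_components(sbom: dict) -> Dict[str, str]:
    """Map component identity -> version for every component in the SBOM."""
    return {component_key(c): c.get("version", "") for c in sbom.get("components", [])}


def diff_sboms(baseline: dict, observed: dict) -> List[Change]:
    """Raw drift: what appeared, disappeared or changed version since the baseline."""
    before, after = index_components(baseline), index_components(observed)
    changes: List[Change] = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old is None:
            changes.append(Change("added", key, None, new, "info", "not present in baseline"))
        elif new is None:
            changes.append(Change("removed", key, old, None, "info", "missing from observed SBOM"))
        elif old != new:
            changes.append(Change("changed", key, old, new, "info", "version differs from baseline"))
    return changes


def apply_policy(changes: List[Change], policy: dict) -> List[Change]:
    """Assign a severity and reason to each change according to the policy rules."""
    classified = []
    for c in changes:
        if c.kind == "added" and c.key in policy.get("expected_additions", set()):
            sev, why = "info", "addition pre-approved by policy"
        elif c.kind == "added":
            sev, why = "alert", "unexpected component appeared after build"
        elif c.kind == "removed":
            sev, why = "warn", "component removed since build"
        elif c.key in policy.get("pinned", set()):
            sev, why = "alert", "pinned component changed version outside a release"
        else:
            sev, why = "warn", "version drift since build"
        classified.append(replace(c, severity=sev, reason=why))
    return classified


def detect_drift(baseline: dict, observed: dict, policy: dict) -> List[Change]:
    return apply_policy(diff_sboms(baseline, observed), policy)


def alerts_only(changes: List[Change]) -> List[Change]:
    return [c for c in changes if c.severity == "alert"]


if __name__ == "__main__":
    for c in detect_drift(BASELINE_SBOM, OBSERVED_SBOM, POLICY):
        print(f"[{c.severity}] {c.kind:7} {c.key} {c.old} -> {c.new}: {c.reason}")
```

On the constructed input this yields two alerts (an unapproved package that was not in the build, and a pinned library whose version moved), one warning for the removed component, and an informational entry for the pre-approved addition; the unchanged component produces nothing. In practice the baseline would be the SBOM stored with the release artifact and the observed document would be regenerated on a schedule from the running image.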

While SBOMs have been around for decades, they have not been consistently implemented. In the wake of a series of high-profile security breaches, the Biden administration issued an executive order that, among other things, requires federal agencies to attach an SBOM to all the applications they use as part of an effort to make it simpler to remediate them in the event of a zero-day vulnerability. It’s now only a matter of time before most organizations implement a similar SBOM requirement, notes Weins.

In general, Weins says Anchore is pursuing an API-first approach to SBOMs to reduce the friction that often occurs between developers and the teams that are ultimately held responsible for application security. That approach will make it simpler for organizations to then embrace DevSecOps best practices, she adds.

Given the highly dynamic nature of applications built using containers, any approach to creating SBOMs will require a high degree of automation. Containers are not only frequently added to applications, but they are also frequently ripped and replaced. In some cases, those updates are minor. In other cases, components are added that were not previously present. Whenever a security issue emerges, it can be exceedingly difficult to determine what code is actually running at any given time and on what platform. The only way to really comply with an SBOM mandate is to find a way for the application itself to inform IT teams what code is running when and where.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
