FEATURE ANNOUNCEMENT

New Feature: Continuous Software Bill of Materials (SBOM)

By
Nir Valtman
November 15, 2022

What user pains exist?

Companies increasingly leverage third-party applications and packages to facilitate the design, building, and deployment of technology. This operational value comes with increased security risk, as third-party packages add new attack vectors and increase the risk of exploitable vulnerabilities. This new reality makes the accurate and timely analysis of third-party dependencies core to the security posture of an organization, but proper analysis is complex and hard to scale.

Software Bill of Materials (SBOM) records may be requested by your customers as evidence of your risk posture, and updated NIST guidance as well as Executive Order 14028 (May 2021) have established SBOM artifacts as a recommended best practice, and in some sectors a requirement.

Knowing what risks exist is hard

Each dependency added to an ecosystem introduces both its own vulnerabilities and those of its own third-party dependencies, creating a cascading tree of risk. As that tree grows, working out which vulnerabilities exist and which of them actually leave your ecosystem exposed becomes complicated and time-consuming, all the more so because the set of published vulnerabilities changes daily as new advisories appear. As a result, many organizations monitor dependency risk insufficiently and therefore respond to it ineffectively.

Just listing dependencies is not enough

Actively monitoring and tracking dependencies is hard enough, but when responding to a threat you need more than a list. When a new vulnerability is published, often as a Common Vulnerabilities and Exposures (CVE) record, the speed and effectiveness of your security team's response is critical. Responding well means knowing not only whether the vulnerable package is present, but exactly where (which repositories, which manifests, which installed version) and why (a direct dependency you can bump yourself, or a transitive one pulled in by another package that has to be upgraded or replaced).
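The "where and why" question above comes down to resolving the real dependency graph rather than grepping a manifest. The following is an added example, not Arnica's code: it walks a constructed `package-lock.json` (lockfileVersion 2/3 layout, where every installed package is keyed by its path under `node_modules`), resolves each dependency the way npm does (nearest `node_modules` directory walking upward), and reports every chain from the project root to an affected version of the package named in a constructed advisory. The advisory identifier and package names are made up; a real run would feed it the lock file from the repository and the affected range from the CVE or OSV record.

```python
"""Walk a package-lock.json, resolve the dependency graph, and report every
path from the project root to a package version affected by an advisory.

Added example (not Arnica's code). The lock file and advisory are constructed
for illustration; the advisory identifier is made up.
"""
import json

# Constructed lock file. "web-app" depends directly on parser@3.0.0 and on
# render@1.4.0; render pins an older parser (^2.0.0), which npm nests under
# render's own node_modules directory because the top-level copy conflicts.
LOCKFILE = json.loads(r'''{
  "name": "web-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "web-app", "version": "0.1.0",
         "dependencies": {"parser": "^3.0.0", "render": "^1.4.0"}},
    "node_modules/parser": {"version": "3.0.0"},
    "node_modules/render": {"version": "1.4.0",
                            "dependencies": {"parser": "^2.0.0", "util": "^1.0.0"}},
    "node_modules/render/node_modules/parser": {"version": "2.1.0"},
    "node_modules/util": {"version": "1.2.0"}
  }
}''')

# Constructed advisory (identifier is made up): every parser < 2.2.0 is affected.
ADVISORY = {"id": "EXAMPLE-2022-0001", "package": "parser", "fixed_in": "2.2.0"}


def parse_version(v):
    """'2.1.0' -> (2, 1, 0). Enough for plain semver; pre-release tags not handled."""
    return tuple(int(x) for x in v.split("."))


def resolve(packages, parent_path, name):
    """Find the installed copy of `name` visible from `parent_path`, using
    npm's lookup order: the parent's own node_modules first, then each
    ancestor's node_modules up to the project root."""
    base = parent_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            raise KeyError(f"{name} is not installed anywhere visible from {parent_path!r}")
        # Step up one nesting level; the top-level directory has no "/node_modules/" inside it.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def find_paths(packages, advisory):
    """Depth-first walk from the root; return every chain name@version that
    ends at an affected version of the advisory's package."""
    hits = []
    fixed = parse_version(advisory["fixed_in"])

    def walk(path, chain, seen):
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            version = packages[dep_path]["version"]
            next_chain = chain + [f"{dep}@{version}"]
            if dep == advisory["package"] and parse_version(version) < fixed:
                hits.append(next_chain)
            if dep_path not in seen:  # guard against dependency cycles
                walk(dep_path, next_chain, seen | {dep_path})

    root = packages[""]
    walk("", [f'{root["name"]}@{root["version"]}'], {""})
    return hits


def report(hits, advisory):
    """One line per affected install: direct vs transitive, and the chain that
    pulls it in, which is what decides whether you bump your own manifest or
    chase an upstream package."""
    lines = []
    for chain in hits:
        kind = "direct" if len(chain) == 2 else "transitive"
        lines.append(f'{advisory["id"]}: {chain[-1]} ({kind}) via '
                     f'{" -> ".join(chain)}; fixed in {advisory["fixed_in"]}')
    return lines


if __name__ == "__main__":
    for line in report(find_paths(LOCKFILE["packages"], ADVISORY), ADVISORY):
        print(line)
```

Note that a manifest-level check would report `parser@3.0.0` and conclude the project is clean; only resolving the nested copy under `render` shows the affected `parser@2.1.0`, and only the chain tells you that the fix is an upgrade of `render` (or an override), not of your own `parser` pin.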

[Image: Software Bill of Materials (SBOM) in Arnica]

What we built!

Arnica simplifies the process of analyzing third-party risk and generating documentation for dependencies by providing continuous analysis of vulnerabilities and a dynamic inventory of your dependencies and their risks. Arnica also provides exportable SBOM records for audits and customer requests.

Arnica’s approach to third-party risk is active and thorough: it maps your dependencies automatically each day and builds an inventory that shows each dependency, every asset that uses it, and the installed version of the third-party package. Most importantly, Arnica checks every CVE associated with your dependencies and records each vulnerability, rating its severity from low to critical and recording the patched version along with documentation for the vulnerability.

This inventory view is completely dynamic, allowing you to filter to the most critical vulnerabilities, and even to search for a specific third-party dependency or known vulnerability to see exactly which of your assets are at risk. Additionally, Arnica presents the OpenSSF Scorecard for each dependency to give more context on the risk of each library you depend on.

Exportable SBOM reports are available directly from Arnica and produce up-to-date SBOM records based on your most recent scan, covering the dependencies of all integrated source-control organizations.
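For readers who have not handled an SBOM record before, the following added example (not Arnica's export code) shows the shape of a minimal CycloneDX 1.4 JSON document built from a constructed dependency inventory: one component per installed package version, a Package URL (purl) as the stable identifier, and a `dependencies` section that keeps the graph, so an auditor can ask "do we ship this package, and what pulls it in?" from the document alone. The inventory, package names and root application are constructed; the field set is the subset of CycloneDX needed for components plus the dependency graph.

```python
"""Emit a minimal CycloneDX 1.4 JSON SBOM from a dependency inventory and
answer the audit question "what pulls package X in?" from the document.

Added example (not Arnica's export code). The inventory is constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory as a scanner would record it for one repository:
# (name, installed version, direct dependencies as name@version).
ROOT = ("web-app", "0.1.0")
ROOT_DEPS = ["parser@3.0.0", "render@1.4.0"]
INVENTORY = [
    ("parser", "3.0.0", []),
    ("render", "1.4.0", ["parser@2.1.0", "util@1.2.0"]),
    ("parser", "2.1.0", []),  # second, nested copy of parser pulled in by render
    ("util", "1.2.0", []),
]


def purl(name, version):
    """Package URL for an npm package; the ecosystem prefix is what lets an
    SBOM consumer match components against vulnerability databases."""
    return f"pkg:npm/{name}@{version}"


def purl_of(spec):
    # rsplit so a scoped name such as @scope/name@1.0.0 still splits on the last "@"
    name, version = spec.rsplit("@", 1)
    return purl(name, version)


def build_sbom(root, root_deps, inventory):
    """Return a CycloneDX 1.4 document as a dict (json.dumps it to export).
    bom-ref is set to the purl so the dependency graph can reference
    components by the same identifier a vulnerability feed would use."""
    root_ref = purl(*root)
    components = []
    dependencies = [{"ref": root_ref, "dependsOn": [purl_of(d) for d in root_deps]}]
    for name, version, deps in inventory:
        ref = purl(name, version)
        components.append({"type": "library", "bom-ref": ref,
                           "name": name, "version": version, "purl": ref})
        dependencies.append({"ref": ref, "dependsOn": [purl_of(d) for d in deps]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": root[0], "version": root[1]},
        },
        "components": components,
        "dependencies": dependencies,
    }


def find_refs(sbom, name):
    """Map every shipped version of `name` to the components that depend on
    it, using only the SBOM itself. This is the customer-side check an SBOM
    exists to make possible when a new advisory names a package."""
    refs = [c["bom-ref"] for c in sbom["components"] if c["name"] == name]
    return {r: [d["ref"] for d in sbom["dependencies"] if r in d["dependsOn"]]
            for r in refs}


if __name__ == "__main__":
    sbom = build_sbom(ROOT, ROOT_DEPS, INVENTORY)
    print(json.dumps(sbom, indent=2))
    print(find_refs(sbom, "parser"))
```

The point of keeping `dependencies` in the export, rather than a flat component list, is visible in `find_refs`: the two `parser` versions resolve to different parents, so a recipient can tell that the vulnerable nested copy comes from `render` without access to your repository.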

Reduce Risk and Accelerate Velocity

Integrate Arnica ChatOps with your development workflow to eliminate risks before they ever reach production.  

Try Arnica