Thursday, 9 July 2015
BOMTOTAL.com - Check your Bill of Materials
Bomtotal.com is an initiative created by Codenomicon to provide visibility into the bill of materials of an application. By uploading an executable file to bomtotal.com, you will be provided with a list of the components inside your executable. This shows you not only the third party components but also the versions associated with them.
How to use it?
Simply go to www.bomtotal.com and upload any binary file to the site.
Once uploaded, you will be shown the version of the application, the third party components used and the versions associated with them.
Why do you need the BOM?
In early December 2014, representatives from the US introduced H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014." The legislation will ensure all contractors of software, firmware or products to the federal government provide the procuring agency with a bill of materials of all third party and open source components used, and demonstrate that those component versions have no known vulnerabilities.
This means that the "Cyber Supply Chain Management and Transparency Act of 2014" requires any hardware, software or firmware sold to a federal agency to come with a bill of materials, and vendors must prove that their HW/SW/FW does not use known vulnerable components, or at least uses a less vulnerable version.
The Act. Source: https://www.govtrack.us/congress/bills/113/hr5793/text
Wait a minute! BOM and Vulnerable components?
By default, bomtotal.com does not tell you whether the versions of the components it finds are vulnerable. However, while Codenomicon's AppCheck is designed specifically for this (and gives much, much more in terms of visibility, reports, formats and interface), we can find out manually whether a component is vulnerable based on its version information.
Taking the example of the Citrix application we uploaded to Bomtotal.com, we can see that two components are used. One is OpenSSL, version 0.9.8.
Knowing the version, visit www.cvedetails.com and search for that version of the component.
Select the appropriate link.
And tadaaaa, you can see all the vulnerabilities associated with the component.
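The manual steps above (read the component versions out of a binary, then compare them against known vulnerable version ranges) scripted end to end, as an added example that is not part of the original post and not bomtotal.com's or AppCheck's own code. The sample binary blob, the version-string heuristics and the advisory table are all constructed here and labelled as such; the advisory ids are placeholders to be filled from cvedetails.com.

```python
import re

# Constructed sample "binary": a bytes blob carrying the version strings a
# statically linked OpenSSL and zlib leave in real executables (not a real file).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 0.9.8y 5 Feb 2013\x00" + b"\x90" * 8
    + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler\x00"
)

# Version-string patterns (assumed scanner heuristics, not bomtotal.com's own
# method): OpenSSL's OPENSSL_VERSION_TEXT and zlib's embedded inflate banner.
PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)"),
    "zlib": re.compile(rb"inflate (\d+\.\d+\.\d+) Copyright"),
}

# Constructed advisory table: (first affected, first fixed, identifier).
# Placeholder ids only; fill this from cvedetails.com / NVD for real use.
KNOWN_VULNERABLE = {
    "openssl": [("0.9.8", "0.9.8zh", "CVE-PLACEHOLDER-1")],
    "zlib": [("1.2.0", "1.2.4", "CVE-PLACEHOLDER-2")],
}

def version_key(v):
    """Sort key for OpenSSL-style versions: numbers first, then a letter
    suffix where shorter sorts first (0.9.8 < 0.9.8y < 0.9.8za < 0.9.8zh)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError("unsupported version format: %r" % v)
    suffix = m.group(4)
    return tuple(int(x) for x in m.groups()[:3]) + (len(suffix), suffix)

def extract_bom(blob):
    """Return {component: version} for each version string found in blob."""
    bom = {}
    for name, pat in PATTERNS.items():
        m = pat.search(blob)
        if m:
            bom[name] = m.group(1).decode("ascii")
    return bom

def check_bom(bom):
    """Return (component, version, advisory) for each vulnerable BOM entry."""
    findings = []
    for name, version in bom.items():
        k = version_key(version)
        for lo, hi, advisory in KNOWN_VULNERABLE.get(name, []):
            if version_key(lo) <= k < version_key(hi):
                findings.append((name, version, advisory))
    return findings
```

Run `check_bom(extract_bom(SAMPLE_BINARY))` to get the flagged components; the version ordering handles OpenSSL's letter suffixes, which a plain string comparison gets wrong.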
How does this help organizations?
Having visibility into the BOM is one thing; knowing the vulnerabilities associated with the components is another. As stakeholders of the organization, one gains transparency into the software composition during the initial stages of procurement. It also lets managers understand the risks of an executable even before it is installed in the corporate environment, so that decisions can be made based on the risks involved.
Advantages for Bomtotal.com
It is designed, as its name says, to provide the Bill of Materials of an application, and nothing more than that. Codenomicon's AppCheck provides the BOM and more: it automatically supplies all the versions as well as the vulnerabilities associated with them, visibility of the licenses used in these components, remediation via instant simulation, report generation in multiple formats and many, many more. While the manual way can be done, it is definitely time consuming if one were to upload GBs of data containing hundreds to thousands of third party components. Automation definitely helps a lot in this form of binary analysis through software composition analysis with Codenomicon's AppCheck.
Curious about the power of AppCheck? Check out the link to find out more about it.