All-in-one Solution to Complex SBOM Management and Compliance Issues
A platform that easily manages software supply chain security from SBOM generation to verification and exchange has been launched.
In August 19th, Labrador Labs (CEOs: Jinseok Kim and Heejo Lee) released Labrador SCM, an automated software supply chain management platform.
Labrador Labs has automated a series of processes such as SBOM export, send, receive, and correcting and complementing modifications for all companies involved in the software supply chain with Labrador SCM.
Labrador Labs said that with the product launch, global manufacturing giants and medical device companies have begun to adopt Labrador SCM to respond to global SW supply chain regulations.
■ Global Software Supply Chain Regulations
Hackers have recently been on a cyberattack spree exploiting vulnerabilities in the SW supply chain. In 2020, the United States was hit by a cyberattack that exploited SW vulnerabilities in network management solution SolarWinds products installed in government offices.
Following this incident, the US issued Executive Order 14028 in 2021 to strengthen SW supply chain security. It mandated the submission of SBOMs for SW entering all public sector organizations. The U.S. Food and Drug Administration (FDA) recommended SBOMs for medical devices in 2024. This is a move to minimize cyber threats from SW supply chain vulnerabilities.
This move is not only in the US, but also in other countries such as Europe and Japan. Major industrial equipment manufacturers require SBOM management. In May 2024, the South Korean government released the SW Supply Chain Security Guidelines. The Korean government has established a management system for domestic companies to distribute and share SBOMs smoothly. In addition to strengthening cybersecurity, the government is also focusing on securing a system that allows domestic companies to respond quickly to global regulations.
The SW supply chain is a complex structure, making it difficult for companies to create and respond to SBOMs.
For example, a carmaker supplies infotainment SW from Company A and purchases vehicle-to-vehicle data transmission SW from Company B. The supply chain is complex. A car contains about 100 million lines of SW, which is a combination of code from many suppliers. Automakers must receive and maintain SBOMs from suppliers from the first to nth tier. Suppliers also need to track and share changing SBOMs with their suppliers.
Traditionally, companies create SBOMs and send them via email. In this process, SBOM information is exposed or confused the users by controlling the version information.
■ SBOM Generation and Management All-in-one
Labrador SCM solves SBOM creation and management difficulties among SW partners.
End manufacturers and suppliers exchange their respective standardized SBOMs through Labrador SCM. Companies simply upload their product-specific SBOMs to Labrador SCM, hit share, and the latest SBOMs are automatically delivered to their suppliers. This reduces the risk of confidentiality leaks and simplifies version control.
Labrador SCM connects manufacturers (hub companies) and SW suppliers.
The hub company can manage supplier SBOMs in Labrador SCM as a one-stop shop to increase SW security and respond to SBOM regulatory issues in each country.
Labrador SCM generates SBOMs using hash-encrypted data for source code privacy. SBOMs are checked for integrity and then exchanged securely.
Supports SBOM formats that are easy for users to understand, such as Cyclone-DX, SPDX, NIS-SBOM, and Excel. Easy to identify SW licenses and vulnerability issues and check results.
Labrador SCM can be provided with different licence scopes depending on the characteristics of the company in the SW supply chain.
Smaller SW suppliers (vendors) lack the manpower and resources to create and manage SBOMs. Labrador Labs also offers a Software Configuration Analysis (SCA) solution, a tool to de-risk open source vulnerabilities and licence compliance for suppliers.
Eighty per cent of commercial SW is open source, and products are vulnerable to hacking attacks not only due to licence violations, but also due to unpatched security vulnerabilities. If critical CVE vulnerabilities are not patched, regulatory approvals will be rejected. Using SCA not only increases SW transparency, but also security management.
Suppliers can check SW with SCA and create SBOMs and share them with manufacturers in Labrador SCM.
‘Labrador SCM is a groundbreaking service that not only proactively checks for vulnerabilities in the SW distribution process and complements them with secure SW, but also improves work inefficiencies caused by manual SBOM creation and exchange,’ said Jinseok Kim, CEO of Labrador Labs.
Original article : https://medium.com/@rogern_47413/labrador-labs-has-launched-automated-software-supply-chain-management-platform-labrador-scm-8dd50416645a