TrueSBOM for Serverless Applications

Codenotary released TrueSBOM for Serverless Apps which is an easy to integrate solution to create SBOM and track dependencies for your serverless functions running on AWS Lambda, Google Cloud Functions and Microsoft Azure.

SBOM – what is it?

Why do you need an SBOM (short for software bill of materials) in the first place? Open source software is prevalent, and building new software on top of existing open source components is the popular approach. Software providers and consumers must know which components are used, which are safe and which are vulnerable. Also, what if your customers require you to provide an SBOM for your code? Biden’s Executive Order and the following OMB 22-18 memo actually introduce the requirement that all US Federal Agencies and their contractors must consume SBOMs of all the software they are using. SBOMs are also necessary tools to comply with SLSA, SSDF and other software security frameworks.

What is TrueSBOM? It is an extension of SBOM that provides online observability of the dependencies of your application, whether it is an image, a binary or an artifact stored in a cloud registry. We have previously released a blog post describing this innovation and I encourage you to go ahead and read it. To summarize, with TrueSBOM you modify the source code of your application with a one-liner. As a result you automatically get an up-to-date SBOM on demand or on a regular basis.

Enter TrueSBOM for Serverless Apps

The newest innovation in software security is TrueSBOM for Serverless Apps. What is a serverless function? It is a compute service that lets you run code without provisioning or managing servers. Most cloud providers these days let you provision such code for your customers. Because serverless apps are created dynamically, it is not possible to generate SBOMs for them using traditional approaches. TrueSBOM for Serverless Apps fills the gap and gives you a tool to always know which components are inside this code.

You can consume SBOMs from a serverless function the same way as you do with other software SBOMs. One example: your organization prohibits use of a component because of a known vulnerability, say one that leaks customer data to anyone listening to network traffic. Once you consume the function’s SBOM, you will be aware of any such vulnerable component and can take measures against it.
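The policy check described above, as an added example that is not part of the original post and not Codenotary’s code: it parses a constructed SBOM in CycloneDX JSON layout (the `components` list with `name`, `version` and `purl` fields) and flags every component that a hypothetical organisational policy prohibits. The package names, versions and the policy itself are made up for illustration; matching is done on the package URL without the version so that packages with the same name in different ecosystems are not confused.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM in CycloneDX JSON layout. It is not the output of any
# real tool; the component names and versions are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "order-handler", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5"},
        {"type": "library", "name": "boto3", "version": "1.26.0",
         "purl": "pkg:pypi/boto3@1.26.0"},
    ],
})

# Hypothetical policy: version-less package URL -> first version that is allowed.
# Any component with a lower version is prohibited; "*" prohibits every version.
# These entries are invented for the example, not real advisories.
POLICY: Dict[str, str] = {
    "pkg:pypi/urllib3": "1.26.6",
    "pkg:pypi/leaky-telemetry": "*",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26.5' or '2.0.0rc1' into a comparable tuple of the leading
    numeric parts of each dot-separated piece (suffixes such as 'rc1' are ignored)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip the '@version' suffix from a package URL so it can be used as a policy key."""
    return purl.split("@", 1)[0]


def find_violations(sbom_json: str, policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, version, first_allowed_version) for every SBOM component
    the policy prohibits. Components without a purl cannot be matched reliably
    and are skipped."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % sbom.get("bomFormat"))
    violations: List[Tuple[str, str, str]] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        first_allowed = policy.get(purl_base(purl))
        if first_allowed is None:
            continue
        version = comp.get("version", "0")
        if first_allowed == "*" or parse_version(version) < parse_version(first_allowed):
            violations.append((comp.get("name", purl), version, first_allowed))
    return violations


if __name__ == "__main__":
    for name, version, first_allowed in find_violations(SAMPLE_SBOM, POLICY):
        print(f"PROHIBITED: {name} {version} (allowed from {first_allowed})")
```

In practice the SBOM string would come from the TrueSBOM endpoint or a stored artifact rather than the inline constant, and the policy from a vulnerability database; the check itself stays the same. Because the comparison is run against each freshly fetched SBOM, a dependency that changes when the function is redeployed is caught on the next run.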

And the best part – it is all fully automatic after you set up the connection. Integrate TrueSBOM for Serverless Applications into functions written in the following languages: Java, Go, Python and Node.js.

Read the full press release by