Rezilion’s new Dynamic SBOM (software bill of materials) works with its devsecops platform and is designed to help security teams understand how software components are being executed in runtime. Credit: Veracode

Aiming to help organizations manage security across the software development life cycle (SDLC), devsecops platform developer Rezilion is launching Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.

“Rapid digital transformation has created a situation where the software attack surface for any organization is constantly changing,” says Liran Tancman, co-founder and CEO of Rezilion. “We need to think of more holistic, fluid ways of managing software vulnerabilities. With the introduction of our Dynamic SBOM, this is Rezilion’s first step in a series of product announcements we are preparing later this summer to provide customers with exactly this kind of a solution.”

How dynamic and static SBOMs differ

A static SBOM can be defined as a list of all the open-source and third-party components present in a software’s codebase. Also included in SBOMs are the versions of the components used, the licenses governing those components, and their patch status. The purpose of SBOMs is to help security teams better assess the risks associated with software components. Static SBOMs allow for a one-time analysis, as opposed to a dynamic SBOM’s continuous, always-on design. A dynamic SBOM, in addition to listing the components present in a software environment, reveals those executed at runtime and details the many dependencies they have.
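To make the static-versus-dynamic distinction concrete, here is an added example; it is not Rezilion’s code and does not reproduce its product. It joins a constructed CycloneDX-style component inventory (the static SBOM) with constructed runtime load events (the dynamic evidence), flags components seen at runtime that the inventory never listed, and emits simplified VEX-style statements so that vulnerabilities in components that actually executed are triaged first. Component names, hosts, processes and vulnerability IDs are made-up placeholders; the status and justification labels (not_affected, under_investigation, vulnerable_code_not_in_execute_path) follow the VEX vocabulary, but the output shape is a flat summary, not a conforming CycloneDX or OpenVEX document.

```python
"""Static vs. dynamic SBOM, illustrated (added example, not Rezilion's code)."""
import json

# Constructed static SBOM: a CycloneDX-style component list. Purls and
# licenses are made up for this example.
STATIC_SBOM = [
    {"purl": "pkg:pypi/requests@2.25.0", "license": "Apache-2.0"},
    {"purl": "pkg:pypi/pyyaml@5.3", "license": "MIT"},
    {"purl": "pkg:pypi/urllib3@1.26.4", "license": "MIT"},
    {"purl": "pkg:pypi/legacy-xml@0.9", "license": "MIT"},
]

# Constructed runtime observations: which component each process loaded.
# In practice these would come from a loader hook or process inspection.
RUNTIME_LOADS = [
    {"purl": "pkg:pypi/requests@2.25.0", "host": "web-01", "process": "gunicorn"},
    {"purl": "pkg:pypi/urllib3@1.26.4", "host": "web-01", "process": "gunicorn"},
    {"purl": "pkg:pypi/requests@2.25.0", "host": "worker-02", "process": "celery"},
    {"purl": "pkg:pypi/unlisted-lib@1.0", "host": "worker-02", "process": "celery"},
]

# Constructed vulnerability feed keyed by purl. IDs are placeholders, not CVEs.
VULN_FEED = {
    "pkg:pypi/pyyaml@5.3": ["VULN-PLACEHOLDER-1"],
    "pkg:pypi/legacy-xml@0.9": ["VULN-PLACEHOLDER-2"],
    "pkg:pypi/urllib3@1.26.4": ["VULN-PLACEHOLDER-3"],
}


def build_dynamic_sbom(static, loads):
    """Join the static inventory with runtime load events.

    Returns {purl: {"license": ..., "executed": bool, "where": [host/process]}}.
    A component is "executed" if at least one load event references it.
    """
    dynamic = {
        c["purl"]: {"license": c["license"], "executed": False, "where": set()}
        for c in static
    }
    for ev in loads:
        entry = dynamic.get(ev["purl"])
        if entry is None:
            continue  # not in the inventory; reported separately by find_drift()
        entry["executed"] = True
        entry["where"].add(f'{ev["host"]}/{ev["process"]}')
    for entry in dynamic.values():
        entry["where"] = sorted(entry["where"])
    return dynamic


def find_drift(static, loads):
    """Components observed at runtime that the static SBOM never listed."""
    listed = {c["purl"] for c in static}
    return sorted({ev["purl"] for ev in loads} - listed)


def vex_statements(dynamic, vulns):
    """Turn runtime evidence into simplified VEX-style statements.

    A component that was never loaded during the observation window gets
    not_affected with the VEX justification vulnerable_code_not_in_execute_path;
    this is evidence from the observed window, so the window is recorded in
    the detail. A loaded component is under_investigation: execution shows
    the code is reachable, not that the specific flaw is exploitable.
    """
    statements = []
    for purl, vuln_ids in vulns.items():
        entry = dynamic.get(purl)
        for vid in vuln_ids:
            stmt = {"vulnerability": vid, "product": purl}
            if entry is None:
                stmt["status"] = "under_investigation"
                stmt["detail"] = "component not present in static SBOM"
            elif entry["executed"]:
                stmt["status"] = "under_investigation"
                stmt["detail"] = "loaded at runtime on: " + ", ".join(entry["where"])
            else:
                stmt["status"] = "not_affected"
                stmt["justification"] = "vulnerable_code_not_in_execute_path"
                stmt["detail"] = "never loaded during the observation window"
            statements.append(stmt)
    # Components that actually ran come first: they are the ones to triage.
    statements.sort(key=lambda s: (s["status"] != "under_investigation", s["product"]))
    return statements


if __name__ == "__main__":
    dyn = build_dynamic_sbom(STATIC_SBOM, RUNTIME_LOADS)
    print(json.dumps({"dynamic_sbom": dyn,
                      "drift": find_drift(STATIC_SBOM, RUNTIME_LOADS),
                      "vex": vex_statements(dyn, VULN_FEED)}, indent=2))
```

Run as a script it prints the joined inventory, the one unlisted component, and three statements with the urllib3 finding at the top because that component was loaded by gunicorn. The design point is that the runtime evidence only ever demotes or prioritizes; it never marks anything fixed, and the not_affected verdict is explicitly tied to what was observed, so a longer or broader observation window can revise it.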
“Unlike static SBOMs, a dynamic SBOM reveals if and how software components are being executed in runtime, providing organizations with a solution to understand not only where bugs exist — but also whether or not they could be exploited by attackers,” says Tancman.

Additionally, Tancman adds, while a static SBOM traditionally yields an inventory of only one type of software component, Rezilion’s Dynamic SBOM sees all software components across development and production.

SBOM maps software environment

Rezilion’s SBOM is deployed as a plugin to the company’s existing devops tools and cloud infrastructure. Rezilion’s core technology then reverse-engineers and maps the client’s software environment, dynamically tracking the usage, provenance, behavior, and exposure of each component in detail, and then mapping this to runtime execution for improved attack surface visibility.

Dynamic SBOM is a relatively new concept, building on the popularity of SBOMs in software supply chain security management. Tancman says that he is not aware of other dynamic SBOMs that are similar to Rezilion’s, though he acknowledges that companies including Anchore and Fossa also offer SBOMs.

Anchore, for example, recently released Anchore Enterprise 4.0, designed to identify dependencies in source code repositories and monitor software development for SBOM “drift” that can include malware or compromised software. In addition, Deepfence has launched ThreatMapper 1.3.0, a new version of its open-source threat intelligence platform, which includes runtime SBOM monitoring.

How Rezilion’s SBOM distinguishes itself

Rezilion claims to differentiate its SBOM with a host of features including bug identification and resolution, vulnerability scanning, development-to-production cycle implementation, and result-report solutions.
Capabilities include:

- Dynamic inventory: continuous tracking and management of the software environment as changes are being introduced.
- Full stack, full cycle coverage: scans software components across development and production, on-premises and cloud, hosts, containers, and IoT devices.
- Dynamic search: searches for and pinpoints vulnerable components across files, hosts, containers, and applications.
- Exportable formats (premium version): sharing results with customers using a formal VEX (vulnerability exchange) or CycloneDX document.