5/22/2024

Our Role in Protobom, An Open Source Software Supply Chain Tool

Author: Cole Kennedy

Protobom Tool
On April 16, 2024, The Open Source Security Foundation (OpenSSF) issued a press release to announce the launch of Protobom, a new open source software supply chain tool. The launch was done in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) Science and Technology Directorate (S&T).
According to the press release:
“Protobom enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs) and file data, as well as translate this data across standard industry SBOM formats.”
The OpenSSF website describes Protobom as “a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss. It has an accompanying Go library generated from the protocol buffers definition that also implements ingesters for those formats.”
Protobom is available at GitHub.

Seven Startups (Including TestifySec) Developed Protobom

Melissa Oh, Managing Director at Silicon Valley Innovation Program (SVIP) notes in the press release that DHS tapped into the startup community to develop technology to strengthen the security of software supply chains.
CISA and SVIP collaborated to fund a cohort of seven startups to develop Protobom. We’re honored that TestifySec is one of the selected startups. Other companies in the cohort include AppCensus, Inc.Chainguard, Inc.Deepbits Technology, Inc.Manifest Cyber, Inc.Scribe Security, and Veramine, Inc..
Beth Pariseau, Senior News Writer at TechTarget covered the launch of Protobom in an article titled “DHS funding breathes fresh life into SBOMs.”

Protobomit Overview

As I noted to Pariseau in the article, DHS would like us to incorporate Protobom into our product. We’re working on an open source tool called Protobomit that manages SBOMs by adding in-toto attestations as external references.
Protobomit is an experimental tool developed by TestifySec, Lockheed Martin and NYU. The project aims to increase the integrity and accuracy of SBOMs. Depending on the results of our research and experimentation, aspects of Protobomit may make its way into our commercial JUDGE product.
Current features of Protobomit include:
  • Generate a new SBOM with associated attestations
  • Verify SBOM provenance
  • Add in-toto attestations as external references to SBOMs
  • Support for CycloneDX and SPDX SBOM formats

Our Involvement with CNCF, OpenSSF and SVIP

We’re actively involved with efforts of the Cloud Native Computing Foundation (CNCF). We employ maintainers and steering committee members from projects such as in-totoTUFWitnessArchivistaRepository Service for TUF, and SBOMit.
We also play a leadership role in the OpenSSF Security Toolbelt and actively participate in their Securing Software Repositories, DE&I Working Group and the SLSA specification.
The Silicon Valley Innovation Program (SVIP) is a multi-phase, multi-year effort. Stay tuned for future phases of this effort to be defined and announced. SVIP Demo Week 2024 takes place May 21-22, 2024 in Alexandria, Virginia:
“This two-day event will feature keynotes from the Department of Homeland Security (DHS) leadership, expert panel discussions on artificial intelligence (AI) and the EU Digital Markets Act impact on U.S. startups, and presentations and technology demonstrations from across SVIP’s startup partners.”
TestifySec will be at the event – we look forward to seeing you there!