Software Supply Chain Transparency with Contrast


For years, Contrast has led the charge for software supply chain transparency via the generation of a software bill of materials (SBOM). We have done this in three ways:



  • A history of stewardship in software supply chain security for OWASP and leadership on the CycloneDX committee that defined the SBoM standard for the industry

  • A leadership role alongside entities like the National Institute of Standards and Technology (NIST) in the development of new standards around initiatives like the Presidential Executive Order on Cybersecurity

  • In-product capabilities to generate SBoM output without requiring the source code of purchased software (as outlined in President Biden’s Executive Order on Cybersecurity)



A History of Stewardship in Software Supply Chain Security


Contrast’s history with open-source security began with its founders conducting the first large-scale study of insecure open-source use. Later, they championed open-source security by influencing its addition to the OWASP Top 10. This created broad awareness of the problem, even before the well-publicized Equifax breach.


Currently, Contrast’s Co-founder Jeff Williams serves on the board for OWASP’s CycloneDX SBoM standard, which is designed for use in application security contexts and supply chain component analysis. It establishes an industry standard for what an SBoM should look like.



Engagement with NIST and Beyond


For several years, Contrast has worked in concert with NIST on the development of application security standards. Most recently, Contrast has provided input to NIST on its implementation of the Presidential Executive Order on Cybersecurity. Specifically, the executive order directs NIST and the National Security Agency (NSA) to jointly publish guidelines covering the definition of critical software, software security testing, software labeling, and SBoM use.


Contrast is an active participant in the NIST workshops process, and over the years has submitted six separate position papers on various issues. Contrast’s CTO and Co-founder Jeff Williams has spoken at a NIST workshop and briefed the NIST team on modern software security testing.


Throughout our engagement, Contrast has been both supportive and critical of various aspects of the NIST implementation efforts. Currently, having advocated for software labeling over a number of years, Contrast is actively working with NIST to help implement a software labeling program as specified in the executive order.



Providing In-product Capabilities to Generate SBoM Output 


Several years ago, Contrast launched a new team charged with analyzing third-party libraries with the full context of the application that uses them. As part of that process, Contrast built the industry’s first product to embed software composition analysis (SCA) into an application. Today, because of our runtime technology, Contrast is the only application security vendor capable of delivering SCA in real time without the inaccuracies that plague legacy SCA tools.


To do so, Contrast analyzes the entire assembled running application, including server and platform environments. This approach is far more accurate than analyzing a source-code repository for several reasons:

  • A focus on the libraries that actually run

  • Contextualization of library vulnerabilities in terms of how they are used by applications

  • Analysis of application server and platform libraries that are not in code repositories

  • Distillation of test libraries that do not pose any risk

The above is a groundbreaking improvement over “point-in-time” SCM repository scans.


Finally and most importantly, Contrast enables customers to generate an SBoM directly in a way that meets the specifications of OWASP’s CycloneDX SBoM standard and the recent Presidential Executive Order. Here, Contrast generates and exports a comprehensive SBoM in a standardized format through a simple application programming interface (API) call.
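To show what a consumer of such an SBoM can do with the distinction between libraries that actually run and test-only libraries, here is an added example (not Contrast’s code or API) that parses a constructed CycloneDX JSON document and partitions its components by the standard’s `scope` field. The sample document and its component names are made up for illustration; the only CycloneDX facts relied on are the `bomFormat`, `specVersion`, `components` and `scope` fields and the spec’s rule that a missing scope is treated as `required`.

```python
import json

# Constructed sample CycloneDX 1.4 JSON SBOM; not the output of any real tool.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "scope": "required"},
        {"type": "library", "name": "junit", "version": "4.12",
         "purl": "pkg:maven/junit/junit@4.12",
         "scope": "excluded"},          # test-only dependency, never shipped
        {"type": "library", "name": "example-platform-lib", "version": "1.0",
         "purl": "pkg:maven/com.example/example-platform-lib@1.0"},
    ],                                  # no scope: spec says assume "required"
})


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in bom:
        raise ValueError("CycloneDX document is missing specVersion")
    return bom


def partition_components(bom):
    """Split components into those that run (scope required/optional or unset)
    and those the producer marked excluded, such as test-only libraries."""
    runtime, excluded = [], []
    for comp in bom.get("components", []):
        scope = comp.get("scope", "required")  # CycloneDX default is "required"
        (excluded if scope == "excluded" else runtime).append(comp)
    return runtime, excluded


def component_ids(components):
    """Identify each component by purl when present, else name@version."""
    return [c.get("purl") or f"{c['name']}@{c.get('version', '?')}"
            for c in components]
```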



Figure 1: Generating an SBoM report with Contrast





Figure 2: SBoM reporting, a UI view (application level)







Read this blog post to learn what President Biden's Executive Order means for federal agencies and how the Contrast platform can help them prepare to meet forthcoming requirements.

