Full Report
Enhance software security and supply chain risk management with Wiz's agentless scanning technology for effortless SBOM creation
Analysis Summary
This analysis covers the concepts and tools in the source text, an announcement of a Wiz capability built on Software Bills of Materials (SBOMs). The source describes a security product, not a specific malware family or attack technique, so the sections below are filled in from that perspective.
# Tool/Technique: Software Bill of Materials (SBOM)
## Overview
A Software Bill of Materials (SBOM) is a nested inventory of the components (libraries, packages, tools and the build processes that produced them) that make up a software artifact. Its purpose is to give an organization visibility into its software estate for security, compliance and supply chain risk management. SBOM adoption has accelerated, driven by regulatory requirements and by incidents such as Log4Shell and the SolarWinds compromise.
## Technical Details
- Type: Concept/Security Artifact/Process
- Platform: Any platform hosting software components (Cloud workloads, containers, VMs, serverless)
- Capabilities: Inventory of software components, their dependencies and versions; required of vendors supplying software to US federal agencies under Executive Order 14028; forms the basis for integrating the inventory with vulnerability management.
- First Seen: The concept predates the incidents cited (NTIA's multistakeholder SBOM work began in 2018); it was formalized in the US by Executive Order 14028 (May 2021) and NTIA's "Minimum Elements for an SBOM" (July 2021).
## MITRE ATT&CK Mapping
*Note: An SBOM is a defensive, proactive control, not an attack technique. It maps to the following because it is the inventory used to locate components affected by a supply chain compromise or a vulnerable dependency.*
- **TA0001 - Initial Access**
- **T1195 - Supply Chain Compromise**
- **T1195.001 - Compromise Software Dependencies and Development Tools** (which artifacts embed a given third-party dependency, e.g. log4j-core, is exactly the question an SBOM answers)
- **T1195.002 - Compromise Software Supply Chain** (the SolarWinds case; an SBOM shows where the affected product version is deployed)
## Functionality
### Core Capabilities
- Provides a complete inventory of applications, including underlying packages and open-source libraries.
- Essential for understanding dependencies (e.g., in Java, NodeJS, Python, Go).
- Can be generated by scanning source and manifests (which tends to over-count, listing declared dependencies that never reach production) or by scanning built images (closer to what actually runs, but requires integration with the registry or runtime).
- Supports standard export formats (SPDX, CycloneDX).
### Advanced Features
- **Agentless Generation:** Ability to generate SBOMs without deploying agents in the target environment.
- **Dynamic Reflection:** Because the SBOM is regenerated on each scan, it reflects what is currently deployed in production rather than what was declared at build time.
- **Integration with Vulnerability Management:** Links the component inventory to vulnerability data and deployment context (external exposure, elevated privileges, access to sensitive data) so that affected components can be prioritized as attack paths.
## Indicators of Compromise
- File Hashes: N/A (SBOMs are reports/metadata)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A (Focus is on pre-execution visibility)
## Associated Threat Actors
- N/A. SBOM is a defensive control. The SolarWinds compromise cited in the source is attributed to **UNC2452/Nobelium** (also tracked as APT29).
## Detection Methods
- **Signature-based detection:** N/A
- **Behavioral detection:** N/A
- **YARA rules if available:** N/A
## Mitigation Strategies
- **Prevention measures:** Mandate and standardize SBOM generation across the software development lifecycle (SDLC). Use tools that provide agentless, continuous visibility so the SBOM stays accurate after deployment.
- **Hardening recommendations:** Integrate SBOM analysis into CI/CD pipelines so that builds containing vulnerable or unauthorized components are blocked before deployment. Export SBOMs to secure, centralized storage (e.g., S3) for retention and analysis.
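The core capability (an inventory of components with versions, exported as CycloneDX or SPDX), the vulnerability management integration above, and the CI/CD gate in the hardening recommendation all come down to the same operation: read the SBOM and compare each component's package URL and version against policy. The block below is an added example, not Wiz's code or anything from the announcement. `SAMPLE_SBOM` is a constructed CycloneDX 1.4 JSON document; `AFFECTED` carries one real range, the CVE-2021-44228 range for log4j-core (2.0-beta9 up to but not including the 2.15.0 fix); `DENIED` is a hypothetical deny list of package URLs a policy forbids; `version_key` is a deliberately simplified comparator for Maven/npm-style `x.y.z[-tag]` versions, not a full SemVer or Maven implementation.

```python
"""Gate a CycloneDX SBOM against affected version ranges and a deny list.

Added example, not Wiz's code. SAMPLE_SBOM is constructed; AFFECTED mirrors
the CVE-2021-44228 range for log4j-core; DENIED is a hypothetical policy list.
"""
import json
import re
import sys

# Constructed CycloneDX 1.4 document, shaped like an image scanner's output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "example-unapproved-lib", "version": "1.0.0",
         "purl": "pkg:npm/example-unapproved-lib@1.0.0"},   # hypothetical package
    ],
})

# purl without version -> list of half-open (introduced, fixed) ranges,
# in the style of OSV "ECOSYSTEM" ranges.
AFFECTED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("2.0-beta9", "2.15.0")],
}
# Hypothetical deny list: components forbidden regardless of version.
DENIED = {"pkg:npm/example-unapproved-lib"}


def version_key(version):
    """Sortable key for 'x.y.z' or 'x.y.z-tagN'; a pre-release tag sorts
    below the bare release it precedes (2.0-beta9 < 2.0 < 2.14.1)."""
    release, _, pre = version.partition("-")
    nums = tuple(int(x) for x in release.split(".") if x.isdigit())
    if not pre:
        return (nums, 1, ())
    m = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m:   # numeric suffix such as '1.0-1': treat as an extra release segment
        return (nums + tuple(int(x) for x in re.findall(r"\d+", pre)), 1, ())
    return (nums, 0, (m.group(1).lower(), int(m.group(2) or 0)))


def purl_base(purl):
    """Strip version, qualifiers and subpath: 'pkg:type/ns/name@v?q#p' -> 'pkg:type/ns/name'."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def load_components(sbom_json):
    """Yield (purl_base, version, purl) for every component carrying a purl."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue   # nothing to match an advisory against
        yield purl_base(purl), comp.get("version", ""), purl


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def evaluate(sbom_json, affected=AFFECTED, denied=DENIED):
    """Return (purl, reason) findings; an empty list means the build may proceed."""
    findings = []
    for base, version, purl in load_components(sbom_json):
        if base in denied:
            findings.append((purl, "denied by policy"))
        for introduced, fixed in affected.get(base, []):
            if in_range(version, introduced, fixed):
                findings.append((purl, f"affected range >={introduced},<{fixed}"))
    return findings


if __name__ == "__main__":
    hits = evaluate(SAMPLE_SBOM)
    for purl, reason in hits:
        print(f"BLOCK {purl}: {reason}")
    sys.exit(1 if hits else 0)   # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the script exits non-zero when any component is denied or falls inside an affected range, which is what turns SBOM generation into a gate rather than a report. Matching on the purl base rather than on `name` alone avoids confusing `log4j-core` with same-named packages in other ecosystems, and the half-open range means the first fixed version is not flagged.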
## Related Tools/Techniques
- **Log4j (Log4Shell, CVE-2021-44228):** The canonical case where an SBOM pays off: it answers "which of our artifacts embed log4j-core 2.0-beta9 through 2.14.1?" from inventory data instead of rescanning every host.
- **SolarWinds Attack:** Showed how a compromised build process can ship malicious code inside a legitimately signed update, which is why supply chain visibility tools such as SBOM generation are needed to locate affected deployments.
- **Wiz (Platform):** The described agentless technology for generating and maintaining these SBOMs.