Exploring Software Bills Of Materials


Year: 2023

Most software projects rely on numerous open-source and commercial products, which have their own dependencies, which in turn have their own dependencies, and so forth. It is difficult to know precisely which transitive dependencies are present in an application. When a product or package is found to have a vulnerability, security teams not only have to prevent its exploitation but are also confronted with the difficult job of sorting out which applications depend on the vulnerable package, directly or transitively, and are therefore exposed.

Software Bills of Materials, or SBOMs, are an industry and government answer to this challenge. An SBOM is a "formal record containing the details and supply chain relationships of various components used in building software" (quoted from the Executive Order on Improving the Nation's Cybersecurity, E.O. 14028, May 12, 2021). The SBOM itself inventories the components and how they depend on one another; which of those components carry known vulnerabilities is determined by matching the SBOM against vulnerability databases, or is reported alongside it (for example in a VEX document), rather than being part of the record itself.
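To make the definition concrete, here is an added example (not code from the Duke project or from any SBOM tool) that answers the question raised above: given an SBOM, which dependency chains lead from an application to a vulnerable package? It parses a CycloneDX JSON document, one of the two common SBOM formats, walks the `dependencies` graph from the root application, and reports every path to a component whose name matches and whose version falls below the fixed version. The SBOM embedded in the block is constructed for illustration; the component names and versions are made up and describe no real project.

```python
import json

# Constructed sample CycloneDX 1.4 JSON SBOM. Names and versions are
# made up for this example and do not describe a real application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "duke-portal",
                               "version": "2.1.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "web-framework", "version": "4.2.1",
         "purl": "pkg:pypi/web-framework@4.2.1", "bom-ref": "c1"},
        {"type": "library", "name": "template-engine", "version": "3.0.3",
         "purl": "pkg:pypi/template-engine@3.0.3", "bom-ref": "c2"},
        {"type": "library", "name": "yaml-loader", "version": "5.3",
         "purl": "pkg:pypi/yaml-loader@5.3", "bom-ref": "c3"},
        {"type": "library", "name": "http-client", "version": "2.28.0",
         "purl": "pkg:pypi/http-client@2.28.0", "bom-ref": "c4"},
    ],
    # CycloneDX expresses the graph as bom-ref -> list of bom-refs it depends on.
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c4"]},
        {"ref": "c1", "dependsOn": ["c2"]},
        {"ref": "c2", "dependsOn": ["c3"]},
        {"ref": "c3", "dependsOn": []},
        {"ref": "c4", "dependsOn": ["c3"]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON SBOM into (components, graph, root_ref).

    components: bom-ref -> component dict (name, version, ...)
    graph:      bom-ref -> list of bom-refs that component depends on
    root_ref:   bom-ref of the application described in metadata.component
    """
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = bom.get("metadata", {}).get("component")
    if root is None:
        raise ValueError("SBOM has no metadata.component root")
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {ref: [] for ref in components}
    for dep in bom.get("dependencies", []):
        graph.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    return components, graph, root["bom-ref"]


def version_key(version):
    """Numeric tuple for dotted versions such as '5.3' or '2.28.0'.

    Only purely numeric segments are compared; production tooling should use
    a PEP 440 or semver parser instead of this simplification.
    """
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def dependency_paths(text, target_name, fixed_in=None):
    """Return every dependency path (as name@version labels) from the root
    application to a component named target_name.

    If fixed_in is given, only versions strictly below it are reported, i.e.
    the vulnerable range of an advisory of the form "fixed in X".
    """
    components, graph, root = load_sbom(text)

    def label(ref):
        return f"{components[ref]['name']}@{components[ref]['version']}"

    hits = []

    def walk(ref, path, seen):
        comp = components.get(ref)
        if comp is None or ref in seen:  # dangling ref, or a cycle on this path
            return
        seen = seen | {ref}
        path = path + [label(ref)]
        if comp["name"] == target_name and (
            fixed_in is None or version_key(comp["version"]) < version_key(fixed_in)
        ):
            hits.append(path)
        for child in graph.get(ref, []):
            walk(child, path, seen)

    walk(root, [], frozenset())
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: yaml-loader is vulnerable before 5.4.
    for path in dependency_paths(SAMPLE_SBOM, "yaml-loader", fixed_in="5.4"):
        print(" -> ".join(path))
```

Run against the sample, the script reports two distinct chains to `yaml-loader@5.3`, one through the web framework's template engine and one through the HTTP client, which is exactly the information a team needs to decide which direct dependencies must be upgraded. Because the walk keeps a per-path `seen` set, it also terminates on SBOMs whose dependency graph contains cycles.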

A team of students will work with Duke’s Information Technology Security Office (ITSO) to explore the most active open-source projects in the SBOM and supply chain security space and develop a user-friendly interface to make it easy for development teams at Duke to gather and share this information.

Watch the team's final presentation on YouTube.

