The new release of Anchore's software SCM (supply chain management) platform generates an SBOM (software bill of materials) for individual builds and steps in a development cycle, automatically triggering alerts for possible vulnerabilities and risks.

Anchore has released the latest version of its software SCM (supply chain management) solution, Anchore Enterprise, adding SBOM (software bill of materials) monitoring as an integral part of the platform. The new release, Anchore Enterprise 4.0, adds SBOM capabilities to identify upstream dependencies in source code repositories and to monitor for SBOM drift that can indicate malware or compromised software. An SBOM is the list of components (both open source and proprietary) used in a piece of software.

“Anchore Enterprise 4.0 introduces a new capability that will alert users to changes in SBOMs in the build process so that they can be assessed for new risks or malicious activity,” says Rebecca Carter, senior product marketing manager at Anchore. “Of course, some change, or drift, between builds is to be expected, but large changes, especially towards the end of the build cycle, can be an indicator of malicious or at least suspicious activity that should be investigated.”

Anchore Enterprise uses vulnerability feeds and a vulnerability-matching algorithm to detect vulnerabilities. It also monitors for malware, cryptominers, secrets, misconfigurations, and other security issues. The 4.0 release promises an end-to-end approach: customers can generate and analyze SBOMs across all steps of the development lifecycle to identify and remediate security risks, including vulnerabilities, malware, misconfigurations, and secrets. The new version tracks open source dependencies, SBOM drift, and application-specific changes.
“SBOM generation is an emerging capability available in many software composition analysis (SCA) and software supply chain vendors,” says Sandy Carielli, an analyst at Forrester. “In addition, Anchore seems to be leveraging the SBOM data to perform ongoing risk assessment; the industry is moving in that direction, but Anchore is early.”

Anchore Enterprise 4.0 has four key capabilities:

1. Tracking the security profile of open source dependencies: The new feature extends the existing support for container scanning through CI/CD, registries, or Kubernetes (container deployment) to include scanning for direct as well as transitive dependencies in source code repositories, to identify open source vulnerabilities.

2. Tracking SBOM drift to detect suspicious activity: This is the central capability of the new release. It tracks changes between the SBOMs of successive builds in order to identify risks, malware, compromised software, or malicious activity.

3. End-to-end SBOM management: The new version includes comprehensive SBOM management, built around an SBOM repository populated from each step of the development lifecycle.

4. An application-level view of software supply chain risk: The new version lets users tag and group all of the artifacts associated with a particular application, release, or service, so that vulnerabilities and risks can be identified and reported at the application level.

According to Carter, the new features are available via the Anchore UI and can also be managed from third-party applications through the software’s API.
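The drift-tracking idea described above, as an added example that is not Anchore's code: the two SBOMs, the component fields, and the per-stage tolerance policy are all constructed for this illustration. It diffs two CycloneDX-style component lists from consecutive builds, separates version bumps from added or removed components, and tightens the alert threshold as the pipeline approaches release, where the article notes late changes deserve the most scrutiny.

```python
"""Detect SBOM drift between two builds (added example, not Anchore's code)."""
from dataclasses import dataclass, field

# Constructed sample SBOMs: CycloneDX "components" arrays reduced to the fields
# used here. Package names and versions are illustrative, not from a real build.
SBOM_BUILD_41 = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "2.0.4", "purl": "pkg:pypi/urllib3@2.0.4"},
    {"name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
    {"name": "idna", "version": "3.4", "purl": "pkg:pypi/idna@3.4"},
]
SBOM_BUILD_42 = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "2.0.5", "purl": "pkg:pypi/urllib3@2.0.5"},
    {"name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
    {"name": "colorama", "version": "0.4.6", "purl": "pkg:pypi/colorama@0.4.6"},
]

# Assumed policy for this example: tolerated fraction of the baseline that may
# change per pipeline stage. Release-stage SBOMs are expected to be frozen.
STAGE_THRESHOLDS = {"build": 0.25, "test": 0.10, "release": 0.0}


def _key(component):
    # Component identity without its version: the purl up to '@', else the name.
    purl = component.get("purl", "")
    return purl.split("@", 1)[0] if purl else component["name"]


@dataclass
class Drift:
    baseline_size: int = 0
    added: list = field(default_factory=list)    # keys only in the new SBOM
    removed: list = field(default_factory=list)  # keys only in the old SBOM
    changed: list = field(default_factory=list)  # (key, old_version, new_version)

    def ratio(self):
        # Fraction of the baseline touched by any kind of change.
        if self.baseline_size == 0:
            return 1.0 if self.added else 0.0
        return (len(self.added) + len(self.removed) + len(self.changed)) / self.baseline_size


def sbom_drift(previous, current):
    prev = {_key(c): c for c in previous}
    curr = {_key(c): c for c in current}
    drift = Drift(baseline_size=len(prev))
    drift.added = sorted(k for k in curr if k not in prev)
    drift.removed = sorted(k for k in prev if k not in curr)
    drift.changed = sorted((k, prev[k]["version"], curr[k]["version"])
                           for k in prev.keys() & curr.keys()
                           if prev[k]["version"] != curr[k]["version"])
    return drift


def should_alert(drift, stage):
    # Unknown stages fall back to the strictest policy (any change alerts).
    return drift.ratio() > STAGE_THRESHOLDS.get(stage, 0.0)
```

Between the two constructed builds, one package is added, one removed and one bumped, so three of four baseline components changed and the build-stage policy raises an alert.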