• United States



Shweta Sharma
Senior Writer

Rezilion launches Dynamic SBOM for software supply chain devsecops

May 17, 20223 mins

Rezilion’s new Dynamic SBOM (software bill of materials) works with its devsecops platform and is designed to help security teams understand how software components are being executed in runtime.

sucessfully transitioning to devsecops
Credit: Veracode

Aiming to help organizations manage security across the software development life cycle (SDLC), devsecops platform developer Rezilion is launching Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.

“Rapid digital transformation has created a situation where the software attack surface for any organization is constantly changing,” says Liran Tancman, co-founder and CEO of Rezillion. “We need to think of more holistic, fluid ways of managing software vulnerabilities. With the introduction of our Dynamic SBOM, this is Rezilion’s first step in a series of product announcements we are preparing later this summer to provide customers with exactly this kind of a solution.”

How dynamic and static SBOMs differ

A static SBOM can be defined as a list of all the open-source and third-party components present in a software’s codebase. Also included in SBOMs are the versions of the components used, licenses governing those components, and their patch status. The purpose of SBOMs is to help security teams better assess risks associated with software components.

Static SBOMs allow for a one-time analysis as opposed to a dynamic SBOM’s continuous/always-on design. A dynamic SBOM, in addition to listing the components present in a software environment, reveals those executed at runtime and details the many dependencies they have.

“Unlike static SBOMs, a dynamic SBOM reveals if and how software components are being executed in runtime, providing organizations with a solution to understand not only where bugs exist — but also whether or not they could be exploited by attackers,” says Tancman.

Additionally, Tancman adds, while a static SBOM traditionally yields an inventory of only one type of software component, Rezilion’s Dynamic SBOM sees all software components across development and production.

SBOM maps software environment

Rezilion’s SBOM is deployed as a plugin to the company’s existing devops tools and cloud infrastructure. Rezilion’s core technology then reverse-engineers and maps the client’s software environment, dynamically tracking the usage, provenance, behavior, and exposure of each component in detail, and then mapping this to runtime execution for improved attack surface visibility.

Dynamic SBOM is a relatively new concept, building on the popularity of SBOMs in software supply chain security management. Tancman says that he is not aware of other dynamic SBOMs that are  similar to Rezilion’s, though he acknowledges that companies including Anchore and Fossa also offer SBOMs.

Anchore, for example, recently released Anchore Enterprise 4.0, designed to identify dependencies in source code repositories and monitor software development for SBOM “drift” that can include malware or compromised software. 

In addition, Deepfence has launched ThreatMapper 1.3.0, a new version of its open-source threat intelligence platform, which includes runtime SBOM monitoring.

How Rezilion’s SBOM distinguishes itself

Rezilion claims to differentiate its SBOM with a host of features including bug identification and resolution, vulnerability scanning, devopment to production cycle implementation and result-report solutions. Capabilities include:

  • Dynamic inventory: Continuous tracking and management of the software environment as changes are being introduced;
  • Full Stack, Full Cycle Coverage: Scans software components across development and production, on-premesis and cloud, hosts, containers, and IoT devices;
  • Dynamic search: searches and pinpoints vulnerable components across files, hosts, containers, and applications;
  • Exportable formats (premium version): sharing result with customers using a formal VEX (vulnerability exchange) or Cyclone DX document.