SBOM based discovery


SBOM stands for Software Bill Of Materials. The SBOM-based discovery mode in twigs allows you to ingest assets specified in an SBOM artifact into ThreatWorx. The currently supported SBOM standards and formats are as follows:

  • CycloneDX – JSON
  • SPDX, SPDX Lite – tagvalue
  • ThreatWorx (proprietary) – JSON, CSV


You need to have an SBOM artifact. There are many ways to create an SBOM. For example, GitHub now allows you to create a CycloneDX SBOM for all code repositories. ThreatWorx also supports its own SBOM standard which is


The steps to discover assets from an SBOM artifact are as follows:

  • Open a new shell / terminal.
  • Check that twigs is installed and running properly by running the command below:

twigs sbom -h

  • You can run the command as below:

twigs sbom [-h] --input INPUT [--standard {cyclonedx,spdx,threatworx}] [--format {json,tagvalue,csv}] [--assetid ASSETID] [--assetname ASSETNAME]

  • where INPUT is the path to the SBOM document
  • After discovery is complete, you can log in to the ThreatWorx console to view the newly discovered assets.
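
A pre-flight check to run before `twigs sbom`, given here as an added example (it is not part of twigs or ThreatWorx): it identifies CycloneDX JSON and SPDX tag-value documents from their standard markers and builds the matching command line from the options shown above. The function names, the sample documents and the rule that an empty SBOM is rejected are assumptions of this example.

```python
import json
import re

# Standard/format pairs the page lists as supported by `twigs sbom`.
SUPPORTED = {("cyclonedx", "json"), ("spdx", "tagvalue"),
             ("threatworx", "json"), ("threatworx", "csv")}

def detect_sbom(text):
    """Identify (standard, format, component_count) from standard markers.
    The ThreatWorx schema is not described on the page, so it is never guessed."""
    stripped = text.lstrip()
    if stripped.startswith("{"):
        doc = json.loads(stripped)
        if doc.get("bomFormat") == "CycloneDX":  # required CycloneDX JSON field
            return "cyclonedx", "json", len(doc.get("components", []))
        if "spdxVersion" in doc:  # SPDX JSON: recognised, but not in SUPPORTED
            return "spdx", "json", len(doc.get("packages", []))
        raise ValueError("unrecognised JSON SBOM; choose --standard yourself")
    if re.search(r"^SPDXVersion:\s*SPDX-\d", text, re.MULTILINE):
        count = len(re.findall(r"^PackageName:", text, re.MULTILINE))
        return "spdx", "tagvalue", count
    raise ValueError("not CycloneDX JSON or SPDX tag-value")

def twigs_command(path, text, assetid=None):
    """Build the argv for `twigs sbom`, refusing unsupported or empty input."""
    standard, fmt, count = detect_sbom(text)
    if (standard, fmt) not in SUPPORTED:
        raise ValueError(f"{standard}/{fmt} is not a supported combination")
    if count == 0:  # assumption of this example: an empty SBOM is an error
        raise ValueError("SBOM lists no components; nothing to ingest")
    argv = ["twigs", "sbom", "--input", path,
            "--standard", standard, "--format", fmt]
    if assetid:
        argv += ["--assetid", assetid]
    return argv

# Constructed sample documents (not real project SBOMs).
CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                  "components": [{"type": "library", "name": "requests",
                                  "version": "2.31.0"}]})
SPDX_TV = ("SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n"
           "PackageName: openssl\nPackageVersion: 3.0.13\n")
SPDX_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [{"name": "zlib"}]})

if __name__ == "__main__":
    print(" ".join(twigs_command("bom.json", CDX, assetid="web-frontend")))
    print(" ".join(twigs_command("bom.spdx", SPDX_TV)))
```

The SPDX JSON sample is rejected on purpose, because the page lists only tagvalue as a supported SPDX format.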

Depending on the type of SBOM, one or more assets may be created in the console. These will be tracked continuously for new and updated vulnerabilities and threats, just like any other assets discovered using twigs. The SBOM artifact will be archived in the ThreatWorx console and will be available through the SBOM dashboard for audit. You can also upload the SBOM manually in the ThreatWorx console through the SBOM dashboard.

ThreatWorx SBOM

The ThreatWorx SBOM is designed to represent the typical enterprise attack surface in more detail than other SBOM standards. For example, a typical ThreatWorx SBOM for a Windows endpoint will capture KBs or patch details in addition to the installed products and services. This allows ThreatWorx to perform a more accurate assessment of the endpoint than is possible with other SBOM standards.

Other unique findings included in the ThreatWorx SBOM are:

  • SCA / license information for open source components
  • CSPM, K8S, server and other misconfigurations
  • SAST, DAST, IaC code secrets
  • Multiple assets (endpoints, cloud workloads etc.) included in one SBOM

These provide a more complete view of the attack surface than what is included in CycloneDX or SPDX.

How to generate a ThreatWorx SBOM

Any discovery using twigs can be converted to an SBOM using the common --sbom switch.

For example, an open source repository can be discovered as a ThreatWorx SBOM as follows:

twigs --sbom /path/to/my/sbom --repo <mygitrepo> --sast --secrets_scan