Anchore Enterprise Software’s SCM Platform Adds SBOM Capabilities

Anchore has released the latest version of its SCM (supply chain management) software solution, Anchore Enterprise, adding SBOM (software bill of materials) monitoring as an integral part of the platform.

The new release, Anchore Enterprise 4.0, adds new SBOM capabilities to identify upstream dependencies in source code repositories and monitor SBOM drift that may indicate malware or compromised software.

An SBOM refers to the list of components (both open source and proprietary) used in software.

“Anchore Enterprise 4.0 introduces a new feature that will alert users to changes to SBOMs in the build process so they can be evaluated for new risks or malicious activity,” said Rebecca Carter, senior product marketing manager at Anchore. “Of course, some changes, or drifts, between releases are to be expected, but significant changes, particularly towards the end of the build cycle, can be an indicator of malicious or at least suspicious activity that should be studied.”

Anchore Enterprise detects vulnerabilities using vulnerability feeds and a matching algorithm. It also monitors for malware, cryptominers, secrets, misconfigurations, and other security issues.

The Anchore Enterprise 4.0 release promises an end-to-end approach by enabling customers to generate and analyze SBOMs at every stage of the development lifecycle to identify and remediate security risks, including vulnerabilities, malware, misconfigurations and secrets. The new version tracks open source dependencies, SBOM drift, and application-specific changes.

“SBOM generation is an emerging capability available from many software composition analysis (SCA) and software supply chain vendors,” said Sandy Carielli, analyst at Forrester. “Additionally, Anchore appears to be leveraging SBOM data to perform ongoing risk assessment – the industry is moving in this direction, but Anchore is ahead.”

The Anchore Enterprise 4.0 release has four key features:

  • Open Source Dependency Security Profile Tracking: The new feature extends existing support for container scanning via CI/CD, registries, or Kubernetes (container deployment) to include direct and transitive dependency scanning in source code repositories to identify open source vulnerabilities.
  • SBOM Drift Tracking to Detect Suspicious Activity: This is a core feature of the new release that tracks SBOM changes to identify risk, malware, compromised software or malicious activity.
  • End-to-end SBOM management: The new version offers complete SBOM management that includes an SBOM repository generated at each stage of the development cycle.
  • An application-level view of software supply chain risk: The new release allows users to tag and group all artifacts associated with a particular application, release, or service, enabling identification and reporting of vulnerabilities and risks at the application level.
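To make the SBOM drift idea from Carter's quote and the drift-tracking feature concrete, here is an added example (not Anchore's code) that compares two constructed CycloneDX-style SBOMs from consecutive builds and flags additions that were never declared in the application's manifest; the component names, versions and the `declared` set are all constructed for illustration.

```python
"""SBOM drift check between two builds of one application (added example,
not Anchore's code). Both SBOMs are constructed inline; the field names
("components", "name", "version", "purl") follow CycloneDX JSON."""

# Constructed SBOM for build 41 of a hypothetical Python service.
SBOM_BUILD_41 = {"components": [
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
    {"name": "certifi", "version": "2022.9.24", "purl": "pkg:pypi/certifi@2022.9.24"},
]}
# Constructed SBOM for build 42: one version bump, one removal, and a component
# nobody declared in the manifest (the kind of late change that warrants review).
SBOM_BUILD_42 = {"components": [
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "urllib3", "version": "1.26.13", "purl": "pkg:pypi/urllib3@1.26.13"},
    {"name": "extra-helper", "version": "0.1.0", "purl": "pkg:pypi/extra-helper@0.1.0"},
]}


def index_by_name(sbom: dict) -> dict[str, str]:
    """Map component name -> version for comparison."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def sbom_drift(old: dict, new: dict) -> dict[str, list]:
    """Report added, removed and version-changed components between two SBOMs."""
    before, after = index_by_name(old), index_by_name(new)
    return {
        "added": sorted(n for n in after if n not in before),
        "removed": sorted(n for n in before if n not in after),
        "changed": sorted((n, before[n], after[n]) for n in before
                          if n in after and before[n] != after[n]),
    }


def drift_alerts(drift: dict[str, list], declared: frozenset = frozenset()) -> list[str]:
    """Turn a drift report into alert lines. Additions that were never declared
    in the application's manifest are the ones that most need human review."""
    alerts = []
    for name in drift["added"]:
        level = "INFO" if name in declared else "REVIEW"
        alerts.append(f"{level}: new component {name}")
    alerts += [f"INFO: removed {n}" for n in drift["removed"]]
    alerts += [f"INFO: {n} {a} -> {b}" for n, a, b in drift["changed"]]
    return alerts


if __name__ == "__main__":
    print("\n".join(drift_alerts(sbom_drift(SBOM_BUILD_41, SBOM_BUILD_42),
                                 declared=frozenset({"requests", "urllib3"}))))
```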

According to Carter, the new features are available through the Anchore UI and can also be managed from third-party apps through the software’s API.

Copyright © 2022 IDG Communications, Inc.