In the current market, many organizations want complete control over their security posture, which leads them to request a Software Bill of Materials (SBOM) from their vendors. An SBOM provides a nested description of a product’s dependencies, metadata, and the other software artifacts that make up its architecture. Unfortunately, vendors sometimes resist sharing this data for fear of also disclosing closely held proprietary information. Additionally, customers lack a means to verify the accuracy of vendor-released SBOMs. Our research team’s proposed capstone project revolves around developing an escrow service for SBOMs that will enable software vendors to keep their intellectual property confidential while still disclosing supply chain vulnerabilities to clients. Our goal is to give client security teams a way to verify whether the SBOMs of the proprietary software they use are accurate, to automatically alert them if any of the listed artifacts have associated CVEs, and to give vendors enough confidentiality to keep their software components undisclosed. We believe our project aligns with the CLTC’s goals relating to cybersecurity governance and risk management by increasing the use of SBOM data in disclosing vulnerabilities. We also believe that our project aligns with the CLTC’s goals relating to the Cybersecurity Futures 2030 initiative because of our use of blockchain technology and the potential usefulness of SBOMs in global strategic planning for cybersecurity infrastructure.
Grant / February 2023