SBOM & Dependency Vulnerability Management

Modern software consists of numerous libraries, frameworks, and external components. Many of these dependencies originate from open-source projects or third-party libraries. However, without clear transparency regarding the software components used, it becomes difficult to reliably assess security risks.


A Software Bill of Materials (SBOM) creates this transparency. It documents all software components of a system or product. Based on this, security vulnerabilities in used libraries can be systematically identified and monitored.


We support companies in creating SBOMs and in the continuous analysis of vulnerabilities in software dependencies. This results in a structured process for software supply chain security and the secure handling of vulnerabilities in software components.

Software Bill of Materials (SBOM)

A software bill of materials describes all the components that make up a software program or digital product. These include, among other things, open-source libraries, frameworks, third-party components, and internal modules.


Many software projects lack a complete overview of the components used. Dependencies are added, updated, or indirectly integrated via other libraries during development. Without structured documentation, a complex and difficult-to-understand software landscape quickly emerges.


Creating an SBOM (Software Bill of Materials) makes it transparent which software components are actually being used. This transparency is an important basis for security analyses, risk assessments, and regulatory requirements.


We support companies in the automated creation of SBOMs and the integration of corresponding processes into development and build environments.

Identifying vulnerabilities in software dependencies

Based on an SBOM, security vulnerabilities in the software components used can be analysed in a targeted way. Many libraries contain known vulnerabilities that are documented in public databases.


By matching SBOM components against vulnerability databases, security risks can be identified early. New vulnerabilities in the libraries used are continuously monitored and assessed.


We support companies in implementing dependency scanning processes that automatically identify and prioritise vulnerabilities in software components. This allows updates to be planned in a targeted manner and security risks to be reduced.


This approach enables continuous monitoring of the software supply chain and provides a sound basis for security decisions in software operations.
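The matching step described above, and the SBOM structure described in the previous section, as an added example (example code written for this page, not the company's tooling): a minimal matcher that reads the components of a CycloneDX-style SBOM and checks each one against a list of advisories by package URL and version range. The SBOM, the advisory entries and every package name are constructed for illustration; a real scanner would consume a public feed such as OSV or the NVD instead of the inline list, but the essentials it needs per advisory are the same: the affected package, the version from which the flaw is present, the version in which it was fixed, and a severity for prioritisation.

```python
"""Match the components of an SBOM against a list of vulnerability advisories.

Added example for this page; the SBOM, the advisory entries and every
package name below are constructed for illustration.
"""
import json

# Constructed CycloneDX-style SBOM (the "components" array is the part a
# scanner reads; the package names and versions are invented).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.3.1",
     "purl": "pkg:maven/org.example/example-json@2.3.1"},
    {"type": "library", "name": "example-http", "version": "1.8.0",
     "purl": "pkg:maven/org.example/example-http@1.8.0"},
    {"type": "library", "name": "example-utils", "version": "4.0.2",
     "purl": "pkg:maven/org.example/example-utils@4.0.2?type=jar"}
  ]
}
"""

# Constructed advisory list. Real feeds carry the same essentials: which
# package, from which version the flaw is present, in which version it was
# fixed (None = no fix published yet), and a severity used for prioritisation.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:maven/org.example/example-json",
     "introduced": "2.0.0", "fixed": "2.4.0", "severity": "HIGH"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:maven/org.example/example-http",
     "introduced": "0.0.0", "fixed": "1.8.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-ADV-0003", "purl": "pkg:maven/org.example/example-utils",
     "introduced": "4.0.0", "fixed": None, "severity": "MEDIUM"},
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple, padded to
    three fields so that "4.0" and "4.0.0" compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def split_purl(purl: str) -> tuple:
    """Split a package URL into (package identifier, version), dropping
    qualifiers (?...) and subpath (#...) so that matching is on the package."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.partition("@")
    return name, version


def is_affected(version: str, introduced: str, fixed) -> bool:
    """A version is affected if introduced <= version and, when a fix
    exists, version < fixed. Running exactly the fixed version is safe."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair that applies,
    ordered by severity so the most urgent updates come first."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue  # without a purl there is nothing reliable to match on
        name, version = split_purl(purl)
        for adv in advisories:
            if adv["purl"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": component["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        fix = f["fixed_in"] or "no fix published"
        print(f'{f["severity"]:8} {f["component"]}@{f["version"]}  {f["advisory"]}  fix: {fix}')
```

Two design points carry over to real tooling: matching is done on the package URL rather than on the display name, because the name alone is ambiguous across ecosystems, and a component running exactly the fixed version is correctly reported as unaffected, which is what allows the output to double as an update plan (the HIGH finding has an upgrade target; the MEDIUM one has none yet and needs a different mitigation decision).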


Transparency regarding software components and the structured handling of vulnerabilities in dependencies are central requirements of modern cybersecurity regulation.


The creation of SBOMs and the analysis of dependency vulnerabilities support, among other things, requirements from:


• Cyber Resilience Act – Transparency regarding software components and coordinated vulnerability treatment

• NIS2 – Risk management and secure software supply chains

• BSI C5 – Secure software development and handling of security vulnerabilities

• Telecommunications Act (§166) – Technical security measures for operators of critical networks


These requirements can be implemented in a technically verifiable manner through structured SBOM processes and continuous dependency monitoring.