TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
Open Source Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Apache Cassandra Poll: AI Use Cases Are Set to Triple
Nov 8th 2024 11:00am, by Patrick McFadin
Valkey: What’s New and What’s Next?
Nov 7th 2024 12:00pm, by Heather Joslyn
To Solve Kubernetes Sprawl, Try Kubernetes 'All the Way Down'
Nov 4th 2024 6:11am, by Randy Bias
OpenPaX, a New Linux Memory Security Patch, Arrives
Nov 1st 2024 10:41am, by Steven J. Vaughan-Nichols
OpenNext Gets Closer to Making Next.js Truly Portable
Nov 1st 2024 9:00am, by Mary Branscombe
10 Tips for Kubernetes Architects on K8s' 10th Birthday
Nov 5th 2024 12:00pm, by Raghavan "Rags" Srinivas
Terraform and the Tooling Multiverse in the Future of IaC
Nov 5th 2024 6:34am, by Ido Neeman
The Birth and Continuing Evolution of Platform Engineering
Nov 5th 2024 5:00am, by Todd R. Weiss
Why Companies Are Ditching the Cloud: The Rise of Cloud Repatriation
Nov 5th 2024 4:00am, by Rob Pankow
Make Workloads, Not Infrastructure: Redefining K8s Platforms
Nov 1st 2024 7:00am, by Will Stewart
Flatcar Container Linux Hitches onto the CNCF
Oct 31st 2024 2:00pm, by Joab Jackson
Terraform Beta Supports Multicloud, Complex Environments
Oct 15th 2024 1:00pm, by Loraine Lawson
How Nvidia Scaled Its Cloud Services With KubeVirt
Oct 4th 2024 6:18am, by Jonathan Gershater
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
Cloud SDKs Can Chain You Down
Oct 1st 2024 8:42am, by Rak Siva
KubeEdge Extends Cloud Native Beyond the Data Center
Oct 15th 2024 9:00am, by Joab Jackson
Integration of AI With IoT Brings Agents to Physical World
Oct 8th 2024 7:46am, by Janakiram MSV
From VMs to AI: How Edge Computing Is Evolving
Sep 13th 2024 3:54am, by Ben Cohen
The New 2GB Raspberry Pi 5: Another Option for Linux Sysadmins
Sep 2nd 2024 9:00am, by Damon M. Garn
Golang Pub/Sub: Why It’s Better When Combined With GoFr
Aug 28th 2024 6:00am, by Robert Kimani
Improve Microservices With These New Load Balancing Strategies
Nov 8th 2024 3:00am, by Dhruv Kumar Seth
How To Fail at Microservices
Nov 1st 2024 3:00am, by Ashley Davis
Shift Left Meets Kafka: Testing Event-Driven Microservices
Oct 30th 2024 1:00pm, by Arjun Iyer
Why Duplicating Environments for Microservices Backfires
Oct 24th 2024 11:00am, by Arjun Iyer
Microservices Testing: Feature Flags vs. Preview Environments
Oct 14th 2024 7:30am, by Arjun Iyer
TrueNAS, a Linux Distro for Low Cost Network-Attached Storage
Oct 26th 2024 8:00am, by Jack Wallen
What Is the Future of the .io Domain?
Oct 18th 2024 8:00am, by Jack Wallen
Before Facebook, the Late Ward Christensen Booted Up the First Social Network
Oct 17th 2024 2:00pm, by Steven J. Vaughan-Nichols
Cloud Native Networking as Kubernetes Starts Its Second Decade
Oct 16th 2024 7:00am, by Nico Vibert
Internet Architecture Board ISO Future Networking Tech
Sep 29th 2024 8:00am, by Joab Jackson
Why Platform Engineers Are Embracing WebAssembly for Serverless
Oct 30th 2024 10:00am, by Matt Butcher
Azure Durable Functions: FaaS for Complex Workflows
Aug 15th 2024 8:16am, by Lily Ma and David Justo
Momento: Caching at Scale and More, Without All the Hassle
Jul 22nd 2024 11:23am, by Susan Hall
WebAssembly and Kubernetes Go Better Together: Matt Butcher
May 22nd 2024 2:00pm, by Raghavan "Rags" Srinivas
How to Conquer Cold Starts for Better Performance
Apr 25th 2024 9:17am, by Henry Hamid Safi
SlateDB: 'Bottomless' Databases Built on Cloud Object Stores
Nov 7th 2024 7:00am, by Joab Jackson
Cache vs. Database: Has Performance Converged?
Nov 6th 2024 11:00am, by Felipe Cardeneti Mendes
Shrinking Embeddings for Speed and Accuracy in AI Models
Nov 4th 2024 6:43am, by Bonnie Chase
Etckeeper: Back Your/etc/Files to Git for Safekeeping
Nov 2nd 2024 7:00am, by Jack Wallen
TrueNAS, a Linux Distro for Low Cost Network-Attached Storage
Oct 26th 2024 8:00am, by Jack Wallen
AI Large Language Models Frontend Development Software Development API Management Python JavaScript TypeScript WebAssembly Cloud Services Data Security
Navigating the Turbulent Waters of AI Security
Nov 5th 2024 8:30am, by
Running Llama 3.2 on AWS Lambda
Nov 4th 2024 8:30am, by
Shrinking Embeddings for Speed and Accuracy in AI Models
Nov 4th 2024 6:43am, by
How Liquid AI Is Challenging Transformer-Based AI Models
Nov 3rd 2024 7:00am, by
The 10x Developer vs. AI: Will Tech’s Elite Coder Be Replaced?
Nov 3rd 2024 5:00am, by
Running Llama 3.2 on AWS Lambda
Nov 4th 2024 8:30am, by
How Liquid AI Is Challenging Transformer-Based AI Models
Nov 3rd 2024 7:00am, by
How To Create Software Diagrams With ChatGPT and Claude
Oct 31st 2024 8:00am, by
GraphRAG 101: Increasing GenAI Accuracy and Completeness
Oct 31st 2024 6:15am, by
Why Metadata and Fine-Tuning Are Key To Scaling NLQ to SQL
Oct 31st 2024 3:00am, by
Top 10 JavaScript SEO Tricks Every Developer Should Know
Nov 8th 2024 9:00am, by
Implement Behavior-Driven Development in Android With Cucumber
Nov 8th 2024 7:32am, by
Harnessing Visual Appeal Is the Key to Gaining Users in a Crowded App Space
Nov 8th 2024 5:00am, by
Bluesky's AT Protocol: Pros and Cons for Developers
Nov 7th 2024 8:00am, by
Vercel Makes Changes to Next.js To Simplify Self-Hosting
Nov 5th 2024 11:00am, by
The Key Fundamentals of Programming You Should Know
Nov 8th 2024 6:00am, by
Harnessing Visual Appeal Is the Key to Gaining Users in a Crowded App Space
Nov 8th 2024 5:00am, by
Tips and Tricks for Clean, Readable Python Code
Nov 7th 2024 10:00am, by
Maximizing Headless Architecture: A Guide for Developer Teams
Nov 7th 2024 5:00am, by
Agile Data Management Explained and Demystified
Nov 6th 2024 3:00am, by
Improve Microservices With These New Load Balancing Strategies
Nov 8th 2024 3:00am, by
Running Llama 3.2 on AWS Lambda
Nov 4th 2024 8:30am, by
The Future of APIs: Lessons in Security, Composability, AI
Oct 28th 2024 6:24am, by
REST vs. GraphQL: Solving API Challenges in Modern Data Transfers
Oct 24th 2024 10:00am, by
AI Agents Are Redefining the Future of Identity and Access Management
Oct 22nd 2024 10:00am, by
The Key Fundamentals of Programming You Should Know
Nov 8th 2024 6:00am, by
Tips and Tricks for Clean, Readable Python Code
Nov 7th 2024 10:00am, by
Write Better Python With List Comprehensions
Nov 5th 2024 7:30am, by
Why Should Python Developers Care About Testing
Nov 1st 2024 7:58am, by
Python 3.14.0 Alpha Is Now Available: Here's What's Included
Oct 31st 2024 5:00am, by
Top 10 JavaScript SEO Tricks Every Developer Should Know
Nov 8th 2024 9:00am, by
Vercel Makes Changes to Next.js To Simplify Self-Hosting
Nov 5th 2024 11:00am, by
OpenNext Gets Closer to Making Next.js Truly Portable
Nov 1st 2024 9:00am, by
Hiring a Javascript Dev? Use These Interview Techniques
Oct 29th 2024 3:00am, by
Newly Stable Next.js Compiler Faster, Supports Larger Builds
Oct 25th 2024 7:51am, by
How OOP Developers Can Get To Know TypeScript Through Deno
Oct 19th 2024 8:00am, by
Configure Microservices in NestJS: A Beginner’s Guide
Oct 11th 2024 12:00pm, by
Why ChatGPT Shifted From Next.js To Remix: Some Theories
Sep 14th 2024 8:05am, by
Is React Now a Full Stack Framework? And Other Dev News
Aug 31st 2024 5:00am, by
Implementing IAM in NestJS: The Essential Guide
Aug 30th 2024 6:26am, by
Why Platform Engineers Are Embracing WebAssembly for Serverless
Oct 30th 2024 10:00am, by
Step-by-Step Guide To Using WebAssembly for Faster Web Apps
Oct 17th 2024 10:00am, by
Spin + StarlingMonkey Equals JavaScript for WebAssembly
Oct 14th 2024 8:30am, by
Traefik 3.0 Works Better With WebAssembly and OpenTelemetry
Sep 17th 2024 1:30pm, by
Arcjet Launches: Wasm-Powered Security for Modern Developers
Sep 10th 2024 2:05pm, by
Maximizing Headless Architecture: A Guide for Developer Teams
Nov 7th 2024 5:00am, by
You Must Prioritize Compliance in Modern Infrastructure
Nov 7th 2024 3:00am, by
Why We Need a New IfC Approach to Meet HPC Challenges
Nov 6th 2024 10:00am, by
Cloud vs. On-Prem: Comparing Long-Term Costs
Nov 6th 2024 5:00am, by
Top Costly Cloud Mistakes — and How To Sidestep Them
Nov 5th 2024 3:00am, by
How Time Plays a Crucial Role in Aggregating Mobile Data
Nov 7th 2024 6:00am, by and
Amazon to Save Millions Moving From Apache Spark to Ray
Nov 6th 2024 7:00am, by
Agile Data Management Explained and Demystified
Nov 6th 2024 3:00am, by
REST vs. GraphQL: Solving API Challenges in Modern Data Transfers
Oct 24th 2024 10:00am, by
AI Engineering: Level Up Your IT Career
Oct 23rd 2024 7:19am, by and
You Have an SBOM — What Are the Next Steps?
Nov 8th 2024 10:00am, by
You Must Prioritize Compliance in Modern Infrastructure
Nov 7th 2024 3:00am, by
Chaos to Control: 3 Steps for Automating Incident Management
Nov 6th 2024 9:00am, by
Avoid the Crypto Tar Pit: Prepare for Quantum Cybersecurity
Nov 6th 2024 8:00am, by
Navigating the Turbulent Waters of AI Security
Nov 5th 2024 8:30am, by
Platform Engineering Operations CI/CD Tech Careers Tech Culture DevOps Kubernetes Observability Service Mesh
Improve Developer Onboarding With an Internal Developer Portal
Nov 8th 2024 8:02am, by Jonathan Gruber
The Birth and Continuing Evolution of Platform Engineering
Nov 5th 2024 5:00am, by Todd R. Weiss
Make Workloads, Not Infrastructure: Redefining K8s Platforms
Nov 1st 2024 7:00am, by Will Stewart
Platform Engineering's Most Critical First Decision
Nov 1st 2024 4:00am, by Todd R. Weiss
Sicredi: From Manual Banking to Platform Engineering
Oct 30th 2024 7:30am, by Todd R. Weiss
You Have an SBOM — What Are the Next Steps?
Nov 8th 2024 10:00am, by Aaron Linskens
Cache vs. Database: Has Performance Converged?
Nov 6th 2024 11:00am, by Felipe Cardeneti Mendes
Chaos to Control: 3 Steps for Automating Incident Management
Nov 6th 2024 9:00am, by Joseph Mandros
Avoid the Crypto Tar Pit: Prepare for Quantum Cybersecurity
Nov 6th 2024 8:00am, by Tomas Gustavsson
Cloud vs. On-Prem: Comparing Long-Term Costs
Nov 6th 2024 5:00am, by Justin Garrison
You Have an SBOM — What Are the Next Steps?
Nov 8th 2024 10:00am, by Aaron Linskens
Improve Developer Onboarding With an Internal Developer Portal
Nov 8th 2024 8:02am, by Jonathan Gruber
How K8s CPU Requests and Limits Actually Work — Chapter 2
Nov 7th 2024 11:00am, by Reid Vandewiele
How Kubernetes Requests and Limits Really Work
Nov 5th 2024 10:00am, by Reid Vandewiele
DevOps Moves Beyond Automation to Tackle New Challenges
Nov 4th 2024 7:27am, by Eric Newcomer
Upskilling Engineering Teams for the AI Era 
Nov 7th 2024 9:00am, by Sabrina Farmer
The 10x Developer vs. AI: Will Tech’s Elite Coder Be Replaced?
Nov 3rd 2024 5:00am, by Yang Li
All Things Open: What’s Your Future as a Developer? 
Oct 31st 2024 1:30pm, by Heather Joslyn
Hiring a Javascript Dev? Use These Interview Techniques
Oct 29th 2024 3:00am, by Artem Barmin
AI Engineering: Level Up Your IT Career
Oct 23rd 2024 7:19am, by Fatih Nar and Roy Chua
Before Facebook, the Late Ward Christensen Booted Up the First Social Network
Oct 17th 2024 2:00pm, by Steven J. Vaughan-Nichols
Zorin OS: The Perfect Linux Distro for Migrating From Windows
Oct 5th 2024 8:00am, by Jack Wallen
Lost 1983 Programming Language Resurrected by Retro Compute YouTube Channel
Oct 5th 2024 6:00am, by David Cassel
Developer Relations Foundation Aims to Clarify Role
Oct 2nd 2024 12:00pm, by Loraine Lawson
Social Web Foundation Launched — How In Is W3C on Fediverse?
Sep 24th 2024 6:00am, by Richard MacManus
Improve Microservices With These New Load Balancing Strategies
Nov 8th 2024 3:00am, by Dhruv Kumar Seth
Why We Need a New IfC Approach to Meet HPC Challenges
Nov 6th 2024 10:00am, by Doug Sillars
Chaos to Control: 3 Steps for Automating Incident Management
Nov 6th 2024 9:00am, by Joseph Mandros
Agile Data Management Explained and Demystified
Nov 6th 2024 3:00am, by Daniel Quadros
Top Costly Cloud Mistakes — and How To Sidestep Them
Nov 5th 2024 3:00am, by Kyle Campos
How K8s CPU Requests and Limits Actually Work — Chapter 2
Nov 7th 2024 11:00am, by Reid Vandewiele
10 Tips for Kubernetes Architects on K8s' 10th Birthday
Nov 5th 2024 12:00pm, by Raghavan "Rags" Srinivas
How Kubernetes Requests and Limits Really Work
Nov 5th 2024 10:00am, by Reid Vandewiele
The Birth and Continuing Evolution of Platform Engineering
Nov 5th 2024 5:00am, by Todd R. Weiss
To Solve Kubernetes Sprawl, Try Kubernetes 'All the Way Down'
Nov 4th 2024 6:11am, by Randy Bias
How Time Plays a Crucial Role in Aggregating Mobile Data
Nov 7th 2024 6:00am, by David Rifkin and Juan Carrillo
Cloud Apps Slow? Network Throttling Could Be Why
Nov 4th 2024 10:00am, by Kent Kawahara
How We Engineered Capturing Android ANRs in OTel
Oct 31st 2024 12:00pm, by Jamie Lynch
C# Logging Key Considerations with .NET
Oct 29th 2024 6:28am, by Denis Troller
LLo11yPop: Nvidia, Grafana Working on LLM for Observability
Oct 23rd 2024 1:00pm, by B. Cameron Gain
Tetrate, Bloomberg Collaborate on Envoy-Based AI Gateways
Oct 7th 2024 2:00pm, by Steven J. Vaughan-Nichols
Istio 1.23 Drops the Sidecar for a Simpler 'Ambient Mesh'
Aug 19th 2024 12:59pm, by Joab Jackson
Can Cilium Be a Control Plane Beyond Kubernetes?
Jul 28th 2024 6:00am, by Alex Williams
6 Tips to Integrate Container Orchestration and APM Tools
May 20th 2024 11:03am, by Chris Cooney
Enhancing Business Security and Compliance with Service Mesh
Apr 1st 2024 10:00am, by Ninad Desai
CI/CD / Operations / Security

You Have an SBOM — What Are the Next Steps?

Combining software composition analysis with SBOMS can help you build a comprehensive approach to managing and securing your software supply chain.
Nov 8th, 2024 10:00am by
Featued image for: You Have an SBOM — What Are the Next Steps?
Image from 33rdtimeluckystudio on Shutterstock

Just as architects rely on blueprints to know the details of a building, software developers use a specific resource to track each component within their applications: the software bill of materials (SBOM).

As a detailed inventory, an SBOM helps you know every component within your software supply chain, from proprietary code to open source. By keeping a comprehensive list, you can be better equipped to enhance security and quickly address vulnerabilities.

But a key question remains: Once you have an SBOM, what are the next steps?

Validate Your SBOM

An SBOM is more than a list of components. It’s an essential document to help maintain software transparency and integrity. The true value emerges when you validate an SBOM and confirm its contents accurately represent the current state of your software.

Consider the following steps for SBOM validation:

  1. Verify component accuracy: Use automated tools to cross-check the SBOM against your actual software dependencies, and update the SBOM to correct discrepancies.
  2. Confirm version consistency: Ensure the versions listed match those in your build environment to identify any outdated components needing updates.
  3. Check licensing information: Verify each component’s licensing details are accurate to maintain compliance and avoid legal risks.
  4. Scan for known vulnerabilities: Use software composition analysis (SCA) tools to compare SBOM components against vulnerability databases, ensuring they are free from high-risk issues.
  5. Document validation results: Keep records of your validation process and any remediation actions to streamline future audits and enhance security responses.

Consistent SBOM validation enhances decision-making, enables tracing of component origins and improves security. By offering transparency into all components, it reduces reliance on vendor claims and streamlines audits. Regular validation also ensures components are up to date, supporting a proactive security posture.

Add Software Composition Analysis

One of the most effective ways to secure your software is with a combined practice of SBOM management and SCA. While SBOMs provide a list of components, SCA tools analyze those components for licensing issues, compliance risks and vulnerabilities.

Together, SBOM management and SCA build a comprehensive approach to managing your software supply chain.

As a dual approach, consider these tactics:

  • Cross-check compliance and security: Once validated, an SBOM can cross-reference SCA scan results. This helps detect discrepancies, ensuring SBOM and SCA findings align, and addresses licensing, quality and security issues.
  • Augment SCA with SBOM insights: SBOMs can enhance SCA scans by shedding light on harder-to-assess areas like databases or operating systems, ensuring a more thorough risk evaluation.

SBOM management with SCA creates a holistic view of your software and helps maintain its integrity. This facilitates proactive risk management, ensures compliance with regulatory standards and secures your software against potential threats.

Integrate SBOMs Into the Development Life Cycle

To maximize SBOM benefits, integrate them into your SDLC and automate the process whenever possible. This ensures real-time updates, maintaining accuracy as your software evolves. Regular updates reduce the risk of outdated data, enhancing transparency and security.

Automating SBOM creation by integrating them into CI/CD pipelines ensures an SBOM with each build, providing a reliable record of software components. By setting up quality gates in your CI/CD workflows, you can scan SBOMs for security vulnerabilities and licensing issues, stopping noncompliant components from moving forward in deployment.

During quality assurance (QA), SBOMs are vital for ensuring compliance and security before release. They ensure each release meets industry standards and best practices. By integrating SBOMs into CI/CD and QA processes, development teams establish a robust framework for transparency and compliance, boosting software supply chain security at all stages.

Manage and Monitor SBOMs for Vulnerabilities

Effective SBOM management extends beyond the development phase. Once in production, SBOMs need to be continuously monitored to ensure ongoing security and compliance, especially as new vulnerabilities emerge.

To effectively monitor SBOMs, consider these best practices:

  • Maintenance of an SBOM archive: Create an up-to-date repository for all SBOMs related to software in production or delivered to customers. This archive is vital for auditing and tracking component changes throughout the SDLC.
  • Long-term retention: Keep SBOMs for the entire duration a software version is in use. This supports compliance and enables quick responses to vulnerabilities.
  • Proactive risk management: When you find a vulnerability, use your SBOM archive to quickly identify and fix the affected components. This enables rapid remediation and reduces exposure.
  • Third-party SBOM monitoring: Regularly monitor SBOMs from third-party vendors to improve your response to zero-day vulnerabilities and software supply chain attacks.

With these best practices, you can mitigate risks and protect your software from security threats while maintaining compliance with industry standards.

Leverage SBOMs for Long-Term Security

As SBOM adoption grows, organizations must enhance their management practices to ensure robust software security, particularly with open source.

By focusing on validation, integration and monitoring, you can count on your SBOMs as powerful resources for managing software security and compliance.

This approach not only creates a more transparent and accountable software development process, but also strengthens defenses against vulnerabilities and software supply chain attacks.

TRENDING STORIES
Group Created with Sketch.
Aaron Linskens is a technical writer at Sonatype. His expertise encompasses technical documentation, user advocacy, and information design. Positioned at a crossroads of technical communication and software supply chains, he aims to enhance understanding and facilitate user engagement.
Read more from Aaron Linskens
SHARE THIS STORY
TRENDING STORIES
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.