VMware Achieves SBOM Compliance for Over 100 Services with Endor Labs
The VMware compliance team was charged with building a scalable process to collect and attest to SBOMs from all VMware business units and some external vendors. Given the scope and size of VMware's software factory, this was a massive undertaking. Read how they use Endor Labs to automatically analyze and ensure the integrity of SBOMs, and to continuously monitor for risks, across more than 100 services.
“At VMware, our principle is that compliance is the outcome of a good security practice.” - Director, Corporate Compliance and GRC Transformation, VMware
After Executive Order (E.O.) 14028 was released, the Global InfoSec Compliance team at VMware was under pressure to build a scalable, repeatable process that collects SBOMs from all VMware business units and external vendors. Each SBOM would then need to be verified and signed through an approval process. While this was a massive undertaking, the silver lining was that the mandate forced stakeholders to think about their SBOM process, and it gave them a deadline. The E.O. was a catalyst, not the end goal. The Global InfoSec Compliance team looked for opportunities to use this “SBOM moment” to gain better visibility into risk and improve overall security posture.
Your applications consume other services, internal and external. So when you’re creating an SBOM, you need to include your dependencies on open source software as well as on third-party services. Those third-party services have their own SBOMs, which also need to be ingested, making SBOM management and standardization a complex undertaking.
The team set out to figure out a tricky problem: How could they build a process that centrally manages thousands of internal and external SBOMs, provides another level of assurance before submitting them to executives and federal agencies, and makes it easy to go back to stakeholders and highlight relevant risks?
“Endor Labs’ support for VEX, which is considered a companion document to any SBOM, and how easily we can ingest and manage SBOMs was key to our decision.” - Director, Corporate Compliance and GRC Transformation, VMware
The Global InfoSec Compliance team put together a rigorous set of 40 different requirements. After their evaluation, they selected Endor Labs. One of the key drivers of the decision was Endor Labs’ ability to generate and automatically annotate Vulnerability Exploitability eXchange (VEX) documents. In addition to being an E.O. requirement, VEX lets the team see which vulnerabilities are associated with an SBOM and whether or not they are reachable (and should therefore be prioritized). The flip side is equally useful: VEX records why certain vulnerabilities were not fixed, namely that the code they affect is never executed by the product.
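To make the reachability/not-affected distinction concrete, here is an added example (not Endor Labs code, and not from VMware) that triages a VEX document into "prioritize", "suppressed" and "needs review" buckets. It assumes the CycloneDX `vulnerabilities` shape (the page does not say which VEX format is used), and the sample document, component refs and CVE identifiers are constructed placeholders. The point it shows that the prose does not is that a `not_affected` claim with no justification should not be accepted by whoever signs the attestation.

```python
"""Triage a CycloneDX-style VEX document. Added example; not the vendor's code."""
import json

# Constructed sample VEX in the CycloneDX 1.4 `vulnerabilities` shape.
# The component refs and CVE ids are placeholders for illustration only.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {
            "id": "CVE-0000-0001",
            "affects": [{"ref": "pkg:maven/example/lib-a@1.0.0"}],
            "analysis": {"state": "exploitable",
                         "detail": "Vulnerable function is called from a request handler"},
        },
        {
            "id": "CVE-0000-0002",
            "affects": [{"ref": "pkg:maven/example/lib-b@2.3.1"}],
            "analysis": {"state": "not_affected",
                         "justification": "code_not_reachable",
                         "detail": "Affected method is never invoked by this service"},
        },
        {
            "id": "CVE-0000-0003",
            "affects": [{"ref": "pkg:maven/example/lib-c@0.9.0"}],
            # No analysis block at all: this finding has not been assessed yet.
        },
        {
            "id": "CVE-0000-0004",
            "affects": [{"ref": "pkg:maven/example/lib-d@4.1.0"}],
            "analysis": {"state": "not_affected"},  # claim with no justification
        },
    ],
})

# CycloneDX analysis.justification values that explain why a vulnerability is
# not exploitable in this product; these are the "why it was not fixed" reasons.
ACCEPTED_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}

# States that mean the issue is closed for this product and needs no further work.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "false_positive"}


def triage_vex(vex_json: str) -> dict:
    """Bucket every (vulnerability id, component ref) pair in a VEX document.

    prioritize   - state is `exploitable`: reachable, fix first
    suppressed   - `not_affected` with a recognised justification, or a closed state
    needs_review - no analysis, `in_triage`, or `not_affected` without a justification
    """
    doc = json.loads(vex_json)
    buckets = {"prioritize": [], "suppressed": [], "needs_review": []}
    for vuln in doc.get("vulnerabilities", []):
        refs = [a.get("ref", "<unknown>") for a in vuln.get("affects", [])] or ["<unknown>"]
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        justification = analysis.get("justification")
        for ref in refs:
            entry = (vuln.get("id", "<no id>"), ref)
            if state == "exploitable":
                buckets["prioritize"].append(entry)
            elif state == "not_affected" and justification in ACCEPTED_JUSTIFICATIONS:
                buckets["suppressed"].append(entry)
            elif state in CLOSED_STATES:
                buckets["suppressed"].append(entry)
            else:
                # Unassessed, still in triage, or a not_affected claim that gives
                # no reason: an attester should not sign off on this as-is.
                buckets["needs_review"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage_vex(SAMPLE_VEX).items():
        print(bucket)
        for vuln_id, ref in items:
            print(f"  {vuln_id}  {ref}")
```

Run as a script it prints the three buckets for the constructed document; in a pipeline the `needs_review` list is what gets sent back to the owning team before the SBOM/VEX pair is approved.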
“Endor Labs makes it easy for us to conduct our own internal risk assessment before SBOMs from our internal applications are rolled out, just like we do with ISO certifications and other audits.” - Global Head of InfoSec & GRC Strategy, VMware Cloud Services
The team at VMware quickly integrated Endor Labs into their development workflow, so that every time an SBOM is generated, it gets vetted through Endor Labs. If any issues arise, the relevant teams are notified so the gaps can be closed.
“Our top executives are attesting to these SBOMs. We have a duty of care to ensure that we produce high integrity SBOMs. If we don’t know all of our direct and transitive dependencies, have missing components, or are unable to quickly validate things like the deployment build matching the declared source, the SBOM cannot be complete. This is where having Endor Labs is crucial - it helps us identify all dependencies, understand the impact of risk, and gives us the trust and assurance to back and commit to our leadership that we have a high integrity SBOM.” - Director, Corporate Compliance and GRC Transformation, VMware
The team can now:
- Ingest and centrally manage 1st and 3rd party SBOM/VEX documents for over 100 services
- Automatically analyze and ensure the integrity of SBOMs at scale
- Understand the risk each SBOM might present via granular visibility
- Continuously monitor and be alerted to new risks, with the intelligence to quickly make remediation decisions
“From an efficiency perspective, Endor Labs helps us go home early. The ability to continuously monitor for new risks in VEX documents, and then quickly pinpoint which component is vulnerable, at what scale and what should be the priority - saves us a lot of time.” - Director, Corporate Compliance and GRC Transformation, VMware