Blackfort Technology

Software Supply Chain Security

SBOM & Dependency Management

Complete transparency over your software components. SBOM creation, vulnerability analysis, and continuous dependency monitoring.

What Is an SBOM?

A Software Bill of Materials (SBOM) is a complete inventory of all components, libraries, and dependencies within a software application. Analogous to a food product's ingredient list, an SBOM provides transparency into what your software contains – and which known vulnerabilities are present in those components.

Without an SBOM, organisations cannot answer a fundamental security question: if a critical vulnerability is disclosed in an open-source library, are we affected? With an SBOM, the answer is immediate. With continuous monitoring, the answer arrives automatically – before security teams even need to ask.

Regulatory Requirements

The EU Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to provide a machine-readable SBOM. NIS2 mandates supply chain security measures. The US Executive Order 14028 requires SBOMs for software delivered to federal agencies.

These requirements are converging: organisations supplying software to regulated industries or critical infrastructure are increasingly required by contract to provide SBOMs as part of vendor security onboarding. We help you meet these requirements efficiently – with automated processes that integrate into your existing build pipelines rather than creating parallel manual workflows.

SBOM Formats: CycloneDX and SPDX Compared

CycloneDX is the format recommended by the Cyber Resilience Act and OWASP, with a strong focus on security applications: CVE matching, VEX (Vulnerability Exploitability eXchange), and licence compliance are natively integrated. SPDX (Software Package Data Exchange) is the older ISO standard with broad open-source adoption – and frequently a requirement for vendors supplying US federal agencies.

We produce SBOMs in both formats and support conversion between standards, depending on your target audience and regulatory requirements. Organisations with mixed requirements – security-focused internally, compliance-focused for customers – typically need both.

Continuous Monitoring

A one-time SBOM is not enough. Dependencies change; new vulnerabilities are disclosed continuously. Our SBOM-as-a-Service provides continuous monitoring: as soon as a vulnerability is published for one of your components, you are notified – with a risk assessment and recommended action.

This transforms SBOM from a compliance checkbox into operational security intelligence. Instead of discovering that your product was vulnerable after an incident, you receive proactive notification with enough context to prioritise and act. For organisations with ISO 27001, NIS2, or CRA obligations, this turns vulnerability management from a reactive scramble into a systematic process.

Our SBOM Service

  • SBOM creation (CycloneDX, SPDX)
  • Dependency analysis
  • CVE matching and prioritisation
  • Continuous monitoring
  • CI/CD integration
  • Licence compliance check
  • Vendor SBOM management
  • CRA compliance evidence

Related Topic

CRA Compliance: The 4-Phase Model

SBOM is a core element of CRA implementation. Find the complete implementation roadmap here.



Frequently Asked Questions

Am I required to provide an SBOM?

The Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to provide a machine-readable SBOM. The US Executive Order 14028 mandates SBOMs for software delivered to federal agencies. Organisations supplying software to regulated industries – financial services, healthcare, critical infrastructure – are increasingly required by contract to provide SBOMs as part of vendor security onboarding.

How long does the initial SBOM creation take?

That depends on the complexity of your software landscape. For a single application with clear build processes, 1–3 days is realistic. For complex product portfolios with multiple technology stacks, we plan 2–4 weeks for initial inventory and process setup. Once automated SBOM generation is integrated into your CI/CD pipeline, each subsequent release produces an updated SBOM in minutes.

What is VEX, and do I need it?

VEX (Vulnerability Exploitability eXchange) supplements the SBOM with statements about the actual exploitability of known CVEs: is a known vulnerability actually reachable in your specific product configuration? A package with a known CVE may not be exploitable in your deployment context if the vulnerable code path is not invoked. VEX substantially reduces false-positive workload and is increasingly part of the CRA compliance documentation requirement.
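As an added illustration (not the page's or Blackfort's own tooling) of the CVE matching and VEX filtering described above, the following Python walks a constructed CycloneDX-style SBOM against a constructed advisory list, then applies a CycloneDX VEX `not_affected` statement so that only actionable findings remain. Field names follow the CycloneDX JSON schema; the component names, purls and CVE ids are placeholders invented for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment (placeholder component names and purls, not a real product)
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "examplelib-parser", "version": "2.1.0",
   "purl": "pkg:maven/org.example/examplelib-parser@2.1.0"},
  {"type": "library", "name": "examplelib-net", "version": "1.4.2",
   "purl": "pkg:maven/org.example/examplelib-net@1.4.2"}]}"""

# Constructed advisory feed with placeholder CVE ids; a real feed would carry version ranges,
# the exact-version list here keeps the matching step easy to follow
ADVISORIES = [
    {"id": "CVE-0000-0001", "purl": "pkg:maven/org.example/examplelib-parser",
     "affected_versions": ["2.0.0", "2.1.0"], "severity": "critical"},
    {"id": "CVE-0000-0002", "purl": "pkg:maven/org.example/examplelib-net",
     "affected_versions": ["1.4.2"], "severity": "high"},
    {"id": "CVE-0000-0003", "purl": "pkg:maven/org.example/examplelib-net",
     "affected_versions": ["1.3.0"], "severity": "high"},
]

# Constructed CycloneDX VEX fragment: the vendor states that CVE-0000-0002 is not reachable
# in this product, using the CycloneDX analysis.state / analysis.justification fields
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "CVE-0000-0002",
   "affects": [{"ref": "pkg:maven/org.example/examplelib-net@1.4.2"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}"""

def match_cves(sbom, advisories):
    """Return (purl, cve_id, severity) for each component whose exact version an advisory lists."""
    hits = []
    for comp in sbom["components"]:
        base, _, version = comp["purl"].rpartition("@")  # split "pkg:...@version"
        for adv in advisories:
            if adv["purl"] == base and version in adv["affected_versions"]:
                hits.append((comp["purl"], adv["id"], adv["severity"]))
    return hits

def apply_vex(hits, vex):
    """Drop hits that a VEX statement marks not_affected or false_positive for that exact ref."""
    suppressed = {(a["ref"], v["id"])
                  for v in vex.get("vulnerabilities", [])
                  if v.get("analysis", {}).get("state") in ("not_affected", "false_positive")
                  for a in v.get("affects", [])}
    return [h for h in hits if (h[0], h[1]) not in suppressed]

def triage(sbom_json=SBOM_JSON, advisories=ADVISORIES, vex_json=VEX_JSON):
    """Run both stages and return (raw_matches, actionable_after_vex)."""
    raw = match_cves(json.loads(sbom_json), advisories)
    return raw, apply_vex(raw, json.loads(vex_json))
```

Here the raw match stage reports two CVEs, and the VEX statement removes the unreachable one, leaving only the critical finding for the parser component to act on.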

Can you manage SBOMs for third-party vendor components?

Yes. Vendor SBOM management is part of our service: we collect SBOMs from your suppliers, validate format and completeness, integrate them into your SBOM inventory, and monitor them continuously for new CVEs. This gives you visibility into the security posture of your entire software supply chain – not just the components you build yourself.


Secure Your Software Supply Chain

Complete transparency over your dependencies – for compliance, security, and trust.