Software supply-chain attacks increased 650% in the past year, according to a report published by our partner Sonatype, with recent major incidents and breaches involving SolarWinds, Microsoft, Kaseya and others. To close this mobile app supply-chain security gap, NowSecure today announced that it has extended the NowSecure Platform with new dynamic Software Bill of Materials (SBOM) generation capabilities, available through an early access program and delivered via web views and the industry-standard CycloneDX format.
Given the critical and pervasive risks now rampant in the software supply chain and the White House Executive Order driving new federal SBOM standards, NowSecure has created an early access program to make our mobile app SBOM reports free to all software developers and corporate risk and security teams.
Using the NowSecure Platform SBOM tool in our early access program, organizations can gain visibility into four critical details of any mobile app running on iOS or Android so that they can better understand the supply-chain risks in the mobile apps they build and use:
1. the list of first-party and third-party libraries and frameworks found directly in, or identified as transitive dependencies of, the compiled mobile app binary, along with the most current published version of each
2. the licenses relevant to each component of the mobile app
3. the list of endpoints and geolocation information for any detected data transmission found during dynamic analysis
4. a summary of security vulnerabilities detected while dynamically analyzing the mobile app to generate the SBOM
As the world’s first mobile SBOM security solution, NowSecure goes beyond traditional SBOM source code analysis techniques to deliver more comprehensive results. Purpose-built for mobile apps, the NowSecure Platform SBOMs are generated by statically and dynamically analyzing the compiled mobile app binary running on real iOS and Android devices, generating rich details on libraries, frameworks, API endpoints, data transmission location and summary vulnerability information. Because NowSecure analyzes the compiled mobile app binary, it can process both internally developed mobile apps and public apps found in the commercial app stores from Apple and Google, providing critical insights to enterprises using any of the more than 6 million commercial apps.
The NowSecure SBOM software provides web views and industry-standard CycloneDX data feeds to deliver immediate, actionable benefits that include:
- Discover and gain visibility into the libraries/frameworks included in all mobile apps
- Pinpoint libraries/frameworks that are using older versions
- Identify components that were previously flagged for removal but are still present
- Uncover component licenses that violate internal and external policies
- Understand where data is going (including unapproved APIs and destinations)
- Expose summary vulnerability information that requires further testing and analysis
CycloneDX is a new specification from OWASP focused on standardizing interoperability of SBOM data. “The CycloneDX SBOM standard is a result of security experts and industry coming together to create an SBOM standard that delivers the transparency and interoperability necessary to communicate software inventory and the relationships across different systems,” said Steve Springett, chair of the OWASP CycloneDX project. “We’re excited that NowSecure supports the CycloneDX SBOM standard — a tremendous victory for the mobile space and for NowSecure customers.”
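The benefits list above (outdated versions, leftover components, license policy violations, unapproved data destinations, summary vulnerability information) and the CycloneDX passage describe what a consumer of a mobile SBOM would check. The following is an added example, not NowSecure's or OWASP's code, that reads a CycloneDX 1.4 JSON document and runs those checks against a small policy. The SBOM content, the policy values, the component names and the vulnerability identifier are all constructed for illustration; a real team would take the SBOM from its generator and the policy from its own component registry.

```python
"""Audit a CycloneDX JSON SBOM against a simple organizational policy (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample SBOM in CycloneDX 1.4 JSON layout; not a real platform export.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-mobile-app", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/com.squareup.okhttp3/okhttp@3.12.0",
         "name": "okhttp", "version": "3.12.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/com.google.code.gson/gson@2.8.9",
         "name": "gson", "version": "2.8.9", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "legacy-tracker@1.0.1",
         "name": "legacy-tracker", "version": "1.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    # CycloneDX "services" carry the endpoints a component talks to.
    "services": [
        {"name": "analytics-backend", "endpoints": ["https://analytics.example.net/v1/collect"]},
        {"name": "app-api", "endpoints": ["https://api.example.com/v2/login"]},
    ],
    # Vulnerability id is a placeholder, not a real advisory identifier.
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-1", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/com.squareup.okhttp3/okhttp@3.12.0"}]},
    ],
})

# Hypothetical policy inputs (constructed). "latest_known_versions" stands in for
# whatever source the organization uses to learn the current published version.
POLICY = {
    "latest_known_versions": {"okhttp": "4.10.0", "gson": "2.8.9", "legacy-tracker": "1.0.1"},
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "banned_components": {"legacy-tracker"},   # previously required to be removed
    "approved_hosts": {"api.example.com"},
}


def version_key(version):
    """Turn '3.12.0' into (3, 12, 0) so tuples compare numerically, not lexically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(text):
    """Load the JSON and confirm it claims to be a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_licenses(component):
    """Return SPDX ids (or names) declared for a component; UNKNOWN if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def audit_sbom(bom, policy):
    """Return findings grouped by the kind of policy check that raised them."""
    findings = {"outdated": [], "banned": [], "license": [], "endpoint": [], "vulnerable": []}
    ref_to_name = {}
    for comp in bom.get("components", []):
        name, version = comp["name"], comp.get("version", "")
        ref_to_name[comp.get("bom-ref", name)] = name
        latest = policy["latest_known_versions"].get(name)
        if latest and version_key(version) < version_key(latest):
            findings["outdated"].append((name, version, latest))
        if name in policy["banned_components"]:
            findings["banned"].append(name)
        for lic in component_licenses(comp):
            if lic not in policy["allowed_licenses"]:
                findings["license"].append((name, lic))
    for svc in bom.get("services", []):
        for url in svc.get("endpoints", []):
            host = urlparse(url).hostname or ""
            if host not in policy["approved_hosts"]:
                findings["endpoint"].append((svc.get("name", "?"), host))
    for vuln in bom.get("vulnerabilities", []):
        ratings = vuln.get("ratings", [])
        severity = ratings[0].get("severity", "unknown") if ratings else "unknown"
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            findings["vulnerable"].append((ref_to_name.get(ref, ref), vuln.get("id"), severity))
    return findings


if __name__ == "__main__":
    for kind, items in audit_sbom(parse_sbom(SAMPLE_SBOM_JSON), POLICY).items():
        print(kind, items)
```

The version comparison is deliberately naive (numeric dotted segments only); real component ecosystems need ecosystem-aware comparison, which is one reason SBOM consumers usually key components by Package URL rather than by bare name.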
“Mobile apps are the new gateway to the enterprise, and first-party and third-party libraries and frameworks in those mobile apps have become a primary path for attacks,” said NowSecure CEO Alan Snyder. “SBOMs are foundational items that should be generated for EVERY new version of a mobile app so that everyone knows what is in the software that they are using, and so that the enterprise can protect itself from critical supply-chain risks. Organizations are already doing this for web apps and will now be able to get much needed observability into their mobile app supply chain.”
Sign up to get your free SBOM 10-pack today here.