How Snyk can help secure supply chains per "A Guide to Implementing the Software Bill of Materials (SBOM) for Software Management" by Japan's METI
August 1, 2023
On July 28, Japan's Ministry of Economy, Trade and Industry (METI) published A Guide to Implementing the Software Bill of Materials (SBOM) for Software Management. METI has focused on SBOMs as one of the management methodologies for securing software and services and for improving development productivity in companies.
Snyk provides tools to create and scan SBOMs for vulnerabilities, helping organizations meet the requirements laid out by the METI Guide. This blog explores how Snyk can help to comply with the METI's guidance.
Why the METI cares about the software supply chain — and why you should too
The background to METI's development of the SBOM guidance is the increasing number of incidents in which attacks on the software supply chain have caused significant damage: in December 2020, SolarWinds — a company that provides system management tools that were part of many software supply chains — was attacked and the companies that used their software were harmed. As a result of this incident, the implementation of SBOMs is becoming more prevalent worldwide, starting with the 2022 Executive Order by President Biden in the United States.
In Japan, the Ministry of Economy, Trade and Industry (METI) has held the Task Force on Software Management Methods to Ensure Cyber Physical Security (Software Task Force) since September 2019 to discuss and confirm the benefits and effectiveness of SBOM tools. In particular, it became clear that SBOMs offer advantages in software vulnerability management and license management and, as a result, in development productivity; guidance on the introduction of SBOMs was therefore developed.
Phases and steps of SBOM implementation by METI
The Ministry of Economy, Trade and Industry (METI) has divided the SBOM implementation into three major phases in their guide.
Environment and system development phase
SBOM creation and sharing phase
SBOM operation and management phase
The following is an overview of how Snyk supports each of these phases.
In the environment creation and system development phase, Snyk can help with the selection, installation, configuration, and learning of SBOM tools.
First, Snyk supports standard SBOM formats such as CycloneDX and SPDX. In addition, Snyk has a Japanese legal entity and offers a support service delivered in Japanese by Japanese-speaking staff, so help with installing and configuring SBOM tools is also available in Japanese. Snyk specializes in helping organizations secure their software supply chain and eliminate vulnerabilities, and we share best practices based on that expertise and experience.
During the SBOM creation/sharing phase and the operation/management phase, Snyk can help automate SBOM output by incorporating scans into CI/CD or by integrating with SCMs such as GitHub, so that your SBOM and the vulnerability information derived from it are always current.
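To illustrate what the operation and management phase consumes from a CycloneDX SBOM, and the vulnerability- and license-management benefits the Software Task Force identified, here is an added example (not Snyk's code and not from the METI guide): it parses a CycloneDX 1.4 JSON document, matches component purls against an advisory map, flags licenses outside an allowlist, and reports components that carry no purl and so cannot be matched at all. The SBOM, the package names, the advisory id and the license allowlist are all constructed for the example.

```python
"""Review a CycloneDX SBOM for known-vulnerable and non-allowlisted components."""
import json

# Constructed license allowlist for a hypothetical organisation.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed CycloneDX 1.4 document for a hypothetical application.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "1.2.3",
         "purl": "pkg:npm/example-http@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-yaml", "version": "0.9.0",
         "purl": "pkg:npm/example-yaml@0.9.0",
         "licenses": [{"expression": "GPL-3.0-only"}]},   # SPDX expression form
        {"type": "library", "name": "example-core", "version": "2.0.1",
         "purl": "pkg:maven/com.example/example-core@2.0.1",
         "licenses": [{"license": {"name": "Proprietary"}}]},  # name, no SPDX id
        {"type": "library", "name": "vendored-blob", "version": "unknown"},  # no purl
    ],
})

# Constructed advisory map keyed by purl; the advisory id is a placeholder.
ADVISORIES = {"pkg:npm/example-yaml@0.9.0": "ADV-EXAMPLE-0001"}


def component_licenses(component):
    """Return the license ids, names or expressions declared for one component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            found.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return found


def review_sbom(sbom_text, advisories, allowed):
    """Parse a CycloneDX JSON SBOM and return vulnerability, license and identity findings."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {"vulnerable": {}, "license": {}, "unidentified": []}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:  # without a purl the component cannot be matched to advisories
            findings["unidentified"].append(comp.get("name", "?"))
            continue
        if purl in advisories:
            findings["vulnerable"][purl] = advisories[purl]
        disallowed = [lic for lic in component_licenses(comp) if lic not in allowed]
        if disallowed:
            findings["license"][purl] = disallowed
    return findings


if __name__ == "__main__":
    print(json.dumps(review_sbom(SBOM_JSON, ADVISORIES, ALLOWED_LICENSES), indent=2))
```

In a CI/CD job the advisory map would come from a scanner or vulnerability database rather than a constant, and the "unidentified" list is the signal that the SBOM itself needs improving before it can be used for vulnerability management.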
Develop fast, stay secure.
If you have any questions regarding SBOM compliance, please feel free to contact us in English or Japanese.