With digital systems woven into every aspect of business and everyday life, maintaining trust and robust security is more crucial than ever. Cryptography forms the backbone of digital trust, but as threats evolve, organizations must get smarter about tracking and managing their cryptographic assets.
Enter the Cryptographic Bill of Materials (CBOM), a new approach that brings visibility and accountability to cryptographic practices, setting a higher standard for transparency and compliance.
Understanding the CBOM Advantage
A CBOM is a detailed inventory that lists all cryptographic elements within a system or application. It encompasses algorithms, keys, certificates, protocols, and configuration details. By meticulously documenting these assets, organizations can:
- Establish a comprehensive record of cryptographic tools and resources
- Ensure alignment with regulatory and industry security standards
- Spot and mitigate outdated or insecure cryptographic deployments
- Demonstrate transparency to clients, partners, and auditors
The need for such clarity has never been greater, especially as quantum computing brings new risks to traditional cryptographic methods. Proactive management via CBOMs helps organizations stay ahead of both compliance requirements and emerging security challenges.
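As an added illustration (not code from the IBM post or from CBOMkit), the script below consumes a small, constructed CBOM laid out in the CycloneDX 1.6 style the article refers to (components of type "cryptographic-asset" carrying a cryptoProperties block; that layout and the `evidence.occurrences` locations are assumed here) and flags the assets a reviewer would want to look at first: deprecated algorithms and public-key primitives with no quantum security level. The policy sets are an example policy, not a standard.

```python
import json

# Constructed sample CBOM; the cryptoProperties layout follows the CycloneDX 1.6
# "cryptographic-asset" component structure as assumed for this example.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "pke",
                 "parameterSetIdentifier": "2048", "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/auth/Token.java"}]}},
        {"type": "cryptographic-asset", "name": "SHA-1",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "hash",
                 "parameterSetIdentifier": "160", "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/legacy/Digest.py"}]}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "kem",
                 "parameterSetIdentifier": "768", "nistQuantumSecurityLevel": 3}}},
        {"type": "library", "name": "bouncycastle"},  # not a crypto asset; skipped
    ],
})

# Example policy (assumed for this illustration): algorithms that should no longer
# be deployed, and primitives whose security rests on problems a quantum computer breaks.
DEPRECATED_NAMES = {"SHA-1", "MD5", "DES", "3DES", "RC4"}
QUANTUM_EXPOSED_PRIMITIVES = {"pke", "signature", "key-agree"}


def find_weak_assets(cbom_json: str) -> list[dict]:
    """Return one finding per algorithm asset that violates the example policy."""
    findings = []
    for comp in json.loads(cbom_json).get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue  # certificates, protocols and key material need their own checks
        alg = props.get("algorithmProperties", {})
        locations = [o.get("location") for o in comp.get("evidence", {}).get("occurrences", [])]
        reasons = []
        if comp.get("name") in DEPRECATED_NAMES:
            reasons.append("deprecated algorithm")
        if alg.get("primitive") in QUANTUM_EXPOSED_PRIMITIVES and alg.get("nistQuantumSecurityLevel", 0) == 0:
            reasons.append("not quantum-safe")
        if reasons:
            findings.append({"name": comp["name"], "reasons": reasons, "locations": locations})
    return findings
```

Running it against a CBOM produced by a scanner gives a prioritised list with source locations, which is the audit trail the inventory is meant to provide.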
IBM's Role in Shaping CBOM Standards
IBM Research Europe–Zurich has been instrumental in developing the CBOM ecosystem. Their contributions to the CycloneDX CBOM standard and the release of CBOMkit as open source in 2024 highlight a commitment to accessible, rigorous cryptographic asset management. CBOMkit offers tools for generating inventories, visualizing cryptographic usage, analyzing configurations, and securely storing sensitive data, all essential for staying ahead in security management.
Joining Forces with the Linux Foundation and PQCA
IBM recently amplified its impact by donating its CBOM tools to the Post-Quantum Cryptography Alliance (PQCA) under the Linux Foundation. This move encourages open collaboration and widespread adoption, setting the stage for continuous innovation in cryptographic security. The key tools now under the Linux Foundation umbrella include:
- Sonar-cryptography: A SonarQube plugin that scans Java and Python codebases, mapping cryptographic components and producing detailed CBOM inventories with precise asset locations.
- CBOMkit: A service that clones repositories, scans source code, and generates CBOMs, complete with a user-friendly web interface and backend integration for database storage and tool interoperability.
- CBOMkit-action: A GitHub Action that automates cryptographic asset discovery across all repository modules, generating both individual and consolidated CBOM reports to streamline CI pipeline auditing.
- CBOMkit-theia: A tool for scanning container images to identify cryptographic assets in certificates and configurations, merging these findings with source code analysis for a unified cryptographic view.
This strategic donation signals IBM’s support for open standards and community-driven cryptographic safety, empowering a broader base of users to adopt best practices.
Why Open CBOM Tools Matter for Security
By standardizing CBOMs and making sophisticated tools widely available, the open-source community can more easily meet regulatory demands and tackle new technological threats, including those posed by quantum computing. Organizations now have the means to foster transparency, expedite audits, and systematically enhance the security of their digital environments.
Conclusion
IBM’s partnership with the Linux Foundation and PQCA marks a significant leap towards collaborative, transparent cryptographic management. As cyber threats become more advanced, open initiatives like CBOM provide the essential infrastructure for resilient and trustworthy digital systems, setting the foundation for a safer digital future.
Source: IBM Research Blog, Mariana Rajado Silva, Nicklas Körtge, Andreas Schade
How CBOMs and Open Collaboration Are Transforming Cryptographic Security