
Automatic translation from Russian to English. It may contain inaccuracies.


From SBOM to CBOM: how runtime dependency control is changing AppSec in web development


Merge Conf, April 18, 2026, Innopolis

About this talk

This talk is devoted to the Capability BOM (CBOM), an extension of the SBOM that records, for each application dependency, the actions it is permitted to perform. It covers in detail how a CBOM is produced, methods for runtime control of library behaviour, and the architectural aspects of integrating a CBOM into the delivery pipeline. Particular attention is given to the results of recent foreign studies showing that the approach can effectively prevent supply-chain attacks. The talk also compares CBOM with existing mechanisms and gives practical recommendations for implementing the method.

• Why SBOM and SCA are not enough

• The CBOM concept

• Architectural approaches to runtime enforcement of a CBOM (worked example: NodeShield for Node.js)

• Methodology for integrating CBOM into a GitLab CI + JFrog + SCA/DAST pipeline

• Reduction in supply-chain attacks (data from foreign studies)

• Comparison of CBOM with classical protection methods

• Recommendations and steps for implementing CBOM in existing infrastructure
