In response to new quantum threats to cryptography and increasing regulatory pressure, IBM Research has unveiled a new toolset called CBOMkit. According to IBM Research, this open source initiative is designed to help developers manage their crypto assets more effectively by leveraging the CycloneDX Cryptography Bill of Materials (CBOM) standard.
Enable Crypto Governance
Encryption serves as an important defense against data breaches and disruptions. However, the advent of quantum computing presents significant challenges to traditional encryption methods, necessitating a shift toward quantum-safe alternatives. Originally developed by IBM Research, the CycloneDX CBOM standard provides a machine-readable format for documenting and exchanging crypto-asset information, facilitating automated security analysis and compliance checks.
IBM Research’s CBOMkit aims to encourage widespread adoption among developers by simplifying CBOM creation and management. By making these tools available, IBM seeks to simplify crypto asset management within software dependencies and create a more secure development environment.
CBOMkit Tool
The CBOMkit family includes several key components:
- CBOM generator for source code (CBOMkit Hyperion): This tool scans your Git repository to detect cryptographic calls in your source code and generates a CBOM with the results. It supports languages such as Java and Python, including popular libraries such as JCA and pyca/crypto.
- CBOM generator for container images (CBOMkit Theia): Theia is designed to analyze cryptographic assets in container images and directories and generate CBOMs by scanning sources such as local directories and Docker images.
- CBOM Viewer (CBOMkit Coeus): A web service that visualizes created or uploaded CBOMs, providing an overview and detailed statistics on the cryptographic components within a project.
- CBOM Compliance Engine (CBOMkit Themis): This component evaluates CBOMs against predefined policies, including built-in quantum safety checks with extensibility for user-defined criteria.
- CBOM repository (CBOMkit Mnemosyne): Collect and store CBOM, enabling efficient maintenance and retrieval across projects via a RESTful API.
CBOMkit features
CBOMkit offers several benefits:
- automation: Reduce manual errors by automating the discovery and documentation of encryption usage.
- Observability: Provides visualizations and statistics to help you clearly understand your crypto usage.
- Compliance: Ensure security policy compliance with built-in compliance checks with space for custom rules.
- completion: Easily integrates into existing development and security workflows via API and database.
- Scalability: Designed for future expansion to support additional languages, libraries, and compliance policies.
Getting started with CBOMkit
CBOMkit provides multiple entry points for developers to become familiar with CBOM and effectively manage their crypto assets. Interested users can visit the GitHub page to explore the features. For example, developers can run the CBOM generator on source code to generate a CBOM or use a CBOM viewer to inspect the results.
Image source: Shutterstock