Effectively Manage Your Software Bill of Materials with the Operational Data Store Framework

The ODS Framework enables you to get a quick view of all open source and proprietary software in your enterprise.
June 18, 2025

A year ago, a vulnerability was discovered in the open-source Spring Boot framework. Discover engineers were tasked with finding all applications within Discover that used the framework to assess the scope of impact and identify the teams affected. This task required a team of product owners and subject matter experts and took numerous business days to find all instances of Spring Boot used within Discover.

Discover is not alone in this challenge to quickly understand exactly what software libraries and versions are being used across the thousands of applications in its enterprise. Managing a vast sprawl of both open-source and proprietary systems and software can be challenging for many companies. Identifying what software is consumed by your company is critical to being able to quickly identify vulnerability impact, secure systems, and react to regulatory and compliance demands.

The Discover Research and Development (R&D) team set out to solve this problem. They created the Operational Data Store (ODS) Framework, which uses a common data model based on the CycloneDX Software Bill of Material (SBOM) specification. The ODS extracts data from the myriad of systems and tools used during application build and deployment to compose an aggregate data model of the operational state for the enterprise. This enables users to efficiently query all operational data for a complete view of an application, including open-source libraries used, linkages between applications and APIs, vulnerabilities, scorecards, and numerous other internal and community data.

Overall, the ODS Framework offers a systematic process to connect and analyze SBOM and community data for operational reporting, attestations, and actionable insights, which helps mitigate risks associated with software management and consumption.

Defining the problem

Operational Data Stores (ODS) provide real-time data access via queries that output composite views of all applications in the enterprise by aggregating SBOMs and other operational data.

Some common problems companies have when trying to understand the operational state of their application ecosystem include:

  • Data about specific software sits in disparate systems and is indexed using various data models
  • Correlating silos of data into actionable insights is difficult
  • Manually searching through disparate systems to understand an SBOM is time consuming and often unreliable and incomplete
  • The overwhelming complexity and volume of SBOM information that enterprises face, especially with the increased adoption of in-house development and software vendors

With the creation of international standards like CycloneDX, the software industry can now apply the notion of a bill of materials, long used in shipping and manufacturing, to software. CycloneDX was created by OWASP and is an SBOM standard that provides advanced supply chain capabilities to reduce cyber risk.

Vendors have embraced SBOMs as a data model standard. Because of that commonality, we at Discover were able to gather SBOMs from disparate systems and weave them together into an extended CycloneDX data model that can be used to create a specialized data lake, operational data store, or ODS.

How it Works

Our Discover Operational Data Store framework supports multiple applications that allow for inspections at scale. Let’s look at an overview of how it works:

[Image: ODS architecture]

As this image shows, the ODS Framework can work with a variety of data source clients.

To achieve a well-functioning ODS, a framework needs:

  • A standardized set of extendable data models to help enterprises customize their own software supply chain fabric.
  • A systematic process for connecting and analyzing SBOM data for operational reporting, risk attestations, and actionable insights.
  • An extendable Extract-Transform-Load (ETL) architecture for ingesting SBOM data into the ODS at any desirable frequency per data source.
  • An enterprise-specific data model that extends industry standards such as CycloneDX.
  • An API server for data queries and reporting and an extendable client application layer.

On top of the ODS, teams can build custom applications that turn specific data into actions. For instance, at Discover, we've built applications that query our systems for open-source libraries and components and give teams:

  • Guidance for open-source software packages, including version information, community health, and industry-based scorecards
  • A view of the compliance of open-source software components against risk controls
  • The ability to attest to when and how teams will update their open-source software libraries, with automated email reminders when the due date draws near.
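As an added illustration of the pieces listed above (a CycloneDX-based data model, an ETL step per data source, and a query layer that client applications build on), here is a small Python program written for this post; it is not code from the Discover ODS Framework. It ingests constructed CycloneDX SBOM documents from two hypothetical feeds ("build-tool" and "deploy-scan"), normalises every component by its package URL so that all versions of one library share a bucket, merges repeated reports of the same application instead of duplicating them, and answers the question from the opening anecdote: which applications ship Spring Boot, and at which versions. The feed names, application names, component versions and the attestation-due annotation are all made up for the example.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

AppId = Tuple[str, str]  # (application name, application version)


def package_key(purl: str) -> str:
    """Version-less identity of a package URL, so all versions of a library share a bucket:
    'pkg:maven/org.springframework.boot/spring-boot@2.7.1?type=jar' -> '.../spring-boot'."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def iter_components(components: Iterable[dict]) -> Iterable[dict]:
    """Walk a CycloneDX component list, descending into nested 'components'."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components", []))


def parse_sbom(doc: dict) -> Tuple[AppId, List[Tuple[str, str]]]:
    """Return the SBOM's subject application and its (package_key, version) pairs."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document, got %r" % doc.get("bomFormat"))
    subject = doc["metadata"]["component"]
    app_id: AppId = (subject["name"], subject.get("version", "unknown"))
    found: List[Tuple[str, str]] = []
    for comp in iter_components(doc.get("components", [])):
        purl = comp.get("purl")
        if not purl:  # producer omitted purl: synthesise one from group/name/version
            group = comp.get("group")
            purl = f"pkg:generic/{group + '/' if group else ''}{comp['name']}@{comp.get('version', '')}"
        found.append((package_key(purl), comp.get("version", "")))
    return app_id, found


class OperationalDataStore:
    """Aggregate index over every ingested SBOM (toy stand-in for the ODS)."""

    def __init__(self) -> None:
        # package key -> application -> component versions seen in that application
        self.usage: Dict[str, Dict[AppId, Set[str]]] = defaultdict(lambda: defaultdict(set))
        # package key -> feeds that reported it, so every row is traceable to a source
        self.sources: Dict[str, Set[str]] = defaultdict(set)
        # package key -> enterprise-specific fields (the "extended" part of the data model)
        self.annotations: Dict[str, Dict[str, str]] = defaultdict(dict)

    def ingest(self, doc: dict, source: str) -> AppId:
        """ETL step for one SBOM from one feed; an app seen twice merges rather than duplicates."""
        app_id, found = parse_sbom(doc)
        for key, version in found:
            self.usage[key][app_id].add(version)
            self.sources[key].add(source)
        return app_id

    def annotate(self, key: str, name: str, value: str) -> None:
        self.annotations[key][name] = value

    def consumers(self, key: str) -> List[Tuple[str, str, List[str]]]:
        """Every application that ships this package, with the versions it ships."""
        return sorted((app, ver, sorted(vs)) for (app, ver), vs in self.usage.get(key, {}).items())

    def report(self, key: str) -> dict:
        """The composite view an API server or client application would return for one package."""
        return {"package": key, "consumers": self.consumers(key),
                "sources": sorted(self.sources.get(key, ())),
                "annotations": dict(self.annotations.get(key, {}))}


def _sbom(app: str, version: str, components: List[dict]) -> dict:
    """Build a minimal CycloneDX document for the constructed samples below."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "application", "name": app, "version": version}},
            "components": components}


SPRING_BOOT = "pkg:maven/org.springframework.boot/spring-boot"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"

# Constructed sample feeds: (source name, SBOM). Not real Discover data.
SAMPLE_FEEDS = [
    ("build-tool", _sbom("payments-api", "3.2.0", [
        {"name": "spring-boot", "version": "2.7.1", "purl": SPRING_BOOT + "@2.7.1"},
        {"name": "jackson-databind", "version": "2.13.3", "purl": JACKSON + "@2.13.3"}])),
    # A second feed reports the same application, with spring-boot nested under a starter.
    ("deploy-scan", _sbom("payments-api", "3.2.0", [
        {"name": "spring-boot-starter-web", "version": "2.7.1",
         "purl": SPRING_BOOT + "-starter-web@2.7.1",
         "components": [{"name": "spring-boot", "version": "2.7.1", "purl": SPRING_BOOT + "@2.7.1"}]}])),
    # A purl with a qualifier, plus an in-house library whose producer emitted no purl at all.
    ("build-tool", _sbom("customer-portal", "1.4.2", [
        {"name": "spring-boot", "version": "3.1.0", "purl": SPRING_BOOT + "@3.1.0?type=jar"},
        {"group": "com.example", "name": "internal-auth-lib", "version": "5.0"}])),
]


def build_demo_store() -> OperationalDataStore:
    """Ingest the constructed feeds and attach one hypothetical enterprise annotation."""
    ods = OperationalDataStore()
    for source, doc in SAMPLE_FEEDS:
        ods.ingest(doc, source)
    ods.annotate(SPRING_BOOT, "upgrade-attestation-due", "2025-09-30")  # constructed value
    return ods


if __name__ == "__main__":
    # "Which applications use Spring Boot, and which versions?" answered by one query.
    print(json.dumps(build_demo_store().report(SPRING_BOOT), indent=2))
```

Running the file prints the composite report for Spring Boot: both consuming applications, their component versions, which feeds the rows came from, and the attached annotation. The two edge cases the samples exercise, a purl carrying a qualifier and an in-house component whose producer emitted no purl, are the ones that most often break naive name matching across feeds; the annotations dictionary is where an enterprise-specific extension of the CycloneDX model (control status, scorecard, attestation due date) would hang.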

Benefits

Building customized applications on top of the ODS framework has enabled teams at Discover to answer audit queries and other software-inspection use cases in minutes, compared with the days or weeks such work previously took. Additionally, the ODS framework provides an analysis and view of software dependencies that lets teams proactively see and update any outdated library or software before it becomes problematic.

Conclusion

With the ODS Framework in place, employees across Discover are now equipped with greater observability and oversight of the company’s expansive technology ecosystem, resulting in improved risk mitigation, data reporting, and decision-making. Discover is now considering the viability of the ODS Framework as an open-source contribution.

©2025 Discover, a division of Capital One, N.A. Opinions are those of the individual author. Unless noted otherwise in this post, Discover is not affiliated with, nor endorsed by, any of the companies mentioned. All trademarks and other intellectual property used or displayed are property of their respective owners.