IBM - International Business Machines Corporation

06/11/2024 | News release | Distributed by Public on 06/11/2024 15:28

Managing cryptography with CBOMkit

Cryptography, Quantum Safe, Security

06 Nov 2024
Technical note

In the face of the quantum threat to cryptography and increasing regulatory requirements, cryptography governance is becoming increasingly critical.

IBM Research has developed and open-sourced CBOMkit to empower developers and the open-source community to actively manage the cryptographic assets in their projects by generating, visualizing, analyzing and storing CBOMs that follow the CycloneDX Cryptography Bill of Materials (CBOM) standard. These capabilities help developers get familiar with the CBOM, identify cryptographic assets in their code and dependencies, and provide CBOMs of their projects and applications to their users.

Enabling cryptography governance

Because cryptography protects IT systems against data breaches and disruption, it is critical to find vulnerable instances of it and remediate them. This is particularly important at a time when quantum computing threatens common cryptographic methods, making it essential to replace them with quantum-safe variants.

The CycloneDX Cryptography Bill of Materials (CBOM) standard, which was originally invented by IBM Research, provides a machine-readable way to document and exchange information about the presence of cryptographic assets in applications, enabling automated security analysis, compliance checking, and risk management. To simplify the generation and management of CBOMs and support adoption, IBM Research has developed and open-sourced a set of tools in the CBOMkit. By making these tools available, we aim to encourage and enable developers to create CBOMs of their projects and support adoption of CBOMs for easier management of cryptographic assets in software dependencies.

CBOMkit tools

CBOM Generator for Source Code (CBOMkit Hyperion): This tool scans Git repositories for cryptography invocations in source code and produces a CBOM of its findings. Hyperion identifies the use of cryptography in supported languages such as Java and Python, covering popular libraries such as JCA and pyca/cryptography. All CBOMs generated by this tool are stored in the CBOM repository for later use.

CBOM Generator for Container Images (CBOMkit Theia): CBOMkit Theia detects and analyzes cryptographic assets in container images and directories. It generates a CBOM by scanning sources such as local directories and Docker images.

CBOM Viewer (CBOMkit Coeus): This standalone web service visualizes generated or uploaded CBOMs. Coeus gives an overview of the cryptographic components in a project and presents comprehensive statistics on the cryptography in use, providing context for the cryptographic assets.

CBOM Compliance Engine (CBOMkit Themis): CBOMkit can evaluate CBOMs against specified policies. The current implementation includes a built-in quantum-safe check, but can be extended to accommodate user-defined compliance criteria.

CBOM Repository (CBOMkit Mnemosyne): This component collects and stores CBOMs, managed by a RESTful API. It enables efficient maintenance and retrieval of CBOM information across projects and over time.
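To make the CBOM format described above and the kind of policy evaluation the compliance engine performs concrete, here is an added example that is not CBOMkit's own code and does not reproduce the Themis rule set: a constructed CycloneDX 1.6 CBOM with three algorithm assets, and a small Python policy that flags asymmetric primitives whose recorded NIST quantum security level is absent or 0. The `cryptoProperties` field names follow the CycloneDX 1.6 schema; the sample values and the policy rule itself are assumptions made for this example.

```python
import json

# Constructed sample CBOM in CycloneDX 1.6 layout (not produced by CBOMkit):
# three algorithm assets, one of which (ML-KEM) is quantum-safe.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "alg:aes",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae",
                                                      "parameterSetIdentifier": "256",
                                                      "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg:mlkem",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem",
                                                      "parameterSetIdentifier": "768",
                                                      "nistQuantumSecurityLevel": 3}}},
    ],
})

# Assumed policy: public-key primitives built on factoring or discrete logs are
# broken by Shor's algorithm regardless of key size, so an asymmetric asset
# with no positive quantum security level is a finding. Symmetric primitives
# only lose some security margin to Grover and are not flagged by this rule.
ASYMMETRIC_PRIMITIVES = {"pke", "signature", "key-agree", "kem"}


def quantum_safe_findings(cbom_json: str) -> list:
    """Return one finding dict per algorithm asset that fails the policy."""
    bom = json.loads(cbom_json)
    findings = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue  # certificates, protocols and key material are out of scope here
        alg = props.get("algorithmProperties", {})
        level = alg.get("nistQuantumSecurityLevel")
        if alg.get("primitive") in ASYMMETRIC_PRIMITIVES and not level:
            reason = "no nistQuantumSecurityLevel recorded" if level is None else "quantum security level 0"
            findings.append({"bom-ref": comp.get("bom-ref"), "name": comp.get("name"), "reason": reason})
    return findings


def is_quantum_safe(cbom_json: str) -> bool:
    """True when the policy produces no findings for the given CBOM."""
    return not quantum_safe_findings(cbom_json)
```

Running `quantum_safe_findings(SAMPLE_CBOM)` reports only RSA-2048; the AES and ML-KEM assets pass.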

CBOMkit Features

  • Automation: By scanning repositories and generating CBOMs automatically, CBOMkit avoids error-prone manual efforts in documenting cryptographic usage.
  • Observability: The CBOM viewer provides clear visualization and statistics, helping teams quickly understand their cryptography landscape.
  • Compliance: Built-in compliance checks, with the ability to add custom rules, ensure that cryptographic implementations adhere to security policies and best practices.
  • Integration: With its API and database, CBOMkit can be easily integrated into existing development and security workflows.
  • Extensibility: The modular design allows for future extensions to support additional languages, libraries and compliance policies.

Try out CBOMkit

The CBOMkit comes with several entry points you can use to get familiar with CBOM and manage cryptographic assets in applications.

Visit our GitHub page to get started and try it out. For example, you can run the CBOM Generator on source code to produce a CBOM, or use the CBOM viewer to inspect the results (or ready-made CBOMs).