
Delivery Bill of Materials (DeliveryBOM)

Track security, compliance, and policy enforcement across your application delivery and deployment process

The Delivery Bill of Materials (DeliveryBOM) takes the SBOM one step further by capturing a comprehensive, consolidated record of every step in the application's software delivery and deployment process. Security checks, approvals, policy enforcement, and audits are all recorded in one place.

The DeliveryBOM allows DevSecOps and AppSec teams to extend security oversight beyond the code commit and to demonstrate policy compliance at scale.


What is a Delivery Bill of Materials?

The software bill of materials (SBOM) is quickly becoming a requirement for a secure software supply chain. The SBOM, however, only captures what happened at build time. How do you get visibility and ensure compliance for the rest of the application lifecycle, from build to production deployment?

The Delivery Bill of Materials (DeliveryBOM) goes beyond the SBOM to capture the details of the application lifecycle all the way to deployment. The DeliveryBOM enhances software delivery transparency and attestation, and gives visibility over continuous delivery and deployment.

The DeliveryBOM is an integral component of the OpsMx Secure Software Delivery solution. It provides end-to-end visibility into all elements of software delivery and deployment and the related actions taken on them (code analysis and scanning, dependency validation, approvals, etc.).

What’s Included in a DeliveryBOM?

Deployment Checks and Validations

  • Deployment tool validation
  • Quality, performance, reliability and business impact scores for a release
  • Configuration validation
  • Approval validation
  • Automated CIS benchmark validation

Compliance Policy Enforcement and Audit

  • Results from the rules library of checks and validations
  • Automated SLSA Level 3 attestation
  • Complete audit trail with proof of actions for associated incidents

Source Code Security and Vulnerability Assessment

  • Centralized code checks and reevaluations
  • Automated source code analysis at scale
  • Source code provenance and code review validation

Artifact Validation

  • Automated dependency validations for a build (supply chain security, malware protection, cloud security, etc.)
  • Automated SLSA Level 3 attestation
  • Dynamic vulnerability tracing (for example, using Aquasec)

Build Security Validation

  • Automated build server validation
  • Unit test coverage check and validation
  • Build pipelines validation
E-BOOKS & BLOGS

Secure Continuous Delivery Datasheet

Read about a secure, automated, and scalable CD solution that reduces risk exposure and brings greater resilience and integrity to your applications.

Top Reasons to Consider Deployment Security

Learn how radical changes in delivery processes introduce new security risks and increase the attack surface.

Tackle the Threat of Software Supply Chain Attacks

Find the comprehensive solution to tackle real-time vulnerability risks and security breaches in your delivery process.

Frequently asked questions

How does DeliveryBOM differ from a traditional Software Bill of Materials (SBOM)?

A Software Bill of Materials (SBOM) is a list of the components that make up a software application, in particular its open-source and third-party components. OpsMx’s Delivery Bill of Materials (DBOM) provides more granular information by capturing every step in the application’s software delivery and deployment process, giving you visibility across the SDLC from code to deployment and helping you ensure compliance.

This includes results from code analysis and scanning, deployment security checks, approvals, policy enforcement, audits, and more.

What types of information does DeliveryBOM capture throughout the application lifecycle?

OpsMx’s Delivery Bill of Materials (DBOM) consolidates data captured at every step in the application’s software delivery and deployment process. The data it captures includes results from:

  • Code analysis and scanning
  • Source code provenance and code review validation
  • Dependency validation and configuration validation
  • Build security and pipeline validation
  • Automated security checks (CIS benchmark validation, etc.)
  • Dynamic vulnerability tracing
  • Release approvals and validations
  • Policy enforcement
  • Complete audit trail with proof of actions

What are the key features of DeliveryBOM for vulnerability management and risk assessment?

OpsMx’s Delivery Bill of Materials (DBOM) is a consolidated report on software supply chain and security management in the software delivery process. The DBOM includes data such as security risk reports, quality and performance reports, and testing reports.

Source code analysis reports, code review validation, brand protection policy, vulnerability assessment, CIS benchmarking, log analysis, reliability analysis, and business impact assessment are some of the checks and balances that the OpsMx DBOM tracks for vulnerability management and risk assessment.

How does DeliveryBOM provide audit trails and incident proof for compliance requirements?

OpsMx’s DeliveryBOM provides detailed audit trails and incident proof by capturing all deployment activities, including policy checks, security scans, and vulnerability assessments. It records the entire deployment process, which supports compliance with frameworks such as NIST 800-53.

In short, OpsMx’s DBOM offers a clear history of the security actions taken, flags any non-compliant code, and provides reports that demonstrate adherence to regulatory compliance requirements.

How does DeliveryBOM handle source code provenance and code review validation?

OpsMx DeliveryBOM captures and verifies the origin of each code component to establish code provenance. It also tracks the entire lifecycle of the code, from commit to deployment, to provide code traceability.

For code validation, it logs approvals, review statuses, and any associated compliance checks. These records are stored in detailed reports, making it easy to validate that proper code reviews were completed, which supports both internal governance and external audit requirements.

What support does DeliveryBOM provide for supply chain security?

OpsMx DeliveryBOM supports Software Supply Chain Security (SSCS) by tracking and validating each component in the SDLC. It analyzes the source code for provenance, traceability, and validation. It also monitors dependencies, third-party libraries, and open-source components for vulnerabilities. Monitoring system logs makes it easier to detect anomalies, unauthorized alterations, or compromised packages.

This helps safeguard the software supply chain and supports compliance with security standards such as SLSA (Supply-chain Levels for Software Artifacts).
