Managing cryptography with CBOMkit

Submitted by
Style Pass
2024-11-06 22:30:06

In the face of the quantum threat to cryptography and tightening regulatory requirements, cryptography governance is becoming critical.

IBM Research has developed and open-sourced CBOMkit to empower developers and the open-source community to actively manage the cryptographic assets in their projects by generating, visualizing, analyzing and storing inventories that use the CycloneDX cryptography bill of materials (CBOM) standard. These capabilities help developers become familiar with CBOM, identify cryptographic assets in their code and dependencies, and provide CBOMs of their projects and applications to their users.

Because cryptography is what protects IT systems against data breaches and disruption, it is critical to find vulnerable instances and remediate them. This matters all the more now that quantum computing threatens widely used cryptographic methods, public-key algorithms in particular, making it essential to replace them with quantum-safe variants.

The CycloneDX CBOM standard, originally invented by IBM Research, provides a machine-readable way to document and exchange information about the cryptographic assets present in applications, enabling automated security analysis, compliance checking and risk management. To simplify the generation and management of CBOMs and to support adoption, IBM Research has developed and open-sourced a set of tools in CBOMkit. By making these tools available, we aim to encourage and enable developers to create CBOMs of their projects, and to support the adoption of CBOMs for easier management of cryptographic assets in software dependencies.
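The paragraph above says what a CBOM is for but not what one looks like or how "automated security analysis" over it might work. The following is an added example, not code from IBM Research or from CBOMkit: a hand-constructed CycloneDX 1.6 CBOM with four algorithm assets, and a small Python triage that flags entries with no quantum security or a weak classical security level. The field names (`cryptographic-asset`, `cryptoProperties`, `algorithmProperties`, `primitive`, `classicalSecurityLevel`, `nistQuantumSecurityLevel`, `cryptoFunctions`) are those of the CycloneDX 1.6 schema; the components themselves, the `SHOR_VULNERABLE_PRIMITIVES` set and the `MIN_CLASSICAL_LEVEL` threshold are this example's own assumptions and not CBOMkit's analysis rules.

```python
"""Triage a CycloneDX 1.6 CBOM for quantum-vulnerable or weak cryptography.

Added example: the CBOM document below is constructed by hand for
illustration and is not CBOMkit output. The triage policy (which primitives
are assumed Shor-vulnerable, which security levels are acceptable) is this
example's own assumption, not part of the CycloneDX standard or of CBOMkit.
"""
import json

# Constructed CycloneDX 1.6 CBOM. The schema field names are real; the four
# components are invented for the example.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "cryptographic-asset",
            "name": "RSA-2048",
            "bom-ref": "crypto/algorithm/rsa-2048",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "signature",
                    "parameterSetIdentifier": "2048",
                    "cryptoFunctions": ["sign", "verify"],
                    "classicalSecurityLevel": 112,
                    "nistQuantumSecurityLevel": 0,
                },
            },
        },
        {
            "type": "cryptographic-asset",
            "name": "AES-128-GCM",
            "bom-ref": "crypto/algorithm/aes-128-gcm",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "ae",
                    "parameterSetIdentifier": "128",
                    "mode": "gcm",
                    "cryptoFunctions": ["encrypt", "decrypt"],
                    "classicalSecurityLevel": 128,
                    "nistQuantumSecurityLevel": 1,
                },
            },
        },
        {
            "type": "cryptographic-asset",
            "name": "ML-KEM-768",
            "bom-ref": "crypto/algorithm/ml-kem-768",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "kem",
                    "parameterSetIdentifier": "768",
                    "cryptoFunctions": ["keygen", "encapsulate", "decapsulate"],
                    "nistQuantumSecurityLevel": 3,
                },
            },
        },
        {
            "type": "cryptographic-asset",
            "name": "SHA-1",
            "bom-ref": "crypto/algorithm/sha-1",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "hash",
                    "cryptoFunctions": ["digest"],
                    "classicalSecurityLevel": 80,
                },
            },
        },
    ],
})

# Assumed policy (not CycloneDX's, not CBOMkit's): classical public-key
# primitives are broken by Shor's algorithm, so a signature/pke/key-agree asset
# that does not state a quantum security level is treated as vulnerable.
SHOR_VULNERABLE_PRIMITIVES = {"pke", "signature", "key-agree"}
MIN_CLASSICAL_LEVEL = 112  # assumed floor in bits, in the spirit of NIST SP 800-131A


def crypto_assets(cbom):
    """Yield (name, algorithmProperties) for every algorithm asset in a CBOM dict."""
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        name = comp.get("name", comp.get("bom-ref", "?"))
        yield name, props.get("algorithmProperties", {})


def triage(cbom_json):
    """Return {asset name: [finding, ...]} for assets violating the assumed policy."""
    findings = {}
    for name, alg in crypto_assets(json.loads(cbom_json)):
        issues = []
        primitive = alg.get("primitive")
        qlevel = alg.get("nistQuantumSecurityLevel")
        clevel = alg.get("classicalSecurityLevel")
        if qlevel == 0:
            issues.append("no quantum security (nistQuantumSecurityLevel 0)")
        elif qlevel is None and primitive in SHOR_VULNERABLE_PRIMITIVES:
            issues.append("%s primitive with no stated quantum security level; assumed Shor-vulnerable" % primitive)
        if clevel is not None and clevel < MIN_CLASSICAL_LEVEL:
            issues.append("classical security level %d below %d" % (clevel, MIN_CLASSICAL_LEVEL))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in triage(SAMPLE_CBOM).items():
        print(asset, "->", "; ".join(issues))
```

Run as a script, this reports RSA-2048 (no quantum security) and SHA-1 (80-bit classical level), while AES-128-GCM and ML-KEM-768 pass the assumed policy. A real inventory would also walk the BOM's `dependencies` section to tie each flagged algorithm back to the application components and protocols that use it; that is the linkage a CBOM exists to provide and the part CBOMkit's own analysis handles.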
