

IBM Research Introduces CBOMkit for Enhanced Cryptography Management

Ted Hisokawa   Nov 06, 2024 15:20


In response to the emerging quantum threat to cryptography and growing regulatory pressures, IBM Research has unveiled a new toolset named CBOMkit. This open-source initiative is designed to assist developers in managing cryptographic assets more effectively by leveraging the CycloneDX Cryptography Bill of Materials (CBOM) standard, according to IBM Research.

Enabling Cryptography Governance

Cryptography serves as a crucial defense against data breaches and disruptions. However, the advent of quantum computing presents a significant challenge to traditional cryptographic methods, necessitating a shift towards quantum-safe alternatives. The CycloneDX CBOM standard, initially developed by IBM Research, offers a machine-readable format for documenting and exchanging cryptographic asset information, thus facilitating automated security analysis and compliance checks.

IBM Research's CBOMkit aims to streamline the creation and management of CBOMs, encouraging widespread adoption among developers. By making these tools available, IBM seeks to simplify the management of cryptographic assets within software dependencies, fostering a more secure development environment.

CBOMkit Tools

The CBOMkit suite includes several key components:

  • CBOM Generator for Source Code (CBOMkit Hyperion): This tool scans Git repositories to detect cryptographic invocations in source code, generating a CBOM with its findings. It supports languages like Java and Python, covering popular libraries such as JCA and pyca/cryptography.
  • CBOM Generator for Container Images (CBOMkit Theia): Theia is designed to analyze cryptographic assets in container images and directories, generating CBOMs by scanning sources like local directories and Docker images.
  • CBOM Viewer (CBOMkit Coeus): A web service that visualizes generated or uploaded CBOMs, providing an overview and detailed statistics of cryptographic components within a project.
  • CBOM Compliance Engine (CBOMkit Themis): This component evaluates CBOMs against predefined policies, including a built-in quantum-safe check, with extensibility for user-defined criteria.
  • CBOM Repository (CBOMkit Mnemosyne): It collects and stores CBOMs, enabling efficient maintenance and retrieval across projects through a RESTful API.
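The kind of policy evaluation described for the compliance engine can be illustrated with a short script. This is an added example, not code from CBOMkit or IBM Research: it reads a constructed CBOM that uses CycloneDX 1.6 field names and applies an assumed policy in which an algorithm asset with a `nistQuantumSecurityLevel` below 1 is flagged and a missing level is reported as unknown. The function name, the threshold and the sample file path are hypothetical.

```python
import json

# Constructed sample CBOM (CycloneDX 1.6 field names); not output from any CBOMkit tool.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "crypto/rsa-2048",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "pke", "nistQuantumSecurityLevel": 0}},
     "evidence": {"occurrences": [{"location": "src/auth/KeyGen.java", "line": 42}]}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "crypto/ml-kem-768",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "kem", "nistQuantumSecurityLevel": 3}}},
    {"type": "cryptographic-asset", "name": "SHA-1", "bom-ref": "crypto/sha-1",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "hash"}}},
    {"type": "library", "name": "example-lib", "bom-ref": "pkg/example-lib"}
  ]
}
""")


def check_quantum_safe(cbom, min_level=1):
    """Return findings for algorithm assets below min_level (hypothetical policy)."""
    findings = []
    for comp in cbom.get("components", []):
        props = comp.get("cryptoProperties") or {}
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue  # libraries, keys, certificates and protocols are out of scope here
        level = (props.get("algorithmProperties") or {}).get("nistQuantumSecurityLevel")
        if level is None:
            verdict = "unknown"  # no declared level: fail closed and send for review
        elif level < min_level:
            verdict = "not-quantum-safe"
        else:
            continue  # meets the assumed threshold
        # Source locations recorded by the generator, if any, so the finding is actionable.
        where = [f'{o.get("location")}:{o.get("line")}'
                 for o in (comp.get("evidence") or {}).get("occurrences", [])]
        findings.append({"name": comp.get("name"), "verdict": verdict, "locations": where})
    return findings


if __name__ == "__main__":
    for finding in check_quantum_safe(SAMPLE_CBOM):
        print(finding)
```

Reporting a missing level as "unknown" rather than passing it keeps incomplete inventory entries visible to reviewers.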

CBOMkit Features

CBOMkit offers several advantages, including:

  • Automation: Automates the scanning and documentation of cryptographic usage, reducing manual errors.
  • Observability: Provides visualization and statistics for a clear understanding of cryptographic usage.
  • Compliance: Ensures adherence to security policies through built-in compliance checks, with room for custom rules.
  • Integration: Easily integrates into existing development and security workflows via its API and database.
  • Extensibility: Designed for future expansion to support additional languages, libraries, and compliance policies.

Getting Started with CBOMkit

The CBOMkit offers multiple entry points for developers to familiarize themselves with CBOM and manage cryptographic assets effectively. Interested users can visit the GitHub page to explore its capabilities. For instance, developers can run the CBOM Generator on source code to produce a CBOM or use the CBOM Viewer to inspect results.

