Security-focused groups OpenSSF, CISA and DHS have announced they are teaming up on a new open source project to help secure software supply chains: Protobom.

The project is a collaboration of the Open Source Security Foundation (OpenSSF), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security’s Science and Technology Directorate (DHS S&T).

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, senior advisor and strategist at CISA.

Protobom allows companies to read data from software bills of materials (SBOMs), create their own SBOMs, and translate SBOMs into a variety of standard formats.

According to OpenSSF, there are many SBOM formats and schemas, which can be challenging for companies. The goal of the new project is to provide “a format-neutral data layer on top of standards that allows applications to work seamlessly with any kind of SBOM.”
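To make the idea of a format-neutral layer concrete, here is a small added example in Go (not Protobom's own code or API): a hypothetical `Component` record sits between the formats, one function lifts CycloneDX JSON into it, and another emits SPDX JSON from it, carrying the purl across as an SPDX external reference so package identity is not lost in translation. The struct names, the subset of each format handled, and the sample input are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is a hypothetical format-neutral record (added example, not
// protobom's own data model): what every SBOM format can say about a dependency.
type Component struct{ Name, Version, PURL string }

// ReadCycloneDX lifts the components of a CycloneDX JSON document into the
// neutral layer. encoding/json matches keys case-insensitively, so the
// CycloneDX keys name/version/purl land on Component's fields without tags.
func ReadCycloneDX(data []byte) ([]Component, error) {
	var doc struct {
		BOMFormat  string
		Components []Component
	}
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX document: bomFormat=%q", doc.BOMFormat)
	}
	return doc.Components, nil
}

// WriteSPDX emits the neutral list as SPDX 2.3 JSON. SPDX has no purl field,
// so the purl travels as an externalRefs entry: the translation keeps the
// package identity that vulnerability matching depends on.
func WriteSPDX(comps []Component) ([]byte, error) {
	pkgs := make([]map[string]any, 0, len(comps))
	for _, c := range comps {
		p := map[string]any{"name": c.Name, "versionInfo": c.Version}
		if c.PURL != "" {
			p["externalRefs"] = []map[string]string{{
				"referenceCategory": "PACKAGE-MANAGER",
				"referenceType":     "purl",
				"referenceLocator":  c.PURL,
			}}
		}
		pkgs = append(pkgs, p)
	}
	doc := map[string]any{"spdxVersion": "SPDX-2.3", "packages": pkgs}
	return json.MarshalIndent(doc, "", "  ")
}
```

Feeding the output of `ReadCycloneDX` into `WriteSPDX` is the whole translation; a tool that only understands the neutral `Component` type never has to know which format the SBOM arrived in.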

“Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world,” Allan Friedman added.

OpenSSF also explained that by integrating Protobom into applications that link SBOM and vulnerability information, organizations will be able to more quickly access the necessary patches and mitigations to keep their software supply chains safe.

According to Omkhar Arasaratnam, General Manager of OpenSSF, Protobom will enable organizations to proactively manage the risk of their open source dependencies.
