Software Bill of Materials (SBOM) - Washington Release
Today I'm going to introduce you to our Software Bill of Materials, or SBOM, solution, including how it interacts with our Vulnerability Response products in the ServiceNow platform. But first, let's be clear about what an SBOM is. An SBOM is a file generated from one of many generation tools that exist, which captures the component parts of an application into a JSON file. This includes open-source code, proprietary code, libraries, licenses, publisher name of the components, and unique identifiers. In other words, an SBOM is a machine-readable inventory of the third-party components used in a software product and the supply chain relationships between them.

So why would you be interested in using SBOMs in your organization? Both the United States and the European Union have published requirements stating that if your organization is going to have relationships with them, and where your software is in their environments, an SBOM must be supplied to provide further resiliency and awareness for those governments. Organizations can leverage these mandates to make sure they are also able to ingest SBOMs and know what lives in their environments just as carefully as these governmental bodies do. Note that in the US, the Federal Trade Commission intends to pursue companies that fail to protect consumer data due to breaches like Log4j. If your organization knows that you're using components like Log4j via SBOM, you'd be aware of the vulnerabilities that exist in your environments ahead of time and be able to plan around them effectively.

With that, let's dive into the SBOM solution that ServiceNow has for your organization to ingest, organize, plan, and act on SBOMs for your environments. Welcome to the SBOM workspace, where you can get an overarching view of the BOMs you've ingested and view and manage your risk exposure. We have summary widgets at the top showing you vital at-a-glance information. You can see the total number of BOM entities ingested as well as a breakdown by type, including application, container, library, or any other type of BOM. We can also see how many BOM entities have vulnerabilities and the application vulnerable items created based on your AVI creation rules, which we'll show later. Importantly, at the bottom you also have a complete list of all the BOM entities that you've ingested and can click on any one of them to explore them individually.

Let's look at the Payment Gateway BOM that was ingested. Here we can see a quick overview, which includes the name of the BOM as well as the classifier (in this case it is an application BOM) and additional information if contained in the BOM. The Depends On tab lists all the components in the BOM along with the classifier, version, group, licenses, package URL (which acts as a unique identifier), and BOM entity count, which shows you which are the top components used in the environment. On the Vulnerabilities tab we see information on any CVEs and a summary for each component that is affected. If you have CISA information in your BOM as well, you'll find it here, including due dates, exploit attack vector, and skill level. Lastly, the AVIs tab displays application vulnerable items related to this BOM. These are created upon ingestion of the BOM and execution of a rule, if your organization has enabled AVI creation rules. These AVIs are connected to Application Vulnerability Response tools in ServiceNow, making it easy to track between response and ingestion.

Let's look at Components next. These are all the components in your environment; these are tracked as you ingest more and more SBOMs. Two out-of-the-box summary widgets display the number of vulnerable components in your environment by criticality, as well as components by license. Below the widgets is the overall component list. This list displays the number of CVEs that exist for each component, which is helpful as you can easily sort the component list, giving you a quick idea of how many vulnerabilities exist in your environment and which components have the most vulnerabilities. The component list also provides information seen on the BOM itself, such as version number, license, and package URL, which acts as a unique identifier for each component. You can also see how often the component shows up in your environment with an overarching count of BOM entities and related AVIs. Let's drill down into the dom4j component. Here you can see an overview of that component; a dependency graph showing where this component lives inside your environment and what it interacts with; which BOM this component is a part of; vulnerabilities that exist for this component; and AVIs that are tied to the component after being analyzed against the AVI creation rules that exist.

We've seen AVIs show up in multiple places in the workspace. Now let's show you how they're created and used. Here is where you manage AVI creation rules that are applied against the SBOMs that are ingested. When activated, these rules will scrape the BOMs against whatever configurations and conditions you set to create application vulnerable items. Your organization can create as many AVIs as you'd like via SBOMs, or you can decide not to; it's completely up to you. Creating these conditions is flexible, in whatever way fits your organization best. If you want severity of vulnerability, you could set that as a condition, or if you wanted to make sure AVIs are created around specific components, you can do that as well.

Lastly, let's look at the BOM queue and how you can manually ingest SBOMs. The BOM queue is the part of the workspace where you can manually upload a BOM if you don't have an API handling these uploads for you on a regular basis. If you're using an API to do this, you wouldn't typically need to use this space to ingest BOMs. Here we can see the ingested BOMs in this environment. These BOMs are processed here in the BOM queue, where we can see their status, including whether they've been processed successfully or if they've had any errors. The widgets provide a quick view of how many BOMs have been uploaded in the last 30 days, whether the upload source was manual or automatic, and any upload errors and their cause, if applicable. The system can also ingest BOMs for containers, libraries, and other types like firmware. For now, the system ingests CycloneDX-formatted files and will soon support SPDX as well.

I hope this has provided you with a helpful overview of our Software Bill of Materials solution that will work in conjunction with your ServiceNow Vulnerability Response products. Knowing the software components, including open-source libraries, that live in your environment, and having the ability to update your records and remediation processes with this new SBOM product, will provide you with another set of tools so you can effectively act on risks in your environment and ensure your supply chain relationships stay secure, available, and known. Thanks for watching.
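The walkthrough above describes three things the workspace does with an ingested CycloneDX file: build a component list (name, version, license, package URL), count the CVEs per component so the list can be sorted by exposure, and run AVI creation rules (by severity or by specific component) to create application vulnerable items. The script below is an added illustration of that pipeline on a small constructed CycloneDX 1.5 JSON document; it is not ServiceNow's code and does not use the ServiceNow API. The `bomFormat`, `components`, `bom-ref`, `purl`, `licenses`, `vulnerabilities`, `ratings` and `affects` keys are real CycloneDX fields; the rule shape (`min_severity`, `component_names`), the `VulnerableItem` record and the `CVE-EXAMPLE-*` identifiers are assumptions made for the example.

```python
"""Parse a CycloneDX JSON SBOM, list components and CVE counts, apply AVI-style rules.

Added example, not ServiceNow code. The SBOM and the CVE ids below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample SBOM: a minimal CycloneDX 1.5 document for a fictional application.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "payment-gateway", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-log4j", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1", "publisher": "Apache",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "lib-dom4j", "group": "org.dom4j", "name": "dom4j",
         "version": "2.1.1", "purl": "pkg:maven/org.dom4j/dom4j@2.1.1",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "bom-ref": "lib-jackson", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    # Placeholder CVE ids (constructed); a real SBOM or VEX would carry real identifiers.
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "critical"}], "affects": [{"ref": "lib-log4j"}]},
        {"id": "CVE-EXAMPLE-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "lib-dom4j"}]},
        {"id": "CVE-EXAMPLE-0003", "ratings": [{"severity": "low"}], "affects": [{"ref": "lib-log4j"}]},
    ],
})

# Ordering used to compare a rule's minimum severity against a rating.
SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class VulnerableItem:
    """Assumed shape of an application vulnerable item produced by a rule."""
    purl: str
    cve: str
    severity: str
    rule: str


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return doc


def inventory(doc):
    """Component list as the workspace shows it: type, name, version, licenses, purl."""
    rows = []
    for c in doc.get("components", []):
        lic = c.get("licenses", [])
        ids = [entry.get("license", {}).get("id") or entry.get("license", {}).get("name") for entry in lic]
        rows.append({"type": c.get("type", ""), "name": c["name"], "version": c.get("version", ""),
                     "licenses": [x for x in ids if x], "purl": c.get("purl", "")})
    return rows


def cves_by_component(doc):
    """Map each component purl to the (cve id, worst severity) pairs that affect it."""
    ref_to_purl = {c.get("bom-ref"): c.get("purl") for c in doc.get("components", [])}
    out = {purl: [] for purl in ref_to_purl.values() if purl}
    for v in doc.get("vulnerabilities", []):
        sev = max((r.get("severity", "unknown").lower() for r in v.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")
        for a in v.get("affects", []):
            purl = ref_to_purl.get(a.get("ref"))
            if purl:
                out[purl].append((v["id"], sev))
    return out


def most_vulnerable(doc):
    """Components sorted by CVE count, highest first, like sorting the component list."""
    by_purl = {c.get("purl"): c["name"] for c in doc.get("components", [])}
    counts = [(by_purl[p], len(v)) for p, v in cves_by_component(doc).items()]
    return sorted(counts, key=lambda t: (-t[1], t[0]))


def apply_rules(doc, rules):
    """Create a VulnerableItem for every (component, CVE) pair that satisfies a rule.

    A rule (assumed shape) may set "min_severity" and/or "component_names"; a rule that sets
    neither matches everything, which is the "create as many AVIs as you'd like" case.
    """
    by_purl = {c.get("purl"): c["name"] for c in doc.get("components", [])}
    items = []
    for purl, vulns in cves_by_component(doc).items():
        for cve, sev in vulns:
            for rule in rules:
                floor = SEVERITY_RANK.get(rule.get("min_severity", "none"), 0)
                if SEVERITY_RANK.get(sev, 0) < floor:
                    continue
                names = rule.get("component_names")
                if names and by_purl[purl] not in names:
                    continue
                items.append(VulnerableItem(purl, cve, sev, rule["name"]))
    return items


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for row in inventory(sbom):
        print(row)
    print(most_vulnerable(sbom))
    demo_rules = [{"name": "high-and-above", "min_severity": "high"},
                  {"name": "watch-log4j", "component_names": ["log4j-core"]}]
    for item in apply_rules(sbom, demo_rules):
        print(item)
```

Two rules are run in the usage block: one keyed on severity (only high or critical ratings) and one keyed on a specific component name regardless of severity, which are the two condition styles the walkthrough mentions. Note that a single CVE can produce one item per matching rule, so a deployment that wants one AVI per component/CVE pair would need to de-duplicate on `(purl, cve)`.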
https://www.youtube.com/watch?v=s08ZNji_hN4