
A Deep Dive Into Eracent: SBOM Management, Vulnerability Analysis, and Beyond

Eracent is a privately held IT asset management (ITAM), software asset management (SAM), and cybersecurity solution provider founded in 2000. Their roots trace back to AT&T, Bell Labs, and Lucent’s pre-Y2K initiatives (around 1997-2000), where a core focus was placed on IT asset discovery and protection. Eracent emphasizes their experience with extensive asset discovery during a period when internet and network connectivity differed significantly from today’s, and they have focused consistently on ITAM and SAM solutions throughout their existence. This note features Eracent’s extension into open-source software risk mitigation through software bill of materials (SBOM) management.

Headquartered in Pennsylvania, Eracent has a global presence with an R&D center in Warsaw, formal offices in several countries, and partner coverage in various regions of the world. This structure provides global support and scalability, a plus for organizations with geographically distributed assets. Eracent’s offerings extend beyond core ITAM/SAM solutions. They provide an IT data enrichment library (IT-Pedia™) containing supplemental asset and open-source library information and are currently offering and developing a cybersecurity management suite.

Eracent makes a strong case for the experience of the team involved with SBOM and its deployment and management. Many of those core contributors have a long tenure and institutional knowledge in this area, giving them a thorough understanding of the problem space.

So, who’s likely to need an SBOM? Do you need to identify the origin of every line of code within a product? Do you need a developer’s or a user’s perspective?

Some common stakeholders:

  • Procurement: Evaluates products for vulnerabilities and licensing issues before deployment, securing the enterprise software supply chain.
  • Cybersecurity teams: Analyze deployed solutions to understand potential vulnerabilities, risks, and licensing concerns.
  • Software developers: Internally create SBOMs to identify potential risks from open-source licenses, criticality of components, and obsolescence within their applications.

Source: Eracent Analyst Briefing Deck June (2024)


This highlights an SBOM’s value across different departments within an organization. I appreciate the fact that this tool eliminates unknowns and supports many integrations with existing security tools, eliminating data silos.

Eracent highlights three key challenges addressed by their SBOM solution:

  1. Vulnerability management: Identifying vulnerabilities hidden within software components (libraries) that traditional security tools might not detect; the SBOM is what exposes these hidden components.
  2. Open-source software risks: Eracent addresses the risks associated with open-source software, including version tracking, licensing issues, and potential vulnerabilities within open-source libraries used in commercial products.
  3. Compliance with mandates and directives: With the growing trend of government mandates and directives around the globe requiring the use of SBOMs, Eracent’s solution can help organizations comply with these evolving regulations.

Two adoption drivers that come to mind are the New York Department of Financial Services (NYDFS) Section 500 regulation and Executive Order 14028, highlighting the increasing prescriptiveness of these mandates regarding SBOM adoption. This focus positions Eracent’s SBOM solution as a tool to address vulnerability management, open-source software risks, and compliance with emerging SBOM regulations.

Eracent dives deeper into the concept of open-source software risks, focusing on two main areas:

  1. Technical risks: They highlight the potential security risks associated with outdated or poorly maintained open-source code within an organization’s software stack. They also emphasize the importance of proper open-source component lifecycle management.
  2. Licensing risks: Eracent explains the varying levels of risk associated with different open-source license types. Permissive licenses offer greater flexibility, while restrictive licenses can impose limitations on usage, modification, and distribution. Crucially, non-compliance with license terms can have legal or financial repercussions.

Eracent emphasizes the importance of understanding license types before adopting open-source software, both for commercial vendors and internal development teams. They went on to recommend incorporating open-source license review into the proof-of-concept stage of the software selection process. This proactive approach helps identify potential risks upfront and ensures informed decision-making.

Eracent positions their solution as catering specifically to the needs of "software consumers." This refers to organizations that primarily procure and manage software from vendors, rather than focusing heavily on internal development.

Some of the benefits for consumers:

  • Consolidated SBOM management: Aims to consolidate SBOMs from various software vendors in one central location, simplifying analysis, management and reporting.
  • Compliance support: Assists organizations in meeting compliance requirements related to open-source licensing, obsolescence, and current and potential future mandates that include SBOM-related requirements.
  • Data, reporting, and analysis: Offers comprehensive data, reports, dashboards and analysis of SBOM information to facilitate informed decision-making.

Eracent touts constant monitoring and updating of their solution, leveraging vulnerability data from various industry standards to keep their SBOM information current.

Eracent introduced their SBOM Manager™ as a key component of their solution. They highlighted several features that differentiate their approach:

  • Centralized SBOM repository: Eracent manages the content of SBOMs from various sources in a central repository. This eliminates the need to review individual SBOMs for each software product, streamlining vulnerability identification.
  • Customizable SBOM enrichment: Customers can upload SBOMs and add relevant data points like publisher, line of business, and application component.
  • SBOM deconstruction and mapping: Eracent’s SBOM Manager "deconstructs" uploaded SBOMs, extracting component and library information. This allows for identification of all products within an organization that use a specific library, even if used across multiple vendors.
  • Vulnerability identification and reporting: By mapping components across products, Eracent’s solution can quickly identify all instances of a vulnerable library within an organization’s environment.
  • Integration with discovery and mitigation tools: Eracent shared that the SBOM Manager can export vulnerability data to be used by existing discovery and mitigation tools within an organization’s security posture.

In summary, Eracent’s SBOM Manager focuses on centralized SBOM management, data enrichment, and efficient vulnerability identification and remediation.
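The deconstruction-and-mapping step above is the one that turns a pile of vendor SBOMs into a single answer to "which of our products ship this library?". The following is an added illustration of that step, not Eracent's code: it parses two constructed CycloneDX-style SBOMs, attaches consumer-side enrichment (publisher, line of business), builds a central index keyed by package URL, and then resolves a constructed advisory (placeholder id, no real CVE) against every product in the index. The prevalence-weighted priority score at the end is a simple illustrative heuristic, not Eracent's scoring method.

```python
"""Added example (not Eracent's code): deconstruct several vendor SBOMs into one
central component index, enrich each with consumer-side data, and find every
product that ships a vulnerable version of a library.  All SBOMs, enrichment
records and the advisory are constructed sample data."""
import json
from collections import defaultdict

# Two constructed vendor SBOMs in the CycloneDX JSON shape (bomFormat, metadata, components, purl).
SBOM_FILES = {
    "vendor-a-billing-3.2.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "BillingSuite", "version": "3.2"}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.12.3",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"},
        ],
    }),
    "vendor-b-portal-1.9.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "CustomerPortal", "version": "1.9"}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "name": "lodash", "version": "4.17.20",
             "purl": "pkg:npm/lodash@4.17.20"},
        ],
    }),
}

# Data points the consumer adds at upload time (publisher, line of business); constructed.
ENRICHMENT = {
    "vendor-a-billing-3.2.json": {"publisher": "Vendor A", "lob": "Finance"},
    "vendor-b-portal-1.9.json": {"publisher": "Vendor B", "lob": "Retail"},
}

# Constructed advisory with a placeholder id: versions >= introduced and < fixed are affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-1",
            "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
            "introduced": "2.0", "fixed": "2.15.0", "cvss": 9.8}


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (package key, version)."""
    pkg, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return pkg, version


def version_tuple(v):
    """Comparable tuple for simple dotted versions; non-numeric fragments count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def deconstruct(sbom_files, enrichment):
    """Central index: package key -> list of {product, version, lob, publisher}."""
    index = defaultdict(list)
    for filename, raw in sbom_files.items():
        doc = json.loads(raw)
        meta = doc.get("metadata", {}).get("component", {})
        product = f"{meta.get('name', filename)} {meta.get('version', '')}".strip()
        extra = enrichment.get(filename, {})
        for comp in doc.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # components without a purl cannot be matched reliably
            pkg, version = split_purl(purl)
            index[pkg].append({"product": product,
                               "version": version or comp.get("version", ""),
                               "lob": extra.get("lob"),
                               "publisher": extra.get("publisher")})
    return index


def affected_products(index, advisory):
    """Every indexed instance whose version lies in the advisory's affected range."""
    lo, hi = version_tuple(advisory["introduced"]), version_tuple(advisory["fixed"])
    return [entry for entry in index.get(advisory["package"], [])
            if lo <= version_tuple(entry["version"]) < hi]


def prevalence_score(hits, total_products, cvss):
    """Illustrative prioritisation: CVSS weighted by the share of products affected."""
    affected = len({h["product"] for h in hits})
    return round(cvss * (1 + affected / total_products), 2)


if __name__ == "__main__":
    idx = deconstruct(SBOM_FILES, ENRICHMENT)
    hits = affected_products(idx, ADVISORY)
    for h in hits:
        print(f"{ADVISORY['id']}: {h['product']} ({h['lob']}, {h['publisher']}) ships {h['version']}")
    print("priority score:", prevalence_score(hits, len(SBOM_FILES), ADVISORY["cvss"]))
```

Only the product on the affected side of the version range is reported, even though both vendors ship the same library; that is the distinction a per-SBOM review makes slowly and an indexed repository makes in one lookup. The version comparison is deliberately naive (pre-release suffixes are not handled), which is exactly the kind of gap a production tool has to close with ecosystem-specific version semantics.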


Source: Eracent Analyst Briefing Deck June (2024)


Eracent discussed several functionalities related to ownership, version tracking, and mitigation within their SBOM solution. Eracent leverages vulnerability data from multiple sources, including industry standards and potentially internal feeds. This comprehensive approach aims to provide a more complete picture of potential risks. The solution assigns risk scores to vulnerabilities, considering factors like potential impact and prevalence across the organization’s environment. There is good visibility into license types associated with components within SBOMs, which allows for informed decision-making regarding license compliance.

Eracent’s SBOM management tracks component versions within products. This enables identification of outdated components and facilitates upgrade planning to address potential security vulnerabilities or obsolescence issues. Their IT data enrichment library, IT-Pedia, includes information on open-source libraries, including versioning details that provide additional context for managing open-source software risks.

When our discussion moved to security frameworks, Eracent shared that their tool allows organizations to map their SBOM data and security processes to various security and IT management frameworks, such as the NIST Cybersecurity Framework (CSF), ISO 27001, and ITIL, which gives flexibility to organizations with existing compliance requirements. It can also facilitate documenting and managing proactive security processes, including ownership, procedures, discovery tools used, and execution frequency. Lastly, the tool helps map assets identified within SBOMs to the broader IT landscape, providing context for their usage, and offers role-based access control (RBAC) for managing access to SBOM and security process data within the platform.


Source: Eracent Analyst Briefing Deck June (2024)


Eracent positions itself as different from competitors in the SBOM space by focusing on "software consumers." They acknowledge several competitors but categorize them as primarily catering to application development teams. Eracent suggests most competitors focus on SBOM generation and vulnerability analysis during the development process, targeting app development teams. Eracent once again emphasizes catering to software consumers who need to control their software supply chain, manage SBOMs from various vendors, and prioritize vulnerabilities within their deployed software environment.



Source: Eracent Analyst Briefing Deck June (2024)


When I asked about competitors, we discussed Dependency-Track, CAST, Snyk, Sonatype and JFrog. These are established players in the vulnerability management space, but Eracent asserted that their SBOM functionality might be less comprehensive. There are, of course, smaller players in the SBOM space with different areas of focus and a narrower set of functionality.

Source: Eracent Analyst Briefing Deck June (2024)


Eracent prioritizes "software consumer" organizations (90%+) over software publishers and developers. However, they acknowledge their first client is a large software developer who also consumes a significant amount of third-party software. Eracent offers a subscription-based model for accessing their SBOM management solution, following a cloud-based (SaaS) deployment model, although on-premises deployment options are available. The subscription model includes ongoing monitoring of uploaded SBOMs, leveraging vulnerability data feeds to identify potential risks within the software components.


Source: Eracent Analyst Briefing Deck June (2024)


The analyst briefing turned into a demo, and I was able to see the SBOM Manager user interface (UI) which highlighted some potential functionalities for vulnerability and obsolescence management:

  • Vulnerability dashboard: The UI offers a dashboard displaying a high-level overview of vulnerabilities within the organization’s software environment. Users can filter vulnerabilities based on:
    • Severity: Critical, high, medium, low, or non-critical vulnerabilities.
    • Line of business (LoB): View vulnerabilities affecting specific business units within the organization.
    • Most affected modules/libraries: Identify the software components most impacted by vulnerabilities.
  • Vulnerability trend analysis: The dashboard allows users to track trends in vulnerability identification over time. Ideally, the number of vulnerabilities should decrease over time as mitigation efforts are implemented.
  • Drill-down capabilities: Users can delve deeper into specific vulnerabilities to gather details such as:
    • Affected component or library
    • Current version and release date
    • Latest available version and release date
    • End-of-life information (for obsolescence analysis).

I was pleased with the availability of additional dashboard filters beyond LoB and severity. The level of detail provided for each vulnerability within the drill-down functionality seemed useful, and the SBOM Manager can integrate with other security tools for vulnerability remediation workflows. Eracent discussed the importance of LoB involvement in developing their SBOM solution. They collaborated with a large European banking institution during the development of the SBOM Manager. This collaboration helped ensure the solution catered to the specific needs of "software consumers" within the financial services industry.
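The dashboard and drill-down views described above are, underneath, a handful of queries over a table of findings. The following added example (not Eracent's code) runs those queries over constructed drill-down records: severity and line-of-business filters, a most-affected-components ranking, an open-finding trend across snapshot dates, and an obsolescence check computed from current vs. latest version and end-of-life date. Every record, version and date is constructed sample data.

```python
"""Added example (not Eracent's code): the dashboard queries described above run
over constructed drill-down records: severity / line-of-business filters, most
affected components, an open-vulnerability trend across snapshot dates, and an
obsolescence check from current vs. latest version and end-of-life date.  Every
record, version and date below is constructed sample data."""
from collections import Counter
from datetime import date

TODAY = date(2024, 7, 1)
SNAPSHOT_DATES = [date(2024, 5, 15), date(2024, 6, 1), TODAY]


def finding(fid, component, lob, severity, current, current_release,
            latest, latest_release, eol, first_seen, resolved=None):
    """Build one drill-down record in the shape of the dashboard fields above."""
    return {"id": fid, "component": component, "lob": lob, "severity": severity,
            "current": current, "current_release": current_release,
            "latest": latest, "latest_release": latest_release, "eol": eol,
            "first_seen": first_seen, "resolved": resolved}


FINDINGS = [
    finding("F-1", "log4j-core", "Finance", "critical", "2.14.1", date(2022, 3, 1),
            "2.23.0", date(2024, 3, 1), None, date(2024, 5, 1)),
    finding("F-2", "log4j-core", "Retail", "critical", "2.14.1", date(2022, 3, 1),
            "2.23.0", date(2024, 3, 1), None, date(2024, 5, 1), resolved=date(2024, 6, 15)),
    finding("F-3", "openssl", "Finance", "high", "1.0.2u", date(2022, 1, 10),
            "3.3.0", date(2024, 1, 10), date(2023, 12, 31), date(2024, 5, 10)),
    finding("F-4", "jquery", "Retail", "medium", "3.5.1", date(2022, 6, 1),
            "3.7.1", date(2024, 6, 1), date(2024, 9, 30), date(2024, 6, 1)),
    finding("F-5", "lodash", "Finance", "low", "4.17.21", date(2023, 2, 1),
            "4.17.21", date(2023, 2, 1), None, date(2024, 5, 20), resolved=date(2024, 6, 10)),
    finding("F-6", "jquery", "Finance", "medium", "3.5.1", date(2022, 6, 1),
            "3.7.1", date(2024, 6, 1), date(2024, 9, 30), date(2024, 6, 5)),
]


def open_on(f, day):
    """True if the finding had been seen by `day` and was not yet resolved on it."""
    return f["first_seen"] <= day and (f["resolved"] is None or f["resolved"] > day)


def filter_findings(findings, day=TODAY, severity=None, lob=None):
    """Open findings on `day`, optionally narrowed by severity and/or line of business."""
    return [f for f in findings if open_on(f, day)
            and (severity is None or f["severity"] == severity)
            and (lob is None or f["lob"] == lob)]


def most_affected(findings, day=TODAY, top=3):
    """Components with the most open findings, highest first."""
    return Counter(f["component"] for f in findings if open_on(f, day)).most_common(top)


def trend(findings, days=SNAPSHOT_DATES):
    """Open-finding count per snapshot date; it should fall as mitigations land."""
    return [(d.isoformat(), sum(open_on(f, d) for f in findings)) for d in days]


def obsolescence(f, day=TODAY):
    """Release lag in days between the shipped and latest version, plus EOL status."""
    outdated = f["current"] != f["latest"]
    eol = f["eol"]
    return {"component": f["component"], "outdated": outdated,
            "lag_days": (f["latest_release"] - f["current_release"]).days if outdated else 0,
            "eol_reached": eol is not None and eol <= day,
            "days_to_eol": (eol - day).days if eol is not None and eol > day else None}


def dashboard(findings, day=TODAY):
    """High-level overview: open count, split by severity, top components, EOL components."""
    open_now = [f for f in findings if open_on(f, day)]
    return {"open": len(open_now),
            "by_severity": dict(Counter(f["severity"] for f in open_now)),
            "most_affected": most_affected(findings, day),
            "eol_reached": [f["component"] for f in open_now
                            if obsolescence(f, day)["eol_reached"]]}


if __name__ == "__main__":
    print(dashboard(FINDINGS))
    print(trend(FINDINGS))
    for f in filter_findings(FINDINGS, lob="Finance"):
        print(obsolescence(f))
```

The trend on the constructed data rises and then falls rather than declining monotonically, which is the realistic case: newly uploaded SBOMs add findings faster than remediation closes them, and the trend line is only meaningful once upload volume has settled. The obsolescence record keeps release lag and end-of-life as separate fields because a component can be far behind the latest release yet still supported, or current yet past its end-of-life date.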

The dashboard offers insights into the licensing landscape of the organization’s software components, potentially highlighting weak or strong copyleft licenses, which may impose restrictions on usage or modification. Users can delve deeper into specific licenses to understand the potential implications for each component.

The UI provides an overview of uploaded SBOMs, including:

  • Processing status: Tracks the progress of SBOM uploads and identifies any issues encountered during processing.
  • Component recognition: Highlights unrecognized components or versions within uploaded SBOMs.
  • Format validation: Checks the validity of the SBOM file format itself, identifying any formatting errors that might hinder processing.
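As an added example (not Eracent's code) of the processing pass an upload goes through, the block below validates a CycloneDX-style JSON document, recognises each component against a constructed known-library catalogue (standing in for an enrichment source such as IT-Pedia, whose real contents are not on this page), and produces the permissive / weak copyleft / strong copyleft licence overview described two paragraphs up. The catalogue, the licence-family table, and both uploads are constructed sample data; the purl pattern is a deliberately minimal check, not the full purl specification.

```python
"""Added example (not Eracent's code): processing of one SBOM upload, that is,
format validation of a CycloneDX-style JSON document, recognition of components
against a known-library catalogue, and a licence overview grouped into
permissive / weak copyleft / strong copyleft.  Catalogue, licence families and
uploads are constructed sample data."""
import json
import re

# Constructed stand-in for a known-component reference: package key -> known versions.
KNOWN_COMPONENTS = {
    "pkg:npm/lodash": {"4.17.20", "4.17.21"},
    "pkg:maven/org.apache.logging.log4j/log4j-core": {"2.14.1", "2.17.1"},
    "pkg:pypi/requests": {"2.31.0"},
}

# Coarse family per SPDX licence id; anything unmapped is reported as unknown.
LICENSE_FAMILY = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1-only": "weak copyleft", "MPL-2.0": "weak copyleft", "EPL-2.0": "weak copyleft",
    "GPL-2.0-only": "strong copyleft", "GPL-3.0-only": "strong copyleft",
    "AGPL-3.0-only": "strong copyleft",
}

# Minimal purl shape: pkg:type/name[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+(@[^?#]+)?(\?[^#]*)?(#.*)?$")


def validate_format(doc):
    """Return format errors for a parsed document; an empty list means it is valid."""
    errors = []
    if doc.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be 'CycloneDX'")
    if not isinstance(doc.get("specVersion"), str):
        errors.append("specVersion missing")
    comps = doc.get("components")
    if not isinstance(comps, list):
        return errors + ["components must be a list"]
    for i, c in enumerate(comps):
        for field in ("type", "name", "version"):
            if not c.get(field):
                errors.append(f"components[{i}] missing {field}")
        if c.get("purl") and not PURL_RE.match(c["purl"]):
            errors.append(f"components[{i}] has a malformed purl: {c['purl']}")
    return errors


def recognise_components(doc, catalogue):
    """Sort components into recognised, unknown version, or unknown package."""
    out = {"recognised": [], "unknown_version": [], "unknown_package": []}
    for c in doc["components"]:
        pkg, _, rest = c.get("purl", "").partition("@")
        version = rest.split("?", 1)[0].split("#", 1)[0] or c["version"]
        if pkg not in catalogue:
            out["unknown_package"].append(c["name"])
        elif version not in catalogue[pkg]:
            out["unknown_version"].append(f"{c['name']}@{version}")
        else:
            out["recognised"].append(f"{c['name']}@{version}")
    return out


def license_overview(doc):
    """Count components per licence family (first declared licence id wins)."""
    counts = {"permissive": 0, "weak copyleft": 0, "strong copyleft": 0, "unknown": 0}
    for c in doc["components"]:
        ids = [entry.get("license", {}).get("id") for entry in c.get("licenses", [])]
        counts[LICENSE_FAMILY.get(ids[0], "unknown") if ids else "unknown"] += 1
    return counts


def process_upload(raw, catalogue=KNOWN_COMPONENTS):
    """Processing status for one upload: failed with errors, or processed with results."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"status": "failed", "errors": [f"not valid JSON: {exc.msg}"]}
    if not isinstance(doc, dict):
        return {"status": "failed", "errors": ["top-level value must be an object"]}
    errors = validate_format(doc)
    if errors:
        return {"status": "failed", "errors": errors}
    return {"status": "processed", "errors": [],
            "recognition": recognise_components(doc, catalogue),
            "licenses": license_overview(doc)}


# Constructed uploads: one well-formed with mixed recognition, one with format errors.
SAMPLE_UPLOAD = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.30.0",
         "purl": "pkg:pypi/requests@2.30.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "purl": "pkg:generic/readline@8.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "1.0"},
    ],
})
BROKEN_UPLOAD = '{"bomFormat": "SPDX", "components": [{"type": "library", "name": "x"}]}'

if __name__ == "__main__":
    print(json.dumps(process_upload(SAMPLE_UPLOAD), indent=2))
    print(json.dumps(process_upload(BROKEN_UPLOAD), indent=2))
```

A component with a known package but an unlisted version is reported separately from one whose package is unknown altogether, because the two call for different follow-up: the first is usually a catalogue lag, the second a naming or format problem in the vendor's SBOM. Components that declare no licence land in the unknown bucket rather than silently counting as permissive.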

Acknowledging the dynamic nature of vulnerability data and the need for continuous improvement, Eracent mentioned that they use "weather reports" to compare their vulnerability scoring accuracy with other tools. In the same vein, Eracent maintains a broad repository of open-source libraries, potentially including not only those identified within uploaded SBOMs but also a wider range from various sources (e.g. Git, Maven, PyPI). This comprehensive approach allows for proactive vulnerability identification even for libraries not yet discovered within an organization’s environment.

Eracent introduced their IT-Pedia as a key vulnerability data management component. They went on to mention it serves as their consolidated database for vulnerability information associated with software components. On numerous occasions I heard the emphasis on their commitment to accurate vulnerability data by avoiding reliance on solely community-driven vulnerability sources and validating CVSS scores by cross-referencing with other vulnerability databases.

Eracent educated me on the importance of data source validation for vulnerability scoring and SBOM accuracy. They went on to criticize browser extensions and potentially other community-driven approaches to SBOM data collection, raising concerns about data quality and potential inaccuracies and highlighting the importance of validated vulnerability data sources to avoid false positives in vulnerability scoring. They confirmed they go the extra mile to verify CVSS scores through cross-referencing with different vulnerability databases.
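The cross-referencing Eracent describes amounts to refusing to take a single source's CVSS score at face value. The block below is an added example of that check, not Eracent's code or method: it compares the base score each database reports for an advisory, accepts a value only when at least one trusted source reports it and all sources agree within a tolerance, and flags the rest for review. Source names, the trusted set, the tolerance, and every score are constructed sample data with placeholder advisory ids.

```python
"""Added example (not Eracent's code): cross-referencing CVSS base scores from
several vulnerability databases before accepting one.  Source names, trusted
set, tolerance and all scores are constructed sample data; advisory ids are
placeholders."""
from statistics import median

# Score reported by each source for each advisory (constructed).
SCORES = {
    "ADV-PLACEHOLDER-1": {"national_db": 9.8, "vendor_advisory": 9.8, "community": 9.8},
    "ADV-PLACEHOLDER-2": {"national_db": 7.5, "vendor_advisory": 5.3, "community": 9.1},
    "ADV-PLACEHOLDER-3": {"community": 8.8},
    "ADV-PLACEHOLDER-4": {"national_db": 6.1, "vendor_advisory": 6.5},
}
TRUSTED_SOURCES = {"national_db", "vendor_advisory"}


def reconcile(scores, trusted=TRUSTED_SOURCES, tolerance=1.0):
    """Pick a score per advisory and label how far it can be trusted.

    validated  - at least one trusted source, and all sources agree within `tolerance`
    disputed   - sources disagree by more than `tolerance`; the trusted median is kept
                 but the entry should be reviewed before it drives prioritisation
    unverified - only untrusted (e.g. community-submitted) sources report it; no score
    """
    out = {}
    for adv, by_source in scores.items():
        trusted_vals = [v for src, v in by_source.items() if src in trusted]
        spread = max(by_source.values()) - min(by_source.values())
        if not trusted_vals:
            out[adv] = {"score": None, "status": "unverified", "spread": spread}
        elif spread > tolerance:
            out[adv] = {"score": median(trusted_vals), "status": "disputed", "spread": spread}
        else:
            out[adv] = {"score": median(trusted_vals), "status": "validated", "spread": spread}
    return out


def needs_review(reconciled):
    """Advisory ids whose score should not be used unexamined."""
    return [adv for adv, r in reconciled.items() if r["status"] != "validated"]


if __name__ == "__main__":
    result = reconcile(SCORES)
    for adv, r in result.items():
        print(f"{adv}: {r['status']:<10} score={r['score']} spread={r['spread']:.1f}")
    print("review:", needs_review(result))
```

Keeping the spread alongside the chosen score matters: a disputed entry with a trusted median of 6.4 and a community score of 9.1 would otherwise look like a medium when one source considers it critical, and that disagreement is the signal the cross-check exists to surface.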

Our Take

Overall, Eracent’s SBOM Manager offers functionalities that can be valuable for software consumers managing vulnerabilities, licenses, and security processes across their software environment. Some clearly valuable capabilities are gaining a centralized view of vulnerabilities across various software components within the organization’s environment, prioritizing remediation efforts by focusing on vulnerabilities with the most significant potential impact and improving license compliance by identifying potential licensing issues associated with software components. Of course, the icing on the cake is streamlining SBOM management through a central platform, including upload, analysis, and ongoing monitoring.
