A strategic partnership with Eracent enables Sopra Steria to anticipate regulatory requirements and transform vulnerability management into a competitive advantage.
In late 2021, the Log4j vulnerability exposed vast swathes of global software to exploitation, prompting a fundamental question: what, precisely, is contained within your software? At Sopra Steria, this triggered a strategic reassessment that culminated in the adoption of an enterprise-scale approach to software composition analysis.
Three years ago, the company partnered with U.S. specialist Eracent to implement an enterprise-level Software Bill of Materials (SBOM) management system now marketed as SBOM-HQ™. This was done not as a reactive measure, but as a strategic anticipation of European regulations such as the Cyber Resilience Act expected in December 2027.
"It's counter-intuitive to say that software ages," explains Alban Noguès, member of the technical department for Sopra Steria Group. "But software components, libraries and dependencies do age. Between the moment we release software and today, hackers or maintenance teams discover vulnerabilities. That's what aging means: progressively increasing exposure to external vulnerabilities."
From project to enterprise: a challenge of scale
Open-source SBOM tools exist, but they are designed for individual projects and are poorly suited to operations spanning 51,000 employees across multiple countries and thousands of IT projects. As both a software publisher and systems integrator, Sopra Steria Group needed visibility over the software it develops, including world-leading products such as HR Access and the Real Estate suite, and the third-party software it integrates.
"What we've built addresses needs from project level right through to enterprise governance," says Noguès. "When presenting the monitoring dashboard to one of our major software subsidiaries, I could show the complete risk exposure status across the entire company."
Eracent emerged as the ideal partner to support the group thanks to IT-Pedia®, its proprietary database containing over 10 million referenced software and hardware components. Built on this foundation, the company has developed the capability to apply the same rigour to open-source software as to commercial equivalents. The partnership includes weekly touchpoints and four annual releases incorporating user feedback.
Initial deployment took six months. Today, a medium-sized application can be deployed in two months. The SBOM-HQ platform currently monitors 1,500 software assets in real time with 75 users across our software solutions, with peaks of over 4,000 simultaneous assets for nearly 500 users.
The results are compelling: during the first 18 months, Sopra Steria eliminated a significant number of critical vulnerabilities from its software portfolio. But the impact goes beyond risk mitigation at a single point in time. It enables historical tracking of risk coverage over time and allows us to anticipate vulnerability patches rather than react to them. Crucially, it supports the coordinated remediation of issues across multiple components simultaneously, rather than addressing them in isolation.
This defensive capability comes with a proactive, compelling commercial argument: "When you show clients they're using a 15-year-old version with documented vulnerabilities, whilst the newer version fixes everything, you develop a very powerful pragmatic case."
The CRA in Sight
The Cyber Resilience Act, scheduled to enter into force in December 2027, will require free patches for five years, with penalties of 1 to 2.5% of annual turnover for non-compliance. The SBOM-HQ implementation therefore positions Sopra Steria ahead of the curve.
"For a group of our size, we must prepare now," warns the expert. "The CRA follows the same pattern as GDPR: managing your assets and communicating breaches rapidly is mandatory."
Beyond compliance, the platform facilitates portfolio rationalisation. "For software that's been in production without version upgrades for some time," notes Noguès, "SBOM analysis has opened transparent conversations with clients about necessary version upgrades. And our partners appreciate this honesty."
Three Key Lessons
The Sopra Steria-Eracent partnership offers a model for transforming vulnerability management:
Think at enterprise level: Software security requires corporate-level visibility and governance, not merely project-level solutions.
Favour partnership: Co-creation with suppliers bringing specialised intelligence and continuous evolution is more effective than one-off tool purchases.
Anticipate regulation: Preparing today for future requirements creates competitive advantages in terms of reduced risks and enhanced credibility.
"The subject isn't sexy," admits Noguès. "But once you understand how it transforms software lifecycle management, you realise it's not just about risks or penalties. It's about building the trust that underpins every software transaction."
About the Partnership
Sopra Steria deployed Eracent’s SBOM-HQ (a module of the broader CyberMSuite) in SaaS mode in 2022. The solution draws on IT-Pedia (10 million+ referenced components) and evolves through quarterly releases informed by Sopra Steria feedback and emerging regulatory requirements.
Learn more about Eracent and SBOM-HQ at sbomhq.com.