Why Software Bill of Materials (SBOM) Is Critical To Mitigating Software Supply Chain Risks

Smart firms maintain an up-to-date, credible SBOM for their projects that includes a list of all the open source and third-party components that are used to create high-quality, ethical, and secure code. This article discusses SBOM in greater detail.

August 17, 2022

According to a recent report on software supply chain risk, SBOM design and implementation investments are given top priority by 48% of organizations in the buyer group. By using SBOM, you can respond right away to the security, licensing, and operational concerns connected with the use of open source software. Let’s learn more about the idea, how SBOM use cases align with SCA (software composition analysis), and why it is helpful in mitigating risks in the software supply chain.

The security sector was rocked by a slew of high-profile security incidents last year, including Kaseya, the SolarWinds hack, and most recently, Apache Log4j. US President Biden issued a security executive order (EO) outlining recommendations for the agencies and vendors that do business with the government. These guidelines say that companies and agencies must safeguard their software in response to supply chain cyberattacks. One of the recommendations was a mandate for SBOMs to help guarantee the security of software used by the federal government.

Although the EO is intended for companies that work with the government, these standards, particularly SBOMs, are anticipated to become the norm for how all companies create, test, defend, and use their software applications. Let’s know more about the concept and how it has become necessary in order to protect against software supply chain attacks.


The Meaning of SBOM, Its Function in Software Supply Chain Risk Management, Applications, and More

What is SBOM?

Jeff Williams, co-founder and CTO of Contrast Security, defines SBOM as simply a list of the components and services in a piece of software, like the ingredients list on the food we consume. “Under Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, anyone selling software to the Federal government is required to provide SBOMs, and many other companies are also implementing them.”

Moshe Zioni, VP of security research at Apiiro, explains that SBOM is similar to a supply chain document in manufacturing and product development. “In product development supply chains, the manufacturer uses parts from specific vendors, installs components to build the product, and then tracks a product’s travel history from the manufacturer to the retail store where it’s purchased. Similarly, server machines in a network environment are built using vendor parts that are delivered to the manufacturing plant. The server is built and then travels from one location to another until it arrives at a data center where it’s installed. Every step in this process is a part of the supply chain.”

Williams thinks that SBOM is a great first step to improving transparency and accountability across the entire software security supply chain, but it’s important to remember that they are just a first step towards meaningful security transparency in the software market. “Beyond the ingredients, software consumers deserve a clear understanding of the threat model envisioned for the software, the security mechanisms in place, what security testing was performed, and whether developers were trained,” he adds.

Necessary for the supply chain risk mitigation

The need for SBOM sprang from the understanding that not being in control of a process carries an uncertain amount of risk, along with the need to demonstrate compliance, perform due diligence, and so on, Zioni mentions.

Williams offers another reason. He says, “The reason why SBOMs are so critical to the software security supply chain is that current-day developers heavily rely on open source code to keep pace with the increasing demands of companies to produce software. However, those same companies are getting pressure to develop SBOMs and increase visibility into the components that make up the applications they’re creating and using each day.”

“Producing an accurate SBOM can be complex because modern software has a lot of different pieces that all come together on a computer when it runs. Even more complicated is that modern applications have different pieces that run on different platforms and in different environments—often in different languages.”

“Therefore, organizations need a way to produce accurate SBOMs, quickly, which is why the software security tools they use are equally important,” states Williams. He notes that, on average, only 38% of libraries are attackable, and the remaining 62% are never loaded or invoked by the application. The best tools can focus on these attackable libraries and also provide details about services used by the software, such as APIs and other backend connections.


SBOM use cases and benefits

According to Zioni, SBOM’s use cases vary depending on who is seeking or using it, which can include developers, security and compliance teams, incident response teams, procurement and investors, to name a few. “For software engineers, in particular, it’s critical to have an up-to-date SBOM to understand which libraries are related to which underlying software’s dependencies, supportive processes, inventory, components and more.” 

Zioni says, “Additionally, SBOM is an ideal tool for security teams who require insight into third-party software risks to understand what version they are on, any licensing implications and other dependencies that may be adding to security debt. Lastly, SBOM helps incident response teams by identifying where a vulnerability originated and whether it’s been exploited in order to notify customers quickly.”

With the proliferation of open-source libraries and the mass exploitation of widely used libraries such as log4j, SBOMs can help organizations take control of open source across their application portfolio, says Williams. He adds:

  • SBOMs can help organizations prioritize the riskiest open source use. The first goal is to stamp out the use of libraries with known vulnerabilities. Later, the goal should be to establish a culture of staying close to the latest version of each open source library rather than waiting for a crisis.
  • SBOMs can also be extremely useful in a crisis situation. When a novel vulnerability in a library is disclosed, it’s critical for organizations to be able to quickly and accurately track down exactly where that version is in use across their enterprise. Establishing a database that is continuously updated with SBOM data from all corners of the organization is the key to a quick response.
  • Finally, by making SBOM information available to software consumers, we help to fix the information asymmetry problems in the software market. Consumers with access to full information about application security, including the library information in an SBOM, can make informed decisions and encourage producers to create wonderful software that’s safe to trust with the most important things.
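As an added example (not code from the article or from the experts quoted in it), the following Python sketch shows the crisis-response use case Williams describes: it indexes components from several CycloneDX-style SBOM documents by group and name, then answers which applications still carry a version below an assumed fixed version. The SBOM contents, application names and the fixed-version threshold are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample SBOMs in CycloneDX JSON shape (not real inventories).
# A real SBOM would be read with json.load() from the file each build produces.
SBOMS = [
    {"metadata": {"component": {"name": "billing-api"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j",
          "name": "log4j-core", "version": "2.14.1"},
         {"type": "library", "group": "com.fasterxml.jackson.core",
          "name": "jackson-databind", "version": "2.13.0"}]},
    {"metadata": {"component": {"name": "web-portal"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j",
          "name": "log4j-core", "version": "2.17.1"}]},
    {"metadata": {"component": {"name": "batch-jobs"}},
     "components": [
         {"type": "library", "group": "org.apache.logging.log4j",
          "name": "log4j-core", "version": "2.16.0"}]},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1). Simple numeric compare only; a real
    deployment should use an ecosystem-aware version parser."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def build_index(sboms):
    """Map (group, name) -> [(application, version), ...] across all SBOMs.
    This is the continuously updated database the article calls for."""
    index = defaultdict(list)
    for sbom in sboms:
        app = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            index[(comp.get("group", ""), comp["name"])].append((app, comp["version"]))
    return index


def index_from_files(paths):
    """Build the same index from SBOM files on disk (assumed file paths)."""
    return build_index(json.load(open(path)) for path in paths)


def find_affected(index, group, name, fixed_version):
    """Return (application, version) pairs running a version below the fix."""
    fixed = parse_version(fixed_version)
    return sorted((app, ver) for app, ver in index.get((group, name), [])
                  if parse_version(ver) < fixed)
```

When an advisory lands, the only input that changes is the component name and the fixed version; the index already knows where every copy lives.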

Do you think SBOM can help discover and mitigate an open-source supply chain vulnerability? Let us know on LinkedIn, Facebook and Twitter. We would love to hear from you!


Ojasvi Nath

Assistant Editor, Spiceworks Ziff Davis

Ojasvi Nath is Assistant Editor for Toolbox and covers varied aspects of technology. With a demonstrated history of working as a business writer, she has now switched her interest to technology and handles a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation to hardware. Being a philomath, Ojasvi thinks knowledge is like a Pierian spring. The more you dive in, the more you learn. You can reach out to her at ojasvi.nath@swzd.com