This concept should be extended to all your applications as well. Software bills of materials (SBOM) promise many of the same benefits as physical BOMs. Much like their physical cousins, SBOMs list out each component of a piece of software. The process is more complex than it sounds at first because modern software is often a combination of bits of open-source code, APIs, and proprietary code. The inclusion of legacy information—where each component came from and the history of its development—separates an SBOM from a mere receipt.
The growing need for SBOMs
Because of their lucrative appeal, cyber attacks on supply chains continue to grow. Hackers can exploit a weakness to access each company within a software supply chain, locking out users and demanding a ransom. In the same way that a BOM is used to track down a faulty component in a defective motherboard, an SBOM can track down potential code vulnerabilities, trace bugs, and manage licensing and compliance issues.
Who needs SBOMs?
SBOMs were first experimented with by the finance industry as early as 2013. Since then, SBOM usage has grown widely. According to the Linux Foundation, 78% of surveyed organizations intend to adopt the use of SBOMs this year.
Generating your own SBOMs or asking your vendors to supply them will substantially increase your ability as an organization to answer these vital security questions:
- Are we vulnerable to the latest zero-day vulnerability?
- Where precisely in the software supply chain are we vulnerable to this?
Taking the time and care to catalog software components accurately (and update that catalog frequently!) will grant your organization and everyone in your supply chain greater peace of mind.
How do you create an SBOM?
The good news is that the National Telecommunications and Information Administration (NTIA) has been thinking about this concept since 2018. As a result, it put together a site for practitioners to learn about SBOMs. Additionally, the Cybersecurity and Infrastructure Agency (CISA) has created weekly workstream meetings to share SBOM information.
Currently, there are no legal requirements or industry standards for creating an SBOM. However, in 2021, NTIA created guidance that details the elements that go into a Software Bill of Materials:
- Data Fields – This category covers software name, version, supplier name, and relevant licensing info. It also includes a timestamp for the creation of the SBOM.
- Automation – It’s vital to include automation in an SBOM so that other programs can read it and the SBOM can be updated without manual input.
- Processes – Proper processes must be in place for an SBOM to continue gathering data and be accessible.
SBOMs can be created during the software development process. Also, several applications generate SBOMs after the fact using software composition analysis.
Also read: How CIS controls can simplify cybersecurity
Using software bills of materials now and into the future
Software bills of materials are valuable tools in the fight against cyber attacks. They provide transparency for software developers and boost efficiency when debugging. By creating SBOMs, developers can build better customer relationships and maintain healthy software supply chains. And administrators can analyze the risks of adding a new application by reviewing the history of each component.
Cyber defense and malware continue to evolve at a breakneck pace. At OnX, our security experts have their finger on the pulse of the industry. We have the know-how to secure your software supply chain and maximize your cyber defense efforts. Have questions about SBOMs or cybersecurity? Get in touch.