Software bill of materials for dummies
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components: in practice, a list of all the open source and third-party components present in a codebase.
It is similar to reading the list of ingredients when you buy a food product. That list names each ingredient and its quantity, which is useful if someone is allergic to one of them. Most of the time the list is completely accurate, because the producer is otherwise liable to fines. Some security professionals have even suggested just referring to an SBOM as a “software ingredient list”.
Another example of a bill of materials is the automotive industry. The parts for any car come from various companies, since a single car company cannot build every part itself. The automotive BOM (bill of materials) records where each of those parts came from, detailing every component that makes your car run. Suppose a particular batch of parts, for example batteries, has been recalled by the company that produced them. In that case, the car manufacturer can refer to the BOM to find out quickly which cars that batch of batteries ended up in, so that it can take action on the affected vehicles.
Now relate this to the software industry, where no single software company writes everything itself: they use open source, external tools and so on. An SBOM-style list is therefore very useful to security teams in prioritizing remediation based on the presence of a vulnerable vendor, version or package. Another benefit is to the product development team’s developers: it helps them manage dependencies, identify security issues early, and ensure that they are using approved code and sources. When a third-party library has a known vulnerability and you have an SBOM, you can quickly figure out whether your software is affected. I hope these examples helped illustrate its importance.
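The “is my software affected?” check described above, written out as an added example (not code from the original post): a small CycloneDX-style SBOM is matched against an advisory feed on package name, ecosystem and version. The SBOM, the package names and the advisory ids are all constructed placeholders, and the version comparison handles only dotted integers.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical service (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.3.0", "purl": "pkg:npm/examplelib@1.3.0"},
    {"type": "library", "name": "examplelib", "version": "1.10.0", "purl": "pkg:npm/examplelib@1.10.0"},
    {"type": "library", "name": "widget-parser", "version": "2.9.1", "purl": "pkg:pypi/widget-parser@2.9.1"},
    {"type": "library", "name": "widget-parser", "version": "1.0.0", "purl": "pkg:npm/widget-parser@1.0.0"}
  ]
}
"""

# Constructed advisory feed with placeholder ids and hypothetical packages.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "name": "examplelib", "fixed_in": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "pypi", "name": "widget-parser", "fixed_in": "3.0.0"},
]


def parse_version(version):
    """'1.10.0' -> (1, 10, 0). Tuples compare numerically, avoiding the
    string-order trap where "1.10.0" < "1.4.2". Real ecosystems (semver
    pre-releases, Debian epochs) need their own comparator; this handles dotted ints."""
    return tuple(int(part) for part in version.split("."))


def ecosystem_of(purl):
    """Package URL 'pkg:npm/examplelib@1.3.0' -> 'npm'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def affected_components(sbom_json, advisories):
    """Return (advisory id, purl) for each SBOM component an advisory covers.
    Name AND ecosystem must match: the same name in two registries is two packages."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] != adv["name"] or ecosystem_of(comp["purl"]) != adv["ecosystem"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], comp["purl"]))
    return hits


if __name__ == "__main__":
    for adv_id, purl in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} needs remediation")
```

Only examplelib 1.3.0 and the PyPI widget-parser are reported: 1.10.0 is already past the fix, and the npm widget-parser is a different package that merely shares a name.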
With the increasing use of third-party open-source libraries to build containerized, distributed applications, it is more and more challenging to know exactly what parts are in your software. That is why SBOMs are becoming more and more popular. Every time a new vulnerability appears in the landscape, we usually need to spend a lot of time and effort to determine its real impact on the applications and services running in our environments. Without an SBOM, a piece of software is a black box with respect to the packages and libraries that make it up. SBOMs were also among the tools for securing software supply chains named in Executive Order 14028, issued by the Biden Administration in May 2021, which mandated a new baseline of security standards for software used by the US federal government.