The Software Bill of Materials Secures the Software Supply Chain

Software supply chain digital security is a hot topic, especially after cyberattacks on SolarWinds, Colonial Pipeline and Kaseya. These attacks have exposed the vulnerabilities and risks that exist in the software products and services that organizations rely on for their daily operations. How can organizations protect themselves from these threats and ensure the quality and integrity of software products? One possible approach is to adopt a software bill of materials (SBOM). 

An SBOM is like a list of ingredients for software. It shows what components make up a software product, where they come from, how they are related and what digital security issues they may have. An SBOM can include both proprietary and open-source components, as well as metadata such as version, license and patch status. An SBOM can also be represented in various file formats. Security defenders use the SBOM to identify known vulnerabilities. When an exploit is identified, every SBOM containing the element can be flagged. 

An SBOM can help organizations reduce software supply chain risks by helping them to: 

• Identify and remediate vulnerabilities. An SBOM can help organizations discover and fix security flaws in their software products before they are exploited by attackers. An SBOM can also help organizations respond faster and more effectively to security incidents by providing them with accurate and up-to-date information about the affected components and their dependencies. 
• Verify the integrity and provenance of software components. An SBOM can help organizations ensure that the software components they use are authentic, unmodified and sourced from trusted vendors. An SBOM can also help organizations detect and prevent unauthorized or malicious changes to their software products during development, delivery or deployment. 
• Manage compliance and licensing obligations. An SBOM can help organizations comply with legal and contractual requirements regarding the use of software components, especially open-source ones. An SBOM can also help organizations avoid potential conflicts or liabilities arising from incompatible or unclear licenses. 
• Improve transparency and accountability. An SBOM can help organizations communicate clearly and confidently with their customers, partners, regulators and auditors about the quality and security of their software products. An SBOM can also help organizations demonstrate their commitment to responsible and ethical software development practices. 

The SBOM concept is currently promoted via the U.S. government and several security software companies. Vendors and suppliers to government agencies are highly encouraged to support SBOM initiatives. Organizations supporting federal, state and local agencies are being scrutinized for their commitment to reduce cyber risk. But the concept of utilizing an SBOM to assess cyber risk in software is not exclusive to government applications. 

Who is responsible for creating the SBOM? This varies widely as different organizations have different processes and roles for software development and security. However, some possible roles that could be involved in creating and maintaining an SBOM could include software developers, software architects, software testers and software security analysts. Depending on the size and complexity of the organization, and the software product or service, some of these roles may be performed by the same person or team, or by different people or teams. Some organizations may also have dedicated roles or teams for creating and maintaining SBOMs. The important thing is that there is clear communication and collaboration among all the roles involved in creating an SBOM. 

Organizations exploring the value of SBOMs need time to educate their teams on how to maximize their potential. This includes learning how to gather version information from their software applications. Some organizations have identified challenges such as determining a common structure for the SBOM and how to make it readable to analyze the presence of a vulnerability. Similarly, software architecture and development are not always designed with security assessment in mind. Questions also exist about the use of low-code and no-code tools and whether the burden of risk lies within the software development tool chain or with the organization’s developers. 

However, the benefits of an SBOM outweigh the risks. An SBOM can help organizations proactively manage their software supply chain risks by providing visibility, control and accountability over their software products. An SBOM can also help organizations comply with the emerging standards and regulations that require or encourage the use of an SBOM. Ventana Research asserts that through 2026, less than 1 in 8 organizations will have taken steps to secure the software supply chain and reduce the risk of vulnerabilities from unauthorized or malicious changes. 

There is also value for software-as-a-service (SaaS) application vendors to build an SBOM. An SBOM for a SaaS application can help both the software vendor and the customer in several ways, such as improving security and trust, enhancing transparency and accountability, and facilitating interoperability and integration. Some SaaS application vendors have already built SBOMs for their products and offer guides to incorporate the data into customers’ SBOM management. 

The Biden administration’s cybersecurity executive order has recognized the importance of SBOMs and mandated development of minimum standards and guidelines for their implementation. The National Telecommunications and Information Administration (NTIA) has led a multi-stakeholder process to define and promote SBOM best practices across the software industry. 

SBOMs are a key building block that can support and enhance other security measures. As CIOs and CISOs, you have a critical role to play in adopting and promoting SBOMs in your organization. By implementing SBOMs in your software products and services, you can improve your digital security posture, reduce your risk exposure and increase your competitive advantage. You can also contribute to the broader effort to secure the software supply chain at an industry and national level. 

Regards,

Jeff Orr