Getting Started with SBOMs: The Basics

If you feel like you’ve been hearing more about software bills of materials (SBOMs) recently, you’re not imagining it. Software supply chain attacks have grown by over 700% since 2019 and, after a number of high-profile security incidents in the last few years, there’s a rising interest in SBOMs and the role they can play in keeping companies safe from cybersecurity-related threats. 

What exactly are SBOMs, and why do they matter?

An SBOM is a comprehensive inventory of a software project’s dependencies and associated information (such as license and version information). Put more simply: think of SBOMs as a list of ingredients that spell out the components inside a given application.

The benefit of having an SBOM is that it gives companies visibility into the software they’re purchasing — which, in turn, reduces supply chain risk by making it easier to manage, identify and respond to potential vulnerabilities. This is why some organizations, especially at the enterprise level, choose to introduce SBOM programs as a way to strengthen their security measures. 


Three use cases for SBOM programs

All of this may sound hand-wavy in the abstract, but there are immediate, high-impact use cases for establishing an SBOM program. 

1. Incident response

In December 2021, a bug was identified in Log4j, a logging library used by a wide range of applications and services — from well-known consumer apps to massive enterprise platforms. Vulnerabilities are exposed every year, but what made this incident especially alarming was that Log4j is a popular open-source library, which means it was being used in a lot of places by a lot of software vendors and, as a result, it was challenging for companies downstream to quickly determine their own exposure.

Many enterprises will generate an inventory of individual software components using composition analysis tools. The problem: these organizations will rarely know all the upstream dependencies of each software component, especially those from third-party vendors. This is less of a problem if you work with only a handful of software vendors. But it’s a huge problem if, like most enterprises, you work with hundreds and a bug like Log4Shell is identified. 

What ended up being months of hair-on-fire phone calls to vendors, emails to engineers, urgent board meetings, and numerous Excel spreadsheets could have been mitigated — or even prevented — by an SBOM program. Given that, as of 2023, 96% of apps include some kind of open source software component, these types of vulnerabilities will only continue to be a major threat that companies need to anticipate.
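To make the incident-response case concrete, here is an added example (not from the original article) that searches a set of vendor SBOMs for log4j-core and reports the dependency chain that pulls it in. It assumes CycloneDX JSON field names; the products, versions and helper names are constructed for illustration, and whether a reported version is affected is decided against the advisory.

```python
from collections import deque

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"  # package URL without version

def _c(ref, name, version, purl=""):  # hypothetical helper: builds a sample component
    return {"bom-ref": ref, "name": name, "version": version, "purl": purl}

# Constructed sample SBOMs (CycloneDX field names) for two hypothetical vendor products.
VENDOR_SBOMS = [
    {"metadata": {"component": _c("app", "billing-portal", "4.2.0")},
     "components": [
         _c("c1", "report-engine", "1.8.0", "pkg:maven/com.example/report-engine@1.8.0"),
         _c("c2", "log4j-core", "2.14.1", LOG4J + "@2.14.1")],
     "dependencies": [{"ref": "app", "dependsOn": ["c1"]},
                      {"ref": "c1", "dependsOn": ["c2"]}]},
    {"metadata": {"component": _c("app", "badge-reader", "1.0.3")},
     "components": [_c("c1", "slf4j-api", "1.7.36", "pkg:maven/org.slf4j/slf4j-api@1.7.36")],
     "dependencies": [{"ref": "app", "dependsOn": ["c1"]}]},
]

def find_component(sbom, package):
    """Return (version, path) for each component whose purl, minus version, equals
    `package`; path is the shortest dependency chain from the product down to it."""
    root = sbom.get("metadata", {}).get("component", {})
    comps = {c["bom-ref"]: c for c in [root, *sbom.get("components", [])] if "bom-ref" in c}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    parent, queue = {root.get("bom-ref"): None}, deque([root.get("bom-ref")])
    while queue:  # breadth-first walk records how each component is first reached
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in parent:
                parent[child] = ref
                queue.append(child)
    hits = []
    for ref, comp in comps.items():
        if comp.get("purl", "").split("@", 1)[0] != package:
            continue
        path, node = [], ref if ref in parent else None
        while node is not None:
            path.append(comps.get(node, {}).get("name", node))
            node = parent[node]
        # Dependency graphs are often incomplete: keep the hit even without a path.
        hits.append((comp.get("version", "unknown"), path[::-1] or ["?", comp.get("name", ref)]))
    return hits

def exposure_report(sboms, package):
    """Map product name -> hits, omitting products whose SBOM has no match."""
    found = ((s["metadata"]["component"]["name"], find_component(s, package)) for s in sboms)
    return {name: hits for name, hits in found if hits}

print(exposure_report(VENDOR_SBOMS, LOG4J))
```

The transitive hit is the point: billing-portal never lists log4j-core as a direct dependency, yet the SBOM shows it arriving through report-engine.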

2. SBOMs for third-party risk management

Most enterprises have a process for bringing on third-party software vendors. If you’re a healthcare company, for example, you might have a due diligence questionnaire that asks questions like, “Do you do background checks on your developers?” “Have you been FedRAMP certified?” “Do you have a SOC2 certification?”

While these are essential things to know, they don’t answer the fundamental question of what's inside the software you're about to deploy into your environment. Even though the industry is starting to see a growing call for vendors to disclose what's inside their software, it’s not a widespread practice yet. Having an SBOM program in place, where you establish a protocol for eliciting the right information from vendors, can help you manage that third-party risk. 

3. SBOM compliance

As the idea of SBOMs gains more traction, there's an increasing number of regulatory requirements both in the United States and abroad. For instance: 

  • In May 2021, Executive Order 14028 was signed, which said that software vendors would eventually be required to provide SBOMs to any government agency they wanted to sell to. 

  • In September 2022, the EU proposed the Cyber Resilience Act, which is slated for passage in spring 2024 and is going to require EU-based companies to start generating and collecting SBOMs.

  • In December 2022, the FDA came out with a regulation that says they won’t approve any new software-enabled medical devices, unless the pre-market submission is accompanied by an SBOM.

  • Earlier in 2023, the EU cybersecurity rules that were introduced in 2016 were updated by the NIS2 Directive, which adds more rigor to supply chain security, compliance, reporting and risk management — all issues that relate directly to SBOMs. 

The problem with these regulations is that there's so much competing legislation that the question of compliance becomes convoluted. For instance, if you have a multinational company based in Columbus, Ohio but have a regional office in Northern Italy, are you subject to EU regulations?

Not knowing how to answer questions like these can cause a lot of problems — from blocking your company on the sales side if you don’t have the proof of security your customers want to see to leaving your organization susceptible to cybersecurity threats. A well-run SBOM program, especially in tandem with a management platform, can help you prepare for or directly provide the artifacts you need to demonstrate compliance. 

As evidenced by the last few years, SBOMs will only continue to be the subject of increased regulation, discussion and attention. If you don’t already have an SBOM program in place, now may be the time to start thinking about those next steps. 
