Do SBOMs Really Make a Difference?
We’re hearing more and more about the Software Bill of Materials (SBOM) as a vital tool for improving software security. With the federal government pushing the idea, there’s no doubt it will stay in the news. The key questions about SBOMs are whether they will really make a difference, and how.
What is an SBOM And Why is it Important for Security?
SBOMs, formal records that list the components used to build a piece of software and the supply chain relationships between them, have attracted a lot of attention, in large part because they appear among the requirements of the executive order on improving the nation’s cybersecurity that the White House issued in May 2021.
The requirement is that organizations provide purchasers of software products with an SBOM for each product directly or by publishing it on a public website. Software providers in many cases build products by assembling open source and commercial software components, and an SBOM enumerates these components.
The mandate, which directs the U.S. Department of Commerce and National Telecommunications and Information Administration (NTIA) to publish the “minimum elements” for an SBOM, is seen as a big step toward ensuring the security of software products.
SBOMs can be challenging to create and maintain, and after they are developed they need to be updated whenever changes are made to any application components. These can include code updates, vulnerability patches, new features, and other modifications, and they need to be tracked in real time for the SBOM to be effective.
Furthermore, everything in an SBOM, including every version number and license, should be auditable: the data must come from a reputable source and be verifiable by a third party. And there are still no clear standards for SBOMs.
Why SBOMs Are Now Critical for Software Security
Even considering the challenges outlined above, there is no question about the value of SBOMs in keeping software as secure as possible and in preventing the vulnerabilities that lead to damaging cyber attacks such as ransomware.
From the perspective of software development teams, an SBOM lets developers who rely on open source and third-party components confirm that those components are up to date and respond quickly when new vulnerabilities are disclosed. Fast access to these details is essential: identifying a vulnerable component early saves time and money later and avoids major revisions to products that have already shipped.
Companies or individuals who purchase software can use an SBOM to perform their own vulnerability analysis and evaluate the risk a given product presents. This granular visibility helps organizations understand what goes into the products they build or buy, and how that affects their security.
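The vulnerability analysis described above, as an added example that is not part of the original post: a purchaser (or the development team itself) takes the component list from an SBOM and checks each component against an advisory feed. The SBOM here is a constructed, minimal CycloneDX-style JSON document (CycloneDX is a real SBOM format and `components`, `name`, `version`, `purl` and `licenses` are its real field names), but the package names, versions and advisory identifiers are made up for illustration, as is the shape of the advisory records.

```python
"""Added example: match an SBOM's components against an advisory list.

The SBOM and the advisories below are constructed sample data; the
package names, versions and ADV-EXAMPLE-* identifiers are not real.
"""
import json

# Constructed CycloneDX-style SBOM (real field names, made-up components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:pypi/example-http@2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-yaml", "version": "5.1.0",
     "purl": "pkg:pypi/example-yaml@5.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-crypto", "version": "1.0.9",
     "purl": "pkg:pypi/example-crypto@1.0.9"}
  ]
}
"""

# Constructed advisory feed: each entry names a package (purl without the
# version) and the affected range: introduced (inclusive) up to fixed
# (exclusive). fixed = None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/example-yaml",
     "introduced": "5.0.0", "fixed": "5.1.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:pypi/example-http",
     "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:pypi/example-crypto",
     "introduced": "1.0.0", "fixed": None},
]


def parse_version(v):
    """Turn a dotted numeric version such as '5.1.0' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


def purl_without_version(purl):
    """'pkg:pypi/example-yaml@5.1.0' -> 'pkg:pypi/example-yaml'."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True if version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id) for every affected component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no package identifier, so nothing to match on
        pkg = purl_without_version(purl)
        for adv in advisories:
            if adv["package"] == pkg and is_affected(comp["version"], adv):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


def components_missing_license(sbom_json):
    """Names of components whose SBOM entry carries no license data."""
    sbom = json.loads(sbom_json)
    return [c["name"] for c in sbom.get("components", [])
            if not c.get("licenses")]


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
    print("components without license data:",
          components_missing_license(SBOM_JSON))
```

Matching on the package URL rather than on the free-text name is what makes the check reliable across ecosystems, and the same loop re-run against a fresh advisory feed is how a static SBOM still supports the "respond to new vulnerabilities" use the post describes. The license check covers the auditability point made earlier: a component with no license data is a gap a purchaser would want flagged.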
The Commerce Department has stated that an SBOM provides those organizations that produce, purchase, and operate software with information that improves their understanding of the supply chain, which in turn provides multiple benefits including the potential to track known and newly emerging vulnerabilities and risks.
And the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the part of the Department of Homeland Security that leads national efforts to understand, manage, and reduce risk to cyber and physical infrastructure, has noted that the SBOM has emerged as a major building block in software security and software supply chain risk management.
SBOMs that can be shared without friction between teams and companies are a core software management best practice for critical industries and digital infrastructure.
Further, today’s SBOMs are static documents that do not automatically incorporate updates; the SBOMs of the future will be dynamic. They will eventually become a requirement, especially in organizations that create and update software products regularly.
Future SBOMs will also be integrated into a product’s security lifecycle and be produced automatically at predefined stages. They will also be interoperable, which will lead to greater adoption.