How Are SBOMs Shared? New Findings From A CISA SBOM Survey


In a post published earlier this week, we delved into the sharing lifecycle phases of a Software Bill of Materials (SBOM) from a report the Cybersecurity and Infrastructure Security Agency (CISA) recently released.

Included within the report was a survey on the current state of SBOM sharing among stakeholders, in which 21 organizations provided responses on their approaches. This included organizations that create platforms with a variety of SBOM discovery, access, transport, and storage functionality. There were three methods cited for sharing SBOMs:

  • The SBOM is provided directly to the receiver through email or similar informal communication mechanisms that are pre-determined by the SBOM supplier and downstream authors and end users;
  • The SBOM resides on the device or system executing the software described by the SBOM;
  • The SBOM resides in a repository available to software consumers.

Noting that this is not an exhaustive list of transfer mechanisms, the survey provides results from the first and third transport methods.

Approaches in the CISA SBOM Sharing Survey

The email/informal communication approach

For the first method, which uses email or similar informal communication mechanisms to share an SBOM, the survey found that the least sophisticated approach is a verbal conversation between a supplier and asset owner over whether the supplier’s asset is impacted by a particular vulnerability.

To understand whether the asset is impacted, the supplier must take the time to have a dialogue with the owner to understand which asset the owner possesses. This person-to-person communication is arguably the least-efficient method based on the amount of time both parties may expend in the process, the survey notes.

In addition to person-to-person communication, survey respondents are using email to transport SBOMs to those who send requests. Several of them view this approach mainly as a stop-gap measure while additional SBOM transport solutions are considered.

The SBOM resides in an accessible repository approach

Many survey participants said they rely on SBOM-sharing solutions that center around using either existing infrastructure or the infrastructure of a third party. Some respondent organizations post SBOMs on existing self-service support websites without requiring user registration. Others are using more sophisticated existing customer web-based service portals that require a login to access and transport technical information, such as SBOMs.

In some cases, respondents use remote file systems such as Dropbox or Amazon Simple Storage Service (S3) to leverage third-party infrastructure to transport SBOMs. They receive either a link sent in an email or login access information to directly access and transport SBOMs.

As SBOMs become more ubiquitous, cloud-based platforms have emerged that allow the storing of different artifacts and provide discovery, access, and transport features so users can share SBOMs. Many of these platforms provide additional higher-end services, such as risk intelligence on software/firmware packages and their associated SBOMs. Survey participants who use different cloud-based platforms noted different ways to discover and access SBOMs, including direct website links and the use of a web portal account.

As you can imagine, these cloud-based platforms offer a variety of different features, including customer subscriptions for automated access to data. Some use more sophisticated technologies, such as blockchain and/or distributed ledgers, to provide access to and transport SBOMs and other supply chain information.

Then there are platforms that allow an SBOM owner to use open-source software nodes to discover, access, and transport SBOMs stored on chosen data repositories with other appropriate parties.

How to Decide Which SBOM Sharing Approach to Take

The survey concludes that to drive the widespread sharing of SBOMs, automation and interoperability capabilities must be incorporated within the SBOM sharing lifecycle phases.

As one strategy, it suggests finding ways of lowering the costs associated with the more sophisticated platforms, which will depend on the business needs.

Further, the report observes that “the SBOM sharing ecosystem would benefit from a variety of sharing solutions created by parties seeking to meet stakeholders’ unique circumstances.”

Those solutions should address the circumstances, but also attempt to remove manual processes whenever possible and “steer away from practices that discourage interoperability.”

Given that development continues to create different SBOM-sharing approaches, the report recommends making interoperability between existing and future systems a priority. This will avoid the creation of a variety of SBOM-sharing offerings “that cannot cooperate in the larger supply chain.”

About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.
