Why an SBOM is Essential for Software Compliance

A software bill of materials (SBOM) can be a powerful tool for enhancing security through improved vulnerability management. It can also help organizations meet their software licensing compliance requirements—no small consideration given how much software a typical organization uses.

License management “was an early use case for SBOM, helping organizations with large and complex software portfolios track the licenses and terms of their diverse software components, especially for open source software,” said the U.S. Department of Commerce in its report on the minimum elements for an  SDOM.

“SBOMs can convey data about the licenses for each component,” the report said. “This data can also allow the user or purchaser to know if the software can be used as a component of another application without creating legal risk.”

An SBOM is useful to organizations that produce, purchase and operate software, the department said. It allows an understanding of the software ecosystem and provides benefits across multiple use cases and users. Among these are the use of SBOMs for inventory, vulnerability and license management.

SBOM programs “help organizations manage their third-party software and OSS [open source software] licenses, which can be quite complex and change over time,” said business consulting firm McKinsey & Co. “This ensures developers are consistently able to determine the permissible use cases for OSS and third-party software, ultimately protecting organizations from financial risk stemming from inappropriate or unauthorized use of third-party software. It also helps compliance teams respond to license claims or audits.”

Most organizations use applications made up of different subcomponents and pieces, the firm said, some taken from OSS libraries, others purchased from third parties and some created and customized by developers. “Each source has different limitations associated with it,” McKinsey said. “For example, OSS and third-party software have licenses that change over time or may have usage limitations. A typical SBOM system surveys, identifies and characterizes these coding elements.”

The Case for Ensuring Your SBOM Enhances Compliance

Failing to comply with software licensing agreements can result in costly fines for unlicensed software. This makes for a strong financial incentive to be in compliance.

It’s relatively easy for an organization to obtain unlicensed software, according to UpCounsel, a legal platform that operates a network of independent lawyers. Many employees unknowingly use unlicensed software and some don’t realize it’s illegal to use and copy software that the company hasn’t licensed, the company said.

Violating license agreements can result in liability for organizations, their officers and directors, UpCounsel said. Using unlicensed software places organizations using it at financial risk, and the copyright owners might choose to seek personal liability against company officers and directors when it becomes clear they knew about or encouraged using unlicensed software, it says.

Security and risk management leaders need to get up to speed on what SBOMs can deliver, not only in terms of managing software vulnerabilities but also in ensuring that their organizations compliant with all licenses.

Want to learn more about licensing compliance? Check out our series on software-related risks. Read Where is Your Risk? Software License Compliance and Other Non-Vulnerability Risk.