What Is an SBOM, and How Does It Impact Software Supply Chains?

by Jessica Elliott
What Is an SBOM, and How Does It Impact Software Supply Chains?

The software component supply chain is complex and increasingly relies on third-party code. As a result, vulnerabilities transfer to applications developed by others. However, users aren’t always aware of the elements that make up their software. So when a seemingly unrelated data breach makes news, they may not know it affects them.

A software bill of materials (SBOM) pulls back the curtain. It details each part of your application, including where packages came from (and what version you have) and how it relates to other packages, libraries and projects. SBOMs are quickly becoming essential to cybersecurity programs and a must-have for federally-contracted software vendors. Learn how SBOMs work to understand potential business use cases and benefits.

What Is a Software Bill of Materials?

Consider SBOMs as an advanced ingredient list. They’re structured inventories of software components and their relationships within the supply chain, including patch status, versions and licenses. Basic use cases include vulnerability management, licenses and software inventory. According to the Cybersecurity and Infrastructure Security Agency (CISA), an SBOM “has emerged as a key building block in software security and software supply chain risk management.”

An SBOM lists software dependencies and components, such as:

  • Proprietary code
  • Software libraries
  • Application programming interfaces (APIs)
  • Open-source software projects
  • Programming language frameworks

In manufacturing industries and, more recently, health care, bills of materials (BOMs) are standard. However, the major push toward a software bill of materials standard occurred after the high-profile SolarWinds and Apache Log4j incidents, which affected government security and operations. In May 2021, President Biden issued an executive order for improving cybersecurity, including timelines for enhancing software supply chain security.

SBOM Standards

The Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), published the minimum elements and requirements for SBOMs in July 2021. Any software vendor wanting to sell to the U.S. federal government must submit a software bill of materials or publish it on a public website. While SBOM standards only apply to government contractors, transparency is a value-add in the vendor-customer relationship.

All bills of materials for software must include the following data fields:

  • Supplier
  • Component name
  • Version of the component
  • Other unique identifiers
  • Dependency relationship
  • Author of SBOM data
  • Time stamp

In addition, SBOMs must support automation and be machine-readable, with three formats accepted: software package data exchange (SPDX), software identification (SWID) tags and CycloneDX. Vendors should generate a new SBOM for different software versions. And lastly, the document outlines the practices and processes for vendor policies.

Advantages of SBOM for Businesses

The bottom line is that an application is only as secure as its weakest element. A software bill of materials helps users and developers understand the components affecting security. Indeed, the Open Source Security and Risk Analysis (OSSRA) report states that “97% of commercial code contains open source” code. Yet, in its review of code samples in 2022, “81% contained at least one vulnerability.”

And for vendors looking to build trust with customers in a zero-trust world, the transparency of a software bill of materials increases buyer confidence. Additionally, as seen with the Apache Log4j incident, the Federal Trade Commission (FTC) is willing “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Therefore, providing and securing SBOMs is critical to risk management and cyber resilience.

The benefits of SBOMs include:

  • Regulatory compliance
  • Improved software compatibility
  • Reduced attack vectors
  • Additional customer protections
  • Corporate licensing management requirements

Achieve Transparency by Following SBOM Guidelines

Providing visibility through SBOMs is more than a mandated practice for vendors with government contracts. It’s a best practice for security and compliance teams, developers and business buyers looking to improve security. Learn more about SBOM tools and examples by contacting The Migus Group.

Jessica Elliott is a business technology writer specializing in cloud-hosted and cybersecurity services. Her work appears in U.S. News, Business.com and Investopedia.