Why You Should Rethink Your Software Bill of Materials (SBOM)

Effective management of a software bill of materials (SBOM) has always been important from a cybersecurity and compliance standpoint. The May 2021 executive order on SBOMs and recent House action on the DHS Software Supply Chain Risk Management Act of 2021 has made these management practices even more crucial.

This is why the software industry needs to rethink its approach to SBOMs — and how new management strategies could unlock significant benefits for developers.

What Is a Software Bill of Materials?

Software bills of materials clearly outline the system components of a piece of software, as well as relevant metadata about those components. They effectively provide a “list of ingredients” that shows the software's existing code and the technology it needs to run.

The typical SBOM may include information on open source dependencies, plug-ins, extensions, add-ons, and custom source code. It may also feature version information, licensing data, and details about the software’s current patch status.

Certain standards specify what information must be present in an SBOM. The new executive order on bills of materials requires SBOMs to include:

• A formal list of supply chain dependencies
• Details about open source and commercial software used during development 
• A machine-readable format to enable automation and tool integration

The de-facto industry standard for SBOMs is the Software Package Data Exchange (SPDX) standard. After being rubber-stamped by the ISO in September 2021, many developers now consider it the “official” standard for SBOMs. At the very least, it provides a common, readily understood development framework. 

Why Are SBOMs Necessary Right Now?

Many organizations, like the National Telecommunications and Information Administration (NTIA), are increasingly interested in defining what counts as an SBOM. They are encouraging the development of SBOM processes. 

New laws and government regulations are also pushing developers to reconsider the role of SBOMs. For example, a 2021 executive order mandates SBOMs from developers providing software to the federal government. In addition, the Department of Homeland Security (DHS) Software Supply Chain Risk Management Act of 2021 requires DHS software contractors to certify their products are free of known vulnerabilities and security defects.

SBOMs are also becoming increasingly important for regulatory compliance in many indirect ways. Providing an SBOM to end-users or buyers lets developers demonstrate that their software complies with industry regulations on data protection and user privacy. 

Modern computing environments are also increasingly complex, making knowledge of software components more important and sometimes difficult to obtain. Cloud-first IT strategies are vital for businesses that want to take advantage of cloud resources. 

Depending on the cloud can also introduce new vulnerabilities and require the deployment of cloud-ready software. An SBOM shows end-users how it is constructed, allowing them to better prepare their workload security and mitigate potential threats.

Why Security and SBOMs Work Together

Traditionally, many developers have avoided creating in-depth SBOMs — or creating an SBOM altogether — due to fears that hackers may exploit included information. Security through obscurity, however, is increasingly untenable as a cybersecurity strategy. 

Hackers often already know the information an SBOM provides. Keeping that data a secret is more likely to harm organizations that rely on the software than slow hackers attempting to exploit vulnerabilities.

The average codebase can contain hundreds of open-source software components. Without insight into those components, end-users may not have the information they need to protect themselves. 

Insight into software components can also help streamline risk assessment. A list of dependencies and features enables the user to more effectively respond as new exploits and vulnerabilities are discovered.

An SBOM can also help streamline governance. Compliance with software licenses is much easier when you have a full picture of what you must comply with.

How Software Bill of Materials Supports Secure Development

SBOMs are more important than ever — and a changing regulatory and legal environment may mean they could be necessary for some developers. 

An effective bill of materials can offer security and compliance advantages for end-users. While developing an SBOM takes time, resources, and new workflows, the potential benefits typically make this process worth the cost.