by Jing Chen, Jesse Ku | 22 October 2024
SBOM stands for “Software Bill of Materials”. An SBOM is an important tool for software security and for managing risk within the software supply chain. It lists the components and dependencies of a software package, including open-source and third-party components, so that developers can better understand and manage what they build and ship (cisa.gov, 2024; L, 2024).
With modern software relying on numerous third-party components, it is crucial for companies to know exactly what is inside their software. That knowledge underpins security and compliance, effective vulnerability management and a quick response to threats.
Here are the uses of SBOMs:
[Figure: DevSecOps Workflow (Gittlen, 2024)]
Maintaining an accurate and up-to-date SBOM, especially in fast-paced development environments, can be challenging. Large software projects may include hundreds of dependencies, making it difficult to manage all the information within an SBOM. SBOMs can be created and managed in the following ways:
The Ortelius project is building a console that lets users identify vulnerabilities in their software systems and gives better visibility into the components, such as libraries and microservices, used within an organisation. It can consume any SPDX- or CycloneDX-formatted SBOM and helps generate and manage an SBOM in several ways:
[Figure: Sample SBOM Working Report]
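To make concrete what "consuming any SPDX or CycloneDX formatted SBOM" and "listing the components and dependencies" mean in practice, here is an added example (our own code, not part of the Ortelius project or of either specification). It reads a CycloneDX JSON document and an SPDX JSON document, normalises both into one component inventory, merges them, and matches the inventory against an advisory feed. Every SBOM, package name, version and advisory below is constructed sample data with placeholder identifiers; the field names read (`components`, `purl`, `packages`, `versionInfo`, `externalRefs`) are the ones those formats use, but only the handful needed here.

```python
"""Added example: normalise CycloneDX and SPDX JSON SBOMs into one inventory and
match it against a constructed advisory feed. Not Ortelius code; all data is made up."""
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]  # package URL, when the SBOM carries one

# Constructed CycloneDX 1.5-style document (only the fields this example reads).
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "1.2.0",
         "purl": "pkg:pypi/acme-http@1.2.0"},
        {"type": "library", "name": "widget-parser", "version": "3.0.1",
         "purl": "pkg:npm/widget-parser@3.0.1"},
    ],
})

# Constructed SPDX 2.3-style document in its JSON form; purl lives in externalRefs.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "json-tools", "versionInfo": "0.9.5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/json-tools@0.9.5"}]},
        {"name": "widget-parser", "versionInfo": "3.0.1"},  # also in the CycloneDX file
    ],
})

# Constructed advisories with placeholder IDs: affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acme-http", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "widget-parser", "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "json-tools", "introduced": "0.9.0", "fixed": None},
]

def _parse_version(v: str) -> tuple:
    """'1.4.2' -> ((0,1),(0,4),(0,2)); numeric parts order before non-numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def _from_cyclonedx(doc: dict) -> list:
    return [Component(c["name"], c.get("version", ""), c.get("purl"))
            for c in doc.get("components", [])]

def _from_spdx(doc: dict) -> list:
    out = []
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append(Component(p["name"], p.get("versionInfo", ""), purl))
    return out

def load_sbom(text: str) -> list:
    """Detect the SBOM format from its top-level keys and return Component objects."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return _from_cyclonedx(doc)
    if "spdxVersion" in doc:
        return _from_spdx(doc)
    raise ValueError("unrecognised SBOM format")

def merge_inventories(*inventories) -> list:
    """Union of components across SBOMs, de-duplicated on (name, version)."""
    seen, merged = set(), []
    for inv in inventories:
        for c in inv:
            if (c.name, c.version) not in seen:
                seen.add((c.name, c.version))
                merged.append(c)
    return sorted(merged, key=lambda c: (c.name, c.version))

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    v = _parse_version(version)
    return _parse_version(introduced) <= v and (fixed is None or v < _parse_version(fixed))

def find_affected(components: list, advisories: list) -> list:
    """Return (advisory id, name, version) for every component inside an affected range."""
    return [(adv["id"], c.name, c.version)
            for adv in advisories for c in components
            if c.name == adv["package"]
            and is_affected(c.version, adv["introduced"], adv.get("fixed"))]

if __name__ == "__main__":
    inventory = merge_inventories(load_sbom(CYCLONEDX_SBOM), load_sbom(SPDX_SBOM))
    for c in inventory:
        print(f"{c.name} {c.version} {c.purl or '(no purl)'}")
    for adv_id, name, version in find_affected(inventory, ADVISORIES):
        print(f"AFFECTED: {name} {version} -> {adv_id}")
```

The merge step is the part a console like the one described above has to get right: the same library often appears in several SBOMs (one per service), and a duplicate entry must not become a duplicate finding. Real deployments replace the constructed advisory list with a feed keyed on purl rather than bare package name, because the same name can exist in several ecosystems.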
Governments and regulatory bodies are increasingly mandating SBOMs as part of cybersecurity frameworks, especially in critical infrastructure sectors. U.S. Executive Order 14028 mandates SBOM use to secure the software supply chain (gsa.gov, 2021). The UK National Cyber Security Centre, the Australian Cyber Security Centre and the Canadian Communications Security Establishment have also published recommendations for SBOM implementation (Poireault, 2024). Adoption across industries is increasing as well: Gartner estimated a 20% increase in 2022 and expects over 60% of organisations to have adopted SBOMs by 2025 (Poireault, 2024). Developers and organisations should start implementing SBOMs in their software development processes now to stay ahead of security and compliance challenges.
cisa.gov (2024) Software Bill of Materials (SBOM). CISA. https://www.cisa.gov/sbom [Accessed: 22 October 2024].
Gittlen, S. (2024) The ultimate guide to SBOMs. GitLab. https://about.gitlab.com/blog/2022/10/25/the-ultimate-guide-to-sboms/.
gsa.gov (2021) Executive Order 14028: Improving the Nation’s Cybersecurity. 12 May 2021. U.S. General Services Administration. https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/information-technology-category/it-security/executive-order-14028 [Accessed: 23 October 2024].
L, H. (2024) SBOMs and the importance of inventory. 11 September 2024. UK National Cyber Security Centre. https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory [Accessed: 22 October 2024].
Poireault, K. (2024) How Organisations Can Leverage SBOMs to Improve Software Security. 14 March 2024. Infosecurity Europe. https://www.infosecurityeurope.com/en-gb/blog/regulation-and-policy/how-sboms-improve-software-security.html [Accessed: 23 October 2024].