William Penfield
Until the 60s, most Americans prepared most of their meals at home. The appetite for pre-packaged food rose in that decade, and the shift in consumer demand resulted in public demand for more detailed product information for nutritional and food safety reasons. This resulted in the USDA mandating that a list of ingredients be placed on all products in 1966. Analogously, the widespread adoption of open source and third-party software in modern applications has precipitated the need for detailed information about the individual components, or ‘ingredients’ of these applications, to ensure more transparency and better security. Enter the Software Bill of Material (SBOM) – the ingredient label for applications.
Part one of our two part series will provide an overview of SBOMs and why you need them.
SBOM Overview
Modern software is incredibly complex – a mixture of custom code and open source components, with the latter making it challenging to accurately assess your software security because of the multiple layers of dependencies they sometimes introduce. The average commercial software codebase utilizes almost 600 open-source components*, and this complexity obscures the pathways through which cyber threats can propagate.
An SBOM is a comprehensive inventory that lists the details and relationships that make up a piece of software, including open-source and third-party components, their licenses and versions, and the dependencies they hold. These dependencies include both direct dependencies as well as indirect dependencies. SBOMs help you to understand what’s included within your software environment, providing visibility into the software components and their origins.
The critical components of an SBOM include detailed listings of all the software parts, libraries, packages, and modules in your application, along with their corresponding version numbers, licenses, and other relevant metadata. This may also include information about the dependencies between these components, patches applied, and known vulnerabilities or associated security advisories.
Dependencies include both direct dependencies and indirect dependencies. Direct dependencies are those that you explicitly specify and include in your applications, whereas indirect dependencies (also known as transitive dependencies) are those that your direct dependencies rely on. Because of the complex web of connections resulting from the latter, SBOMs help you understand what’s running within your software environment, even if you don’t specify something explicitly.
This detailed listing of all the components in your application provides a clear view of what’s in your applications and enables developers, security professionals, and compliance officers to identify potential security vulnerabilities and license compliance issues more efficiently. By providing a clear map of software components, SBOMs enable proactive risk assessment and vulnerability management and also help simplify compliance with regulatory standards.
SBOMs offer a transparent insight into software components, enabling security teams to proactively manage risks by quickly identifying and mitigating vulnerabilities. Beyond enhancing transparency, they serve as the foundational element for securing software supply chains and protecting against risk. It is the first step in ensuring end-to-end software supply chain security and is one of the outputs in the OX Active ASPM platform via our PBOM.
Government Mandates Around SBOM
SBOMs can significantly simplify compliance efforts, too. Global regulatory frameworks are shifting their focus to software security and supply chain integrity in response to an increasing number and cost of breaches. They also help simplify the monumental task of adhering to these mandates by providing a a clear, structured, comprehensive record of software components that can be critical for demonstrating compliance with these standards and regulations.
The United States government recognized the SBOM as the pivotal tool for enhancing transparency and security within the software supply chain by mandating the development, sharing, and utilization of SBOMs across federal agencies and their software suppliers. This decree was communicated through the “Executive Order on Improving the Nation’s Cybersecurity”, which was issued on 12 May 2021. It reflects the federal government’s conviction that SBOMs are crucial for identifying, assessing, and mitigating vulnerabilities and for fortifying the software supply chain against potential threats. This conviction was solidified by a memorandum issued by the Office of Management and Budget on 14 Sep. 2022, which allowed federal agencies to request an SBOM from their suppliers.
The European Union is not too far behind when it comes to specifying SBOM requirements. The EU Cyber Resilience Act (CRA), proposed on September 15, 2022, is the first EU-wide legislation that addresses security requirements for software and hardware companies that have products that connect to the internet. In marked contrast to the U.S. Executive Order, the CRA is applicable to all vendors who sell their products in the EU, not just those that sell to federal agencies. While the CRA has not been passed yet, the sections of the CRA that pertain to SBOMs indicate that companies will be required to gather information about the software components they use, including vulnerability data.
Maximizing SBOM Benefits
Beyond just meeting legal requirements, many other benefits accompany compliance with SBOM mandates. Besides augmenting security measures, SBOMs help to enhance trust and confidence among your clients and partners by signaling your commitment to cybersecurity best practices. Additionally, SBOMs can help streamline software development and procurement processes, reduce the costs associated with vulnerability management, and improve overall operational efficiency. Companies that proactively integrate SBOMs into their cybersecurity frameworks are better poised to handle the complexities of a fully digital age, ensuring sustainable growth and competitiveness.
SBOMs have the potential to improve security through the following avenues:
- Improved patch management
- Proactive vulnerability detection and management
- Integrations
Patch management is crucial for neutering security vulnerabilities, but it’s frequently hampered by a lack of visibility into the specific software components used in applications, and their versions. With the SBOM, organizations gain precise insights into the components that make up their software applications, including third-party and open-source elements. This clarity enables security teams to quickly identify the parts of their software that are affected by a newly discovered vulnerability and efficiently apply patches or updates. By facilitating focused, timely patching, SBOMs not only streamline the patch management process but also drastically reduce your potential attack surface.
SBOMs empower organizations to take a proactive stance towards vulnerability management, instead of merely reacting to security breaches after they occur. The detailed information provided by SBOMs allow companies to scan for known vulnerabilities across their software inventory in advance of an attack. This means that potential security threats can be identified and mitigated before they are exploited.
Integrating SBOMs with vulnerability databases and threat intelligence feeds enhances your ability to prioritize vulnerabilities based on their severity, the criticality of the affected software, and the likelihood of attack, ensuring that your scant resources are deployed more efficiently. SBOMs can also be easily incorporated into Continuous Integration/Continuous Deployment (CI/CD) pipelines, security information and event management (SIEM) systems, and other cybersecurity frameworks. This integration facilitates the automation of security checks, compliance audits, and risk assessments, making these processes more efficient and less susceptible to human error.
SBOM Formats
There are three prominent SBOM formats, CycloneDX, SPDX and SWID. The table below outlines the differences among them.
| Feature | CycloneDX | SPDX | SWID |
| Original Use Case | Designed for application security and software supply chain component transparency | Developed primarily for open source license compliance and intellectual property use cases | Primarily aimed at software identification and asset management in enterprise environments |
| Complexity | Relatively simple and lightweight, making it easy to generate and consume | Can be complex due to its comprehensive nature, covering a wide range of details about software packages | Medium complexity, aimed at detailed tracking and management of installed software |
| Security Focus | High, with a strong emphasis on identifying and managing security vulnerabilities in components | Medium, with a focus on license compliance but includes security information | Low, primarily focused on inventory management rather than security vulnerabilities |
| Developer | OWASP Foundation (Open Worldwide Application Security Project ) | SPDX workgroup within the Linux Foundation | International Standards Organization (ISO) |
Securing the digital pantry
Just as food safety hinges on complete awareness of all ingredients, software security demands a thorough understanding of every component within your applications. The myriad of open-source and third-party components, along with their indirect dependencies, makes it challenging to ascertain the security of your applications confidently. An automated tool that generates a detailed Software Bill of Materials (SBOM), integrated with security tools, vulnerability databases, and threat intelligence feeds, significantly enhances software supply chain security.
Interested in learning more about choosing a platform for your SBOM’s read our second part about which factor to evaluate when choosing an SBOM tool or Book a demo with an expert who can walk you through OX for SBOM’s
