Why the EO on Improving the Nation’s Cybersecurity calls out a software Bill of Materials
A software Bill of Materials (SBOM) is a list of all the open-source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks.
The concept of a software Bill of Materials derives from manufacturing, where a Bill of Materials is an inventory detailing all the items included in a product. In the automotive industry, for example, manufacturers maintain a detailed Bill of Materials for each vehicle. This BOM lists the parts built by the original equipment manufacturer itself and the parts from third-party suppliers. When a defective part is discovered, the auto manufacturer knows precisely which vehicles are affected and can notify vehicle owners of the need for repair or replacement.
Similarly, smart organizations that build software maintain an accurate, up-to-date software Bill of Materials that includes an inventory of third-party and open-source components to ensure their code is high-quality, compliant, and secure.
Turning Towards Cybersecurity
As software bills of materials gain traction in the federal government, state, local and tribal agencies are likely to also begin using them, an expert said.
The Executive Order on Improving the Nation’s Cybersecurity calls out SBOMs, explaining their usefulness for software developers and manufacturers, buyers, and operators. “An SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities,” the order states. “Buyers can use an SBOM to perform vulnerability or license analysis and those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.”
The biggest value comes when SBOMs are stored collectively in a repository that many applications and systems can query, the order adds.
Currently, organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures (CVEs), but without an SBOM they have no reliable way to identify the components of a software package, and so cannot tell which CVEs actually apply to it. SBOMs would provide a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.
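The two uses described above (checking components against vulnerability data, and checking their licenses) can be automated once an SBOM exists. The following is an added example, not code from the article or from any SBOM tool: it reads a constructed CycloneDX-style SBOM, cross-references each component against a constructed advisory feed with placeholder ids (OSV-style introduced/fixed version ranges, not real CVE data), and flags licenses that a hypothetical policy denies.

```python
import json

# Constructed CycloneDX-style SBOM for an imaginary service; not a real product's inventory.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "log4j-core", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "jackson-databind", "version": "2.13.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "some-gpl-lib", "version": "1.0.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory feed: placeholder ids and OSV-like introduced/fixed ranges, not real CVE data.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-2", "package": "jackson-databind", "introduced": "2.0.0", "fixed": "2.13.0"},
]
DENIED_LICENSES = {"GPL-3.0-only"}  # licenses a hypothetical organizational policy does not allow

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); only dotted numeric versions are handled in this example."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json):
    """Yield (name, version, license ids) for each component listed in the SBOM."""
    for c in json.loads(sbom_json).get("components", []):
        ids = [entry["license"].get("id", "unknown") for entry in c.get("licenses", [])]
        yield c["name"], c["version"], ids

def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed, i.e. the component still lacks the patch."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_risks(sbom_json, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Cross-reference every SBOM component against the advisory feed and the license policy."""
    findings = []
    for name, version, licenses in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"]))
        for lic in licenses:
            if lic in denied:
                findings.append((name, version, "license:" + lic))
    return sorted(findings)

if __name__ == "__main__":
    for name, version, reason in find_risks(SBOM_JSON):
        print(f"{name} {version}: {reason}")
```

Only the component that is inside an advisory's affected range and the component with a denied license are reported; the patched component is silent.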
Why do Organizations Need a Software Bill of Materials?
In 2021 there were several high-profile security breaches, including Codecov, Kaseya, and most recently Apache Log4j. These types of supply chain attacks prompted President Biden to issue a cybersecurity executive order (EO) detailing guidelines for how federal departments, agencies, and contractors doing business with the government must secure their software. Among the recommendations was a requirement for SBOMs, to ensure the safety and integrity of software applications used by the federal government.
Although the EO is directed toward organizations doing business with the government, these guidelines, including SBOMs, are likely to become a de facto baseline for how all organizations build, test, secure, and operate their software applications.
Any organization that builds software needs to maintain an SBOM for their codebases. Organizations typically use a mix of custom-built code, commercial off-the-shelf code, and open source components to create software. As one principal architect of a leading software supply chain provider noted, “We have over a hundred products, with each of those products having hundreds to thousands of different third-party and open source components.” A software Bill of Materials allows organizations to track all the components in their codebases.