
The Feds Are Not Giving Up on SBOMs

SBOMs, or Software Bills of Materials, are a way to tell customers what is in your software, much like the list of ingredients on a food label: a machine-readable inventory of the components (typically open-source and third-party libraries) that a product is built from.

The feds published an initial SBOM guideline in 2021 (the NTIA minimum elements, following the executive order on improving the nation's cybersecurity) and have kept working on it since then.

Opinions on SBOMs range from "publishing a component list makes it easier to attack a system" to "producing and maintaining one is hard to do." Both are true. The first objection is weaker than it sounds, though: an attacker can usually recover a product's dependencies from the shipped binaries anyway, while a defender without an SBOM is left guessing.

Large companies have joined the feds in demanding it. Nobody forces you to produce an SBOM, but you may not be able to sell your product to your target audience without one, so that is the tradeoff.

It also takes work on the buying side to digest the data in an SBOM. An SBOM must be provided in a particular machine-readable format, and someone has to ingest it, match the listed components against vulnerability feeds, and act on the results.

Now CISA has issued updated SBOM guidance. It is not a silver bullet, but it is a step in the right direction.

The new guidance requires SBOMs to include information such as a hash and license for each component, the name of the specific tool used to generate the SBOM, a timestamp, and other unique software identifiers (such as package URLs or CPEs), so that defenders can build a view of each component in their software supply chain and match it against known vulnerabilities.

CISA also requires SBOMs to be produced in a standard machine-readable format such as Software Package Data eXchange (SPDX) or CycloneDX. These are data formats rather than tools; most SBOM generators can emit either one.
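To make the consumer side concrete, here is an added example (not code from the original post, CISA, or Dark Reading) that parses a CycloneDX JSON SBOM and checks every component for the elements listed above: a well-formed hash, a license, an identifier, plus a timestamp and generating tool in the metadata. The SBOM it reads is constructed for the example (the tool name and the hash values are placeholders, not real digests), and its second component is deliberately incomplete so the check has something to report.

```python
"""Consumer-side sanity check of a CycloneDX JSON SBOM.

Example code only; it is not part of the original post and not CISA's
or Dark Reading's. It checks each component for the elements the post
lists (hash, license, identifier) and the document for a timestamp and
the name of the generating tool.
"""
import json
import re

# Expected hex length of the 'content' field for each CycloneDX 'alg' value.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def tool_names(metadata):
    """Return the names of the tools recorded in metadata.tools.

    CycloneDX 1.4 used a plain list of tool objects; 1.5 and later also
    allow an object with 'components' and 'services' lists. Accept both.
    """
    tools = metadata.get("tools", [])
    if isinstance(tools, dict):
        tools = tools.get("components", []) + tools.get("services", [])
    return [t.get("name") for t in tools if t.get("name")]


def check_component(comp):
    """Return a list of problems for one component (empty list means ok)."""
    problems = []
    label = f"{comp.get('name', '<unnamed>')}@{comp.get('version', '?')}"
    if not comp.get("name"):
        problems.append("component with no name")
    if not comp.get("version"):
        problems.append(f"{label}: missing version")
    if not (comp.get("purl") or comp.get("cpe")):
        problems.append(f"{label}: no purl or cpe identifier")
    hashes = comp.get("hashes") or []
    if not hashes:
        problems.append(f"{label}: no hash")
    for h in hashes:
        alg, content = h.get("alg"), h.get("content", "")
        want = HASH_HEX_LEN.get(alg)
        if want is None:
            problems.append(f"{label}: unsupported hash alg {alg!r}")
        elif len(content) != want or not HEX_RE.match(content):
            # Catches truncated or placeholder digests such as "deadbeef".
            problems.append(f"{label}: malformed {alg} hash")
    if not comp.get("licenses"):
        problems.append(f"{label}: no license")
    return problems


def check_sbom(doc):
    """Return all problems found in a parsed CycloneDX document."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")
    meta = doc.get("metadata", {})
    if not meta.get("timestamp"):
        problems.append("metadata: no timestamp")
    if not tool_names(meta):
        problems.append("metadata: no generating tool recorded")
    for comp in doc.get("components", []):
        problems.extend(check_component(comp))
    return problems


def check_sbom_json(text):
    """Parse JSON text and run the checks on it."""
    return check_sbom(json.loads(text))


# Constructed sample SBOM for this example. The tool name and the SHA-256
# value are placeholders, not real digests. The second component is
# deliberately incomplete: no identifier, placeholder hash, no license.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2024-05-01T12:00:00Z",
    "tools": {"components": [{"type": "application", "name": "example-sbom-tool", "version": "0.1"}]}
  },
  "components": [
    {
      "type": "library",
      "name": "requests",
      "version": "2.31.0",
      "purl": "pkg:pypi/requests@2.31.0",
      "hashes": [{"alg": "SHA-256", "content": "8f2b0b6c9d1e4a7f3c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3"}],
      "licenses": [{"license": {"id": "Apache-2.0"}}]
    },
    {
      "type": "library",
      "name": "left-pad",
      "version": "1.3.0",
      "hashes": [{"alg": "SHA-256", "content": "deadbeef"}]
    }
  ]
}"""

if __name__ == "__main__":
    for p in check_sbom_json(SAMPLE_SBOM):
        print("PROBLEM:", p)
```

Run against the sample, the check flags only the second component: no purl or cpe, a malformed SHA-256 value, and no license. The hash-length check is worth keeping in any real pipeline, since an SBOM generated from a lockfile alone often carries empty or placeholder digests that look fine until you try to match them against an artifact.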

This is still an early-stage process, but we have to start somewhere. Getting it right will need both better instructions and better tooling, for the developers who have to build SBOMs and for the security teams who have to consume them.

If you either buy software or build software to sell, this is a topic to watch.

Credit: Dark Reading
