
What IS a Software Bill of Materials Anyway?

The feds are pushing pretty hard to get software makers to create and manage Software Bills of Materials, or SBoMs. What the heck is an SBoM anyway, and why is it important?

A very non-technical comparison would be the list of ingredients in packaged food. Let’s say you are allergic to some food, say wheat. You go to the store and buy something for dinner. How do you know if that package contains the ingredient that you are allergic to? You look at the bill of materials on the outside of the food package (which we would normally call the ingredients).

Same thing with software. Recently there was a huge breach due to a vulnerability in a piece of software called Log4j. If your company buys software, how do you know if that software contains the vulnerable Log4j component? Well, if there was an ingredient list, AKA an SBoM, you could look to see if it contains that.

Currently, almost no software comes with an ingredient list, partly because companies don’t want you to know what is inside their software and partly because, in many cases, even they don’t know what is in their software. In addition, keeping the SBoM current takes work.

But the feds want to change that and given how much software the feds buy, they might be able to pull that off.

But let's say you are a software maker. Where do you start? CISA, the U.S.'s cybersecurity agency, recently published guidance on building an SBoM.

A 2021 executive order requires federal agencies to implement SBoMs when DEVELOPING or buying software.

Yes, SBoMs are very useful for internally developed software too. Do you know if the particular version of a particular component of the software you built has a vulnerability? If you built an accurate ingredient list (AKA an SBoM), you could figure that out.
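The "look at the ingredient list for the vulnerable component" idea from the two paragraphs above, as an added example that is not part of the original post: a small Python script that reads a CycloneDX-style SBoM (the JSON layout that real SBoM tools emit) and checks every listed component against a list of advisories. The SBoM, the advisory ids and the affected version ranges are all constructed placeholders for illustration, not real vulnerability data, and the half-open "affected_from / fixed_in" range layout is this example's own convention rather than any standard feed format.

```python
"""Check a CycloneDX-style SBoM against a list of known-vulnerable components.

Added example, not code from the original post. Every component, advisory id
and version range below is constructed for illustration (placeholders, not real
advisory data).
"""
import json
from typing import Dict, List, Tuple

# Constructed SBoM in CycloneDX JSON layout. Real generators emit the same
# top-level keys; the components are made up for this example.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"},
    {"type": "library", "group": "com.example",
     "name": "widget-lib", "version": "3.2.0"}
  ]
}
"""

# Constructed advisory list. A component is affected when
# affected_from <= version < fixed_in. Ids and ranges are PLACEHOLDERS,
# not real CVE numbers or real affected ranges.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "affected_from": "2.0.0", "fixed_in": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.example",
     "name": "widget-lib", "affected_from": "1.0.0", "fixed_in": "3.0.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes ('1-beta') are dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts before version b (missing fields count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (group, name, version) for every component in a CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"group": c.get("group", ""), "name": c["name"], "version": c.get("version", "")}
        for c in doc.get("components", [])
    ]


def find_affected(components: List[Dict[str, str]],
                  advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per component whose version falls in an advisory's range."""
    findings = []
    for comp in components:
        for adv in advisories:
            if comp["group"] != adv["group"] or comp["name"] != adv["name"]:
                continue
            ver = comp["version"]
            in_range = (not version_lt(ver, adv["affected_from"])
                        and version_lt(ver, adv["fixed_in"]))
            if in_range:
                findings.append({
                    "component": f"{comp['group']}:{comp['name']}@{ver}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for hit in find_affected(load_components(SAMPLE_SBOM), SAMPLE_ADVISORIES):
        print(f"{hit['component']} matches {hit['advisory']}; fixed in {hit['fixed_in']}")
```

Run against the constructed input, the script reports the log4j-core entry and nothing else: log4j-api has no advisory, and widget-lib is already at a version past the placeholder fix. The point of the exercise is that the lookup is only as good as two inputs you control, an SBoM that actually lists what shipped and an advisory feed that is kept current, which is why the post stresses that keeping the SBoM current takes work.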

To help companies create and consume SBoMs, CISA has released a couple of documents.

One is the Software Bill of Materials (SBOM) Sharing Lifecycle Report, which helps people understand how to consume SBoMs. That report was produced last year.

The other, called Assembling a Group of Products, explains what should be in the SBoM.

There are also standards and automated tools for SBoMs.

If you sell software to the feds, this is no longer optional. If you care about the security of software that you develop, having an SBoM is an important tool to manage risk.

If you need help with this, please contact us.

Credit: Data Breach Today

