The objective for companies has long been to make the software they use, not third-party software and their own developed software, more secure in order to defend themselves against hacking attacks. This is crucial because not doing so can lead to direct losses or indirect penalties due to regulations such as the GDPR in the EU.
If you want to ensure security, you have to deal with the vulnerabilities of your own software supply chain. A standardized method of making this process easier is using an SBOM—software bill of materials. An SBOM provides information about components in a software package and where vulnerabilities might lie.
What is a Software Bill of Materials?
A software bill of materials is a detailed document that, among other things, provides information about all the components, such as services, middleware, libraries, etc., used in your software. As a kind of bill of materials, an SBOM helps vendors and buyers alike to keep track of components and improve the security of the software supply chain. Which important components should be included in an SBOM? What else should you pay attention to? The answers to these questions and more are discussed in the following sections.
What Are the Advantages of Using an SBOM?
The advantages of SBOMs are not only the rapid identification of possible security risks, as in the case of Log4j, but also the great interest shown by regulatory authorities and companies specializing in end users.
For example, the U.S. government has tasked the National Telecommunication and Information Administration (NTIA) with codifying the minimum requirements for an SBOM as part of Executive Order 14028, “Improving the Nation’s Cybersecurity”. That means companies are coming under more and more obligations to document things like bills of material.
Moreover, software bills of materials can also go beyond security: SBOMs can, for example, help developers keep track of the open source licenses of their various software components, which is important when it comes to distributing applications. Documenting the underlying components may be a difficult task at first. However, in the long run, the ability to create and update an SBOM is also beneficial for all involved.
What Are the Important Components of an SBOM?
In the abovementioned document issued by the NTIA, you can find the minimum requirement or most important components that such a list should contain.
The vendor name includes the name of the entity that creates, defines, and identifies the component. The component name describes the original vendor-assigned identifier of a software unit. The component version is concerned with the identifier used by the vendor in order to mark a change within the software from a previous version.
Other unique identifiers are other distinct characteristics used for detecting components in important databases. An example of that would be the identifier from the NIST CPE Dictionary. Furthermore, an important component of an SBOM is the dependency relationship, which detects the specific relationship between an upstream component X that is featured in software Y. Dependency relationships are especially important for open source projects. The author of SBOM data is the entity that has established the SBOM data. Finally, the timestamp is concerned with a record of the date and time when the SBOM data had been compiled.
Additionally, SBOMs have to meet the following criteria. Firstly, SBOMs must be created in one of the following three standardized formats in order to be machine readable: SPDX, CycloneDX, or SWID tags. Also, each new software release has to be accompanied by a new SBOM in order to be up-to-date. Finally, besides dependency relationships, SBOMs have to provide information to the generating organization on where these relations are existing.
In conclusion, an SBOM plays an important role within companies since it provides detailed documentation on various components of their software. An SBOM contains many different aspects such as the author name, version, timestamp, and dependency relationships. These various aspects of an SBOM do also have to comply with certain standardized relations such as being written in a certain form. In this regard, one can say that an SBOM provides very important software information for anyone who needs to work with that software.