Software bills of materials, the ingredient lists for software, are important elements to companies’ cybersecurity strategies, but only if they use SBOMs effectively to manage risk, Georgianna Shea and Logan Weber of the Foundation for Defense of Democracies write.
Organizations from startups to government agencies use opaque software code that could put them at risk of executing malicious programs. This code largely comes from open-source repositories without sufficient security processes.
A software bill of materials, or SBOM, plugs that gap by acting as an evolving list of ingredients for software, increasing transparency into the components at the beginning of a program’s lifecycle and serving as the basis for continued vulnerability monitoring. SBOMs can help governments and businesses manage risk, but only if they know how to use them.
There are four key steps that every organization must take to use this tool to improve security.
The US government, industry, and academics have worked together over the past five years to develop guidance on how to generate and exchange SBOMs between vendors and their customers.
After the December 2020 revelations about a years-long Russian cyber espionage campaign that penetrated US government agencies by compromising software provider SolarWinds, the White House kicked this collaboration into high gear in May 2021.
This included tasking the National Telecommunications and Information Administration with developing a standard for the minimum elements SBOMs should include, and the National Institute of Standards and Technology with providing guidance on how to secure the software supply chain by using SBOMs.
After completing this task, NIST also published updated guidance on supply chain risk management, which noted that SBOMs can help manage organizational risk by improving the transparency of software assets.
These standards and guidelines have clarified what information SBOMs should provide to customers and how software companies can implement processes to ensure the security of their code during its development process.
Fallout From Log4j
In the meantime, however, researchers discovered what US cyber chief Jen Easterly called likely the “most serious” software vulnerability she had ever seen, embedded in hundreds of millions of devices around the world. The Log4j vulnerability underscored the urgency of SBOMs, which would inform users whether their products contained it, she explained.