While it’s accurate that a software bill of materials (SBOM) lays the groundwork necessary to enhance software security, especially regarding the software supply chain security, enterprises must do more than just deploy them within their environments to get the most out of their SBOMs. They must put them to practical use.
Essentially, SBOMs are machine-readable lists of components and associated data about software that provide a comprehensive view into its composition. They are used by industrial and healthcare organizations to improve vulnerability management and manage third-party software supply chain risks. SBOMs can also be leveraged to strengthen regulatory and internal policy compliance, secure development practices, and help facilitate incident response. But to do so, enterprises must ensure they’re using their SBOMs effectively.
“There is a sentiment that SBOMs add to security,” says Michael Farnum, advisory CISO at technology services provider Trace3. “However, there is also a sentiment that it just adds to the workload of fixing vulnerabilities.”
Much of the latter sentiment stems from improper use of SBOMs and poorly maintained components. Fortunately, that’s a challenge that can be fixed by using SBOMs properly alongside sound vulnerability management practices.
Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA, where he focuses on supply chain security, says that the current state of SBOMs varies depending on the industry, organization, and even specific organizational environments.
“Now, organizations and security leaders are asking how they can use these artifacts to drive down organizational risk and integrate them into broader organizational programs such as cybersecurity supply chain risk management and vulnerability management,” Hughes says.
By integrating SBOMs’ detailed component inventories with real-time enterprise vulnerability data, security teams can more rapidly identify and prioritize software risks within their organizations. This can help streamline patch management but requires a focus on the correct standards, processes, and security toolsets.
“It’s difficult to integrate SBOMs into vulnerability management and secure software development lifecycles if an organization doesn’t have detection and automation. It can be difficult to build into their processes,” Farnum adds.
“Overall, streamlining your SBOM process will help organizations better understand and manage the software components they use, reducing risks and improving the quality and reliability of their software systems,” says Nick Mistry, SVP and CISO at software supply chain security company Lineaje.
To optimize their SBOM use, organizations should focus on managing SBOM standards and automating SBOM integration with their vulnerability management tools. In doing so, they can more readily determine whether a vulnerability is exploitable in their environment and the specific risk it poses to their organization.
Of course, the challenge here is orchestrating SBOM data with vulnerability managers and software composition analysis tools. Fortunately, these tools are increasingly working better with SBOM standards, such as SPDX and CycloneDX.
SPDX, the Software Package Data Exchange standard developed by the Linux Foundation, is a comprehensive framework allowing file-level analysis and detailed license information. In contrast, the CycloneDX standard, developed by the OWASP Foundation, is flexible and supports formats such as JSON and XML. While SPDX currently has a more extensive ecosystem, CycloneDX’s ecosystem is expanding. Some organizations today have decided to use both standards to ensure future compatibility.
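To make the two preceding points concrete (correlating an SBOM inventory with vulnerability data to prioritize findings, and dealing with both the SPDX and CycloneDX formats), here is an added Python example. It is not code from the article or from any vendor quoted in it. It normalizes a constructed CycloneDX JSON document and a constructed SPDX JSON document into one inventory keyed by package URL (the `components`/`purl` fields of CycloneDX and the `packages`/`versionInfo`/`externalRefs` fields of SPDX are the real field names), then matches that inventory against a constructed vulnerability feed. The feed layout, the placeholder vulnerability ids, the package names and the simple dotted-version comparison are all assumptions made for the example; a real feed (OSV, an NVD mirror, a vendor VEX document) would need its own adapter.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style JSON SBOM (placeholder components, not a real product).
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-parser@2.3.1"},
        {"type": "library", "name": "example-crypto", "version": "1.0.4",
         "purl": "pkg:pypi/example-crypto@1.0.4"},
    ],
})

# Constructed SPDX-style JSON SBOM for the same service, as a second tool might emit it,
# so it overlaps with the CycloneDX document on one package.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-service",
    "packages": [
        {"name": "example-logger", "versionInfo": "0.9.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-logger@0.9.0"}]},
        {"name": "example-parser", "versionInfo": "2.3.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-parser@2.3.1"}]},
    ],
})

# Constructed vulnerability feed with placeholder ids (assumed layout). Each entry names
# the package (purl without version), the affected range [introduced, fixed), a CVSS-style
# score and whether exploitation in the wild is known (the exploitability signal the
# article refers to).
VULN_FEED = [
    {"id": "VULN-EXAMPLE-1", "package": "pkg:pypi/example-parser",
     "introduced": "2.0.0", "fixed": "2.3.2", "score": 7.5, "known_exploited": True},
    {"id": "VULN-EXAMPLE-2", "package": "pkg:pypi/example-crypto",
     "introduced": "0.0.0", "fixed": "1.0.4", "score": 9.8, "known_exploited": False},
    {"id": "VULN-EXAMPLE-3", "package": "pkg:pypi/example-logger",
     "introduced": "0.1.0", "fixed": "1.0.0", "score": 5.3, "known_exploited": False},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (enough for the sample data)."""
    return tuple(int(part) for part in text.split("."))


def load_inventory(doc: str) -> Dict[str, Tuple[str, str]]:
    """Normalise a CycloneDX or SPDX JSON document into {purl: (name, version)}."""
    data = json.loads(doc)
    inventory: Dict[str, Tuple[str, str]] = {}
    if data.get("bomFormat") == "CycloneDX":
        for comp in data.get("components", []):
            inventory[comp["purl"]] = (comp["name"], comp["version"])
    elif str(data.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in data.get("packages", []):
            purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                         if ref.get("referenceType") == "purl"), None)
            if purl:  # a package without a purl cannot be matched against a feed; skipped
                inventory[purl] = (pkg["name"], pkg["versionInfo"])
    else:
        raise ValueError("unrecognised SBOM format")
    return inventory


def merge_inventories(*docs: str) -> Dict[str, Tuple[str, str]]:
    """Union of several SBOMs keyed by purl, so a package seen in both is listed once."""
    merged: Dict[str, Tuple[str, str]] = {}
    for doc in docs:
        merged.update(load_inventory(doc))
    return merged


def is_affected(version: str, entry: dict) -> bool:
    """True when version lies in [introduced, fixed); the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def match_vulnerabilities(inventory: Dict[str, Tuple[str, str]], feed: List[dict]) -> List[dict]:
    """Correlate the inventory with the feed and order findings for triage:
    known-exploited issues first, then by descending score."""
    findings = []
    for purl, (name, version) in inventory.items():
        package = purl.rpartition("@")[0]
        for entry in feed:
            if entry["package"] == package and is_affected(version, entry):
                findings.append({"id": entry["id"], "component": f"{name}@{version}",
                                 "score": entry["score"],
                                 "known_exploited": entry["known_exploited"]})
    return sorted(findings, key=lambda f: (not f["known_exploited"], -f["score"]))


if __name__ == "__main__":
    for finding in match_vulnerabilities(merge_inventories(CYCLONEDX_DOC, SPDX_DOC), VULN_FEED):
        print(finding)
```

Run as a script it prints two findings: the parser issue first because exploitation is known, even though the logger issue is not the highest score either; the crypto entry produces no finding because the shipped version is the fixed one. Keying the merged inventory on purl is what lets the two formats coexist without double-counting the shared package.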
“We still have a lot of room for improvement around what should be done with these artifacts and how,” Hughes concludes. “Organizations are still seeking guidance and learning how to ingest, enrich, analyze, and report on findings from SBOMs at scale in large enterprise environments.” Fortunately, as SBOM use and maturity grow along with security industry vendor support, so will the value enterprises gain from them.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.