The security research and advisory team at TAG Cyber has published a new article in its TAG Cyber Security Quarterly that makes the point that software bill of materials (SBOM) usage is long overdue.
“If food items on the supermarket shelf can list their ingredients, then it makes perfect sense that software driving critical business and infrastructure functions should do the same,” explained Stan Quintana, analyst at TAG Cyber and former head of Business Continuity and Disaster Recovery (BC/DR) services at AT&T.
What is an SBOM
The concept of an SBOM is quite simple: It is a listing of the components used in the code base for some piece of software. Despite this straightforward definition, implementation of an SBOM is much more complex.
Modern software is constructed from custom-built code, commercial off-the-shelf products, and open-source components. Keeping an accurate record and inventory of these building blocks is tough – especially in the context of Agile DevOps processes which support rapid update, change, and maintenance of software products.
During recent discussion with the TAG Cyber analysts, Allan Friedman agreed with the challenge of supporting an SBOM: “We understand that it is easy to talk about SBOM,” he shared, “but more difficult to actually build and use them.”
In addition to NTIA, many other organizations are supportive of SBOM and have shared tools, technologies, and standards that promote the concept in practice. CycloneDX, for example, offers a lightweight SBOM that is designed for application security and supply chain component analysis.
Action plan for the enterprise
Security, software, or procurement teams in enterprise can help to advance the SBOM approach by just initiating the discussion with their software providers. This is a simple and easy step for anyone who believes SBOM will help to reduce software risk.
Software vendors listen to their customers – so any reference to SBOM in the context of a commercial relationship will help to drive adoption. Obviously, the industry cannot shift to a mandatory SBOM ecosystem overnight. But practitioners can drive the concept forward by making clear their support for the approach.
“We are certain that SBOM will help to address many of the weaknesses in supply chain security for software,” explained Katie Teitler, lead analyst at TAG Cyber. “And we are excited to share our research with the community in our April TAG Cyber Security Quarterly.