A Software Bill of Materials, often shortened to the acronym SBOM, is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. To put it in everyday language, think of it as a recipe that lays out all the ingredients that go into a software.
In this Help Net Security video, Julie Klein, Director, Global Public Policy at Akamai Technologies, discusses her take on SBOMs.
Julie believes that:
SBOMs aren’t the silver bullet they’re portrayed as. While it’s helpful to know the “ingredients” of software, that knowledge doesn’t necessarily protect a system from malware or a breach.
More needs to be done to protect systems from breaches. The goal of SBOMs is less about proactive and reactive security measures, but rather to provide transparency of components delivered by participants in a software supply chain.
Systems must be layered with security technologies. If the ultimate goal is security, that comes with understanding of the software in a system via SBOM and understanding of how the network is organized. SBOMs can provide supply chain visibility, but should a system be compromised, it’s technology like micro-segmentation that would contain the blast radius.