What is a SBOM?
A Software Bill of Materials (SBOM) is a formal and machine-readable comprehensive inventory of components, libraries, and dependencies used to create a software application. A well defined SBOM includes both the supplier / manufacturer developed components and third-party components (including purchased software and open-source software), and the upstream software dependencies that are required/depended upon by proprietary, purchased, and open-source software.
A SBOM helps facilitate risk management processes by providing a mechanism to identify software and devices that might be affected by vulnerabilities in the software components, both during development and after it has been deployed.
It includes information on origin, versions, licenses, and other attributes and is a key transparency component in securing the software supply chain.
SBOM benefits for software and device suppliers
Regulatory Compliance: As an example, FDA recommends that premarket submissions include SBOM documentation. Executive Order 14028 is mandating SBOMs for software being sold to the US Government.
Visibility: Easier for developers to understand dependencies across components and deliverables.
Easier to monitor for vulnerabilities: Reduces detection and remediation time. This means quicker response to zero-day vulnerabilities.
Decrease license compliance risk: Manage software licensing (including constraints on use) for included components.
Mitigate component risk: EOL implications, Build “Reject” / “Allow” list of components.
Facilitates open source software usage: Reduce anxiety about using OSS, Increase speed of development, decrease risk.
SBOM benefits for software and device consumers
Addresses reporting and compliance requirements
Risk based decision making
Quicker identification and mitigation to zero-day vulnerabilities
High Assurance: Understand provenance of software components
20 Questions to consider as you build your Software Bill of Materials initiative:
Design
What is the driver of your SBOM program as a software producer?
Baseline inventory of your software dependencies
Customer requirement
Validation of software integrity
Regulatory compliance
License compliance
Vulnerability monitoring and management
All of the above (recommended)
What is the driver of your SBOM program as a software consumer?
Check for “SBOM drift” – Unexpected changes in the contents due to malware
Legal and license compliance
Security analysis
Policy compliance
Customer requirements
Regulatory compliance
When do you generate your SBOM as a producer?
During Build (recommended)
After build process using binary analysis
Not sure
What is the format of your SBOM?
SPDX (most common)
CycloneDX
SWID
Text file
Create
Do you produce SBOM for each product identifying component dependencies?
Yes, for all (recommended)
Only for on-premise software
Only for on-premise and cloud based software
Have not determined the product type scope for SBOM generation process
What dependencies are included as part of the SBOM creation?
Direct dependencies only
Transitive dependencies (recommended)
What is the included as part of your SBOM generation process?
Libraries
Frameworks
Third party components
All of the above (recommended)
Is your SBOM compliant with NTIA minimal requirements for data to be included in the SBOM? (The requirements are higher for FDA pre-market approvals)
No
Not sure
Do you request SBOMs from suppliers or generate it yourself?
Generate it internally
Request from supplier
Do both (recommended)
Neither
Is SBOM generated automatically as part of your DevOps toolchain?
Yes (preferable)
No
Possibly in the future
How do you validate that SBOM is complete?
Which tool do you use to generate the SBOM as part of the build process?
Microsoft
CycloneDX Maven Plugin
Kubernetes BOM
SPDX SBOM
Syft
Other
Don’t generate SBOM as part of build process.
Which tool do you use to generate the SBOM as part of the post build process?
Synopsys BlackDuck
Jfrog Xray
Snyk
Contrast
FOSSA
MergeBase
other
Manage
Do you have a central repository to manage and store all SBOMs (supplier, internal and externally delivered) across your organization for visibility and compliance purposes?
Yes
No
In process of building
Possibly in the future
What resource do you use to map SBOM components to known vulnerabilities?
Open Source Vulnerability (OSV) database
Github advisory database
NVD
Are you hesitant to share SBOM with your customers due to proprietary information concerns?
Yes
No (industry resistance is declining)
Not sure, still evaluating
Do you generate SBOMs for each build and compare for differences to identify possible tampering?
Yes (Recommended for Malware detection)
No
Possibly in the future
Which tool do you use to consume the SBOMs from your suppliers?
Cybeats
Rezilion
Anchore
How do you securely deliver your SBOMs?
Signed SBOMs (recommended)
Use a decentralized service like SCITT or OSF?
Email
Not sure
Customer Transparency
Do you include exploitable vulnerability information with your SBOM?
Include VEX file (in early stage of adoption)
No
Sometimes
Σχόλια