Demystifying SBOMs: A Proactive Approach to Software Security

Share on

Ravi Lingarkar Chief Product & Engineering Officer

In December 2021, an unexpected security flaw, Log4Shell, was found in Apache Log4j, a frequently used library for logging activities in software applications. This flaw made it possible for cybercriminals to take control of a computer system remotely. It reminded us of the crucial need to understand what's inside our software - knowing each component and how it interacts with others. This can be achieved through Software Bills of Materials (SBOMs), which allows organizations to identify quickly, and secure applications affected by security flaws, such as Log4Shell.

What are SBOMs?

Imagine you're building a house and have a list of every material used, from the largest steel beams down to the smallest screws. That's essentially what a Software Bill of Materials (SBOM) is for software—it's a detailed list of all components used to build a software product, including information like the component's name, who made it, what version it is, and how it interacts with other components.

By providing a standardized, easy-to-read format that can be understood by machines and humans alike, SBOMs make it possible to keep track of all these components. They act as a roadmap for software, guiding you through its structure and making it easier to manage and secure. Several standard formats exist for SBOMs, including those created by the Open Web Application Security Project CycloneDX, Software Product Data Exchange (SPDX), and Software Identification Tagging (SWID).

SBOMs and Executive Order 14028

In May 2021, the U.S. government issued a directive known as Executive Order 14028. An Executive Order is a rule or requirement by the President that guides federal agencies and officials. This particular order recognized SBOMs as an essential tool for increasing the security of software supply chains.

As a result, various agencies started working on guidelines and requirements around SBOMs. By September 14, 2022, federal agencies needed to confirm that their software was built following guidelines from the National Institute of Standards and Technology's Secure Software Development Framework (NIST SSDF), which includes using SBOMs.
While these requirements apply mainly to companies dealing directly with the U.S. federal government, they are also likely to influence others. Companies outside the government's direct purview may also adopt SBOMs, as they may have clients who deal with the government.

The Benefits

Having an SBOM for your software is like having a blueprint for a building - it lets you see what's inside and how everything fits together. This clarity brings several benefits:

1. Dependency Management: SBOMs allow for efficient tracking software dependencies across applications. This ensures that developers use code and sources that have been approved, reducing the risk of introducing security vulnerabilities.
2. Vulnerability Management: With an SBOM, it's easier to identify and prioritize potential security risks in the software's dependencies. It's a proactive way to strengthen the software's defenses.
3. Risk Management: By offering a bird's-eye view of all software components and their relationships, SBOMs help proactively identify and mitigate potential threats.
4. License Management: SBOMs clarify the licenses of all components, ensuring that none of them violate the organization's legal policies.
5. Competitive Advantage: As more organizations and government agencies require them, providing an SBOM could set a company apart from its competitors.

In Practice

To better grasp the value of SBOMs, let's consider a simple example. As a leader in the Data Discovery and Classification market, SISA provides a product many customers use in the payment industry. This product uses various components, such as a user interface library for the graphical layout, a database management system to store customer data, and a Machine Learning (ML) library consisting of open-source components for advanced features.

The SBOM for the product will list all the components along with details like their version numbers, who created them, and how they interact. Now, suppose a security vulnerability is discovered in the ML library. Because we have an SBOM, we can quickly identify that the product uses this vulnerable library. We can then swiftly take action to patch the flaw or replace the library, thereby securing our software and protecting your users.

In this age of complex software systems, maintaining an SBOM can drastically improve one’s capability to manage dependencies, address vulnerabilities, and foster trust with your users. As software becomes ever more integral to our lives, adopting such proactive security measures is not just beneficial—it's essential. By understanding and implementing SBOMs, we take a step forward in making the digital world a safer place for all.

The Wider Impact

As the global software industry expands, so does the demand for improved security measures. The U.S. government has taken a significant step in this direction with Executive Order 14028. Though this order directly influences companies dealing with the U.S. federal government, its impact is expected to be far-reaching. Given the interconnected nature of today's digital economy, the ripples created by this directive could affect software providers worldwide. In essence, even if a company doesn't directly work with the U.S. government, it may have clients who do. This scenario underscores the universal importance of SBOMs in maintaining a secure and trustworthy software supply chain.

A Step Towards a Safer Future

The digital landscape is evolving rapidly, with it, the potential risks. SBOMs offer a proactive, effective tool for managing these risks, promoting transparency, and enhancing software security. From aiding developers in managing dependencies to providing a competitive edge for software vendors, the benefits of SBOMs are manifold.

In summary, the value of SBOMs goes beyond just software companies or those involved directly in the software supply chain. As users of countless software applications daily, understanding and advocating for security measures like SBOMs is crucial for all of us. In a world where software components are transparent, vulnerabilities are quickly addressed, and software security is a given rather than an afterthought is safer for everyone. Implementing SBOMs represents a significant step towards that goal, fostering trust, confidence, and peace of mind in our increasingly digital world.