What is an SBOM and Why is it Valuable? 

Do you know what’s in the codebase of the apps your business uses and develops? The extent to which all the components of apps are visible and recorded is a critical indicator of software supply chain security. Whether your company deploys commercial apps or creates them (perhaps both), here’s how a software bill of materials (SBOM) helps you reduce risks from incidents similar to SolarWinds and Log4Shell.

Why is Software Supply Chain Security an Issue Now?

Software supply chain security is a hot topic in the world of infosec. Modern software development practices like Agile and DevOps focus on agility and frequent releases. These practices mean that most apps are no longer monolithic codebases composed of mostly proprietary code.

Today, companies tend to create or use apps that function more like a collection of smaller services that communicate with each other. These services get deployed in virtualized containers that often run on cloud infrastructure.

Furthermore, the code in contemporary apps is often a medley of libraries and frameworks from open source projects and proprietary code written by in-house developers. One estimate puts the number at 70-90% of the average modern app’s codebase being composed of free and open source code that provides ready-made functionality to apps.

While the faster time to market from modern development practices comes with many benefits, the downside is increased levels of security risk in the software supply chain. Even if your business never writes a single line of code, you need full visibility into the software supply chain of the apps you deploy.

Threat actors today increasingly look to exploit weaknesses in the software supply chain. Part of the attraction from a malicious standpoint is the ability to target large numbers of victims at once. Exemplifying this was the 2021 zero-day vulnerability found in the popular Java logging framework Log4j. One vulnerability instantly put thousands of organizations at risk, whether they were using Log4j in their IT ecosystems directly or whether the apps they procured used Log4j.

What is a Software Bill of Materials?

A software bill of materials attempts to bring visibility into software supply chains by listing all the components present in a codebase. In particular, an SBOM contains the following useful information:

• All of the third-party and open-source components that exist in an application’s codebase
• Licensing information for all components so that you don’t encounter litigation or intellectual property issues from conflicts between what the license allows and how you use the component
• Version information for each component so that you can quickly identify if an app uses outdated or vulnerable components that could be increasing cybersecurity risk.

The concept of an SBOM draws inspiration from the bill of materials commonly found in manufacturing processes. In fact, the car you drive comes with a bill of materials that details every component of that car. The visibility provided by this structured, formal inventory makes it easier to track issues and recall defective parts.

An SBOM is hierarchical so that it tracks the relationships between each component. An SBOM should also be machine-readable, which means that you generate it in a specific format. Currently, the two main SBOM formats are CycloneDX and Software Package Data Exchange (SPDX)—the latter is the more complex and granular of the two formats in terms of how it describes relationships between software components.

SBOM Executive Order

It’s worth briefly pointing out that a 2021 Executive Order on Improving the Nation’s Cybersecurity contains a lengthy section on enhancing software supply chain security at the Federal government level. A notable quote from this section was the necessity to provide government purchasers of software with “a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”

If your company develops commercial software solutions but you don’t do any business with the U.S. government, it’s tempting to neglect any need for an SBOM. But in setting this example, companies in the private sector will also increasingly look for an SBOM when procuring software solutions. If you avoid going to the effort of generating this inventory of components in your apps, you risk losing out to competitors.

Cybersecurity Benefits of SBOMs

The general cybersecurity benefits of SBOMs for those who create, purchase and operate software include:

• Removing any mystery from what’s contained in the software you run or create. Without a full inventory of components, software remains somewhat of a black box; this causes particular concern in areas like vehicles, aircraft and critical infrastructure, in which the full gamut of potential software threats must be understood and tested against.
• Adversaries regularly exploit vulnerable software components to achieve their malicious aims. Part of the reason that vulnerabilities remain such a big part of the cybersecurity puzzle is that mitigation is slowed down by organizations not even being aware of a vulnerable component in their IT ecosystems. A significant benefit here is how having an SBOM speeds up protective measures for vulnerable apps that you’ve deployed.
• While protective measures may simply fend off the attacks that target vulnerable components, SBOMs also speed up the time to upgrade and patch out-of-date or vulnerable software.
• SBOMs facilitate more thorough and easier due diligence when procuring software solutions to use for customer-facing or internal purposes. With a record of all the components used in a potential solution, you can gauge how secure the vendor’s development practices are and quickly weed out solutions that use vulnerable components.

Reducing Cyber Risks

Requiring and/or generating an SBOM for all software will play an increasingly important role in reducing cyber risk at your business in the coming years. Microsoft CEO Satya Nadella’s quote about every business being a software business is true in a world where apps drive both operations and innovation.

At Nuspire, we stand ready to complement your risk reduction ambitions with cybersecurity consulting services. Available expert guidance includes incident readiness, threat modeling, vCISO, security posture assessments and customized approaches to address threats in your specific industry.

Chat with an expert to learn more.