Software bills of materials (SBOMs) are having their day — they're even government-mandated at times. In September 2023, the U.S. Food and Drug Administration issued its final version of “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The guidance corresponds to the 2023 Consolidated Appropriations Act, H.R. 2617 (PDF), which calls on the FDA to acquire attestations, including an SBOM, from medical device manufacturers regarding their products’ cybersecurity.
While SBOMs are currently mandated by the government only in the medical area, broader industry consensus is growing in favor of SBOMs. In October 2023, analyst firm Gartner released a report, “Mitigate Enterprise Software Supply Chain Risks,” which stated that “the inability or unwillingness of a vendor to provide an SBOM should be viewed as a significant risk and potentially disqualifying.”
Still, security leaders and risk managers are just getting used to the idea of creating SBOMs. To help put them into context, Beau Woods, founder and CEO of Stratigos Security, joined a ConversingLabs conversation with Paul Roberts to explore the history of the SBOM, from its humble beginnings to its modern-day use. Most important for helping you weigh whether SBOMs are right for your organization, Woods discusses efforts to adapt them for the future. Here are key highlights from the ConversingLabs episode.
The SBOM: Trending, but not new
Woods first came across the concept of the SBOM in 2013 when he began working with I Am the Cavalry, a grass-roots organization focused on driving cybersecurity for improved public safety and human life. But, as Woods noted to Roberts, the SBOM didn’t start there:
“[SBOMs] had already been well established in places like the aerospace industry, where they have very low tolerance for any problems and a very high expectation of sound engineering practices.”
More than a decade ago, large financial institutions began to speak publicly about their use of SBOMs to ensure that the components used in the third-party products they were relying on to conduct business were transparent, Woods noted.
While SBOM adoption was slowly taking shape in those critical sectors in the 2010s, the rhetoric on Capitol Hill was divisive. Woods said that pushback for SBOM adoption was rooted in the notion that “you couldn’t possibly track all of the software that was used in producing a product.” Nonetheless, with time, SBOM adoption slowly increased – not as a result of government policy but because of market forces, he said:
“Just by the fact of asking for an SBOM, you can cause that market to change.”
Why software transparency is a must
SBOM adoption is far higher now than in 2013, but Woods said there are still laggards who have yet to jump in. He said he likes to remind leaders of what a BOM offers in the context of manufacturing: improved quality, reduced cost, fewer safety issues, and less liability post-procurement. And, he said, BOMs' value in their most basic form can be transferable to the digital landscape.
With a few “engineering tweaks,” the standard BOM can be made applicable to software, Woods said, and those who have been slow to adopt SBOMs will see that a software package isn’t very different from a vehicle that needs to pass its safety tests. And organizations will have to adapt sooner rather than later if they want to survive in a demanding market, in the face of cyberthreats, he said.
The value of an SBOM is essential for cybersecurity, Wood said:
“If you want to optimize your security and [minimize] risk, you kind of need that transparency; you need some kind of SBOM.”
The future of the SBOM
While the SBOM brings a great amount of value to the market, it alone can't manage software risk. However, Woods is hopeful that as adoption increases and more use cases come to light, the value that SBOMs bring will only increase. The SBOM is continuing to evolve to bring this value to organizations. For example, OWASP recently introduced CycloneDX 1.6 with the hope of future-proofing SBOMs.
To help organizations better understand SBOMs and their place in software supply chain security, several leading experts joined in a recent webinar, "SBOMs Are Having a Moment. How to Make Them Actionable," providing an overview of why SBOMs are in the spotlight and how organizations can best operationalize them for greater software supply chain security.
To learn more about the history of the SBOM, where it stands today — and what Woods believes is the future for the SBOM, watch the full ConversingLabs episode “The Past, Present & Future of SBOMs,” or listen to it wherever you get your podcasts.
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.