The Software Bill of Materials (SBOM): Coming of Age in Software Supply Chain Security

It's never been more important to see into -- and secure -- your software components, especially those that come from open source software (OSS). OSS libraries, intrinsically complex, also often come with vulnerabilities. Those continue to pose significant risks.

But the landscape is shifting. A few short years ago, we spent most of our time explaining the "what" of the Software Bill of Materials (SBOM) and the "why" of why it was a necessary tool. Today, the SBOM has now come of age, becoming indispensable in enhancing transparency and managing risks in software supply chains. 

Why SBOM? Why Now?

What's driving the evolution of SBOM tools? Several things. There's an acute need for transparency into today's software supply chains. Also, risk management methodologies are increasingly reaching for proactive approaches such as those enabled by SBOM intelligence.

There's also a regulatory element. Through catalysts such as President Biden's Executive Order 14028 in 2021 to more recent guidance like the EU CRA, ISO 21434, AUTOSAR, and the FDA's Final Guidance, there's a growing demand from customers for more insight into the software supply chain.

These forces have propelled the SBOM from the emerging idea it was as recently as a couple of years ago to a critical component of application security today. Market forces are also highlighting the SBOM's role in safeguarding today's applications against the vulnerabilities that exist in many OSS libraries.

A Deeper Look at the SBOM's Catalysts

What are the other factors driving the journey to SBOM's maturity? 

• 
  Regulation: Recognizing how critical software transparency is for national security and consumer protection, entities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the European Commission have issued directives to integrate SBOM use into the software development process. Similarly, regulatory drivers like the FDA's Final Guidance and ISO 21434 have also emerged, to govern SBOM use in specific verticals such as medical devices and connected automobiles, respectively.   
  
• 
  Supply Chain Complexity: Increasingly intricate software supply chains make SBOMs even more essential as organizations look to map software components' origins and dependencies to better ensure their integrity and security.
  
• 
  The Open Source Software Boom: OSS has been widely adopted and this underscores the need for greater and continuous visibility into software components. SBOMs are uniquely positioned to fulfill this need.
  
• 
  Market Demands: Both vendors and customers insist on SBOMs when they want to verify the security and compliance of their software purchases. SBOMs fulfill a need in a market that increasingly values transparency and security.
  

Regulation: Recognizing how critical software transparency is for national security and consumer protection, entities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the European Commission have issued directives to integrate SBOM use into the software development process. Similarly, regulatory drivers like the FDA's Final Guidance and ISO 21434 have also emerged, to govern SBOM use in specific verticals such as medical devices and connected automobiles, respectively.   

Supply Chain Complexity: Increasingly intricate software supply chains make SBOMs even more essential as organizations look to map software components' origins and dependencies to better ensure their integrity and security.

The Open Source Software Boom: OSS has been widely adopted and this underscores the need for greater and continuous visibility into software components. SBOMs are uniquely positioned to fulfill this need.

Market Demands: Both vendors and customers insist on SBOMs when they want to verify the security and compliance of their software purchases. SBOMs fulfill a need in a market that increasingly values transparency and security.

SBOM Regulatory Drivers

The SBOM's coming of age aligns closely with the development and implementation of increasingly stringent regulations across various sectors. And this reflects a global move towards enhanced software transparency and security.

Consider the AUTOSAR (Automotive Open System Architecture) standard. AUTOSAR emphasizes the need for robust automotive software architectures, including the traceability of software components, directly echoing the principles of SBOM.

In Europe, the EU Cyber Resilience Act (CRA) mandates rigorous risk management practices for connected devices sold within the European Union. Requiring products to be shipped with no known vulnerabilities and vulnerabilities to be reported within 24 hours are both requirements that SBOMs, enriched with up-to-date vulnerability information, can help fulfill.

Meanwhile, in the United States, the Food and Drug Administration (FDA) has issued its Final Cybersecurity Guidance for medical devices, highlighting the necessity of a transparent software inventory to mitigate cybersecurity risks effectively.

Similarly, the adoption of ISO 21434, a standard dedicated to automotive cybersecurity, underscores the automotive industry's commitment to safeguarding vehicles against cyber threats through rigorous risk management practices, including the comprehensive documentation of software components similar to the principles embodied by the Software Bill of Materials (SBOM).

Together, these evolving regulations, and a growing list of others, underscore SBOM's critical role in not only meeting compliance requirements but also in fostering a more secure and resilient digital infrastructure across industries.

Conclusion

The Software Bill of Materials (SBOM) has undoubtedly come of age, transforming from an innovative concept a few years ago to a cornerstone of software supply chain security today.

This growth in SBOM adoption and usage reflects the industry's broader movement towards greater transparency, security, and responsibility in software development.

The SBOM stands as a testament to the software industry's commitment to securing the digital world. With continued collaboration and innovation, the SBOM will remain at the forefront of enhancing the security and integrity of modern applications.