What Is the Purpose of a Software Bill Of Materials?
“The goal is to provide transparency into the composition and provenance of software,” says Moyle. “For the customer, you can trace the provenance and composition of what you own, and the developer can keep track of what’s in their dependencies so they can offer more transparency to their customers.”
It’s also important for managing potential risk. SBOMs are often compared with nutritional information labels that list all the ingredients contained in a food item. The reason for that? “Consider the experience of someone allergic to a commonly occurring ingredient like soy. Obviously, they’d avoid products that make first-order use of soy — products that are obviously made out of it, like tofu,” says Moyle. “But what about second- and third-order usage? For example, a cake with chocolate icing where the chocolate in the icing uses soy lecithin as an emulsifier. They’d still need to know about that, right? Even a small dose of the allergen can be problematic depending on the severity of the allergy.”
How does that tie to SBOMs? “In some situations, dependencies in software can introduce risk in a similar way; for example, when there are severe vulnerabilities in commonly occurring and widely deployed software components,” says Moyle.
MORE FROM BIZTECH: Learn key lessons about protecting your organization from cyberattack.
How do SBOMs Help Protect the Software Supply Chain?
“SBOMs help make it possible to protect your supply chain because they identify what is included in your supply chain,” says IDC’s Al Gillen. It’s like surveying your home for vulnerable access points to know where to install alarm sensors. By providing insights into software components, organizations may not merely identify potential risks but, ideally, identify them early enough that they don’t make it to a final product.
That protection will be imperative as supply chains become increasingly vulnerable. “In 2021, the European Union Agency for Security estimated that the number of attacks on the supply chain would increase fourfold from the previous year,” Worthington says. When all it takes is a single vulnerability to disrupt a supply chain, knowing what that vulnerability might be — and how to eliminate it — is critical.
Experts caution, however, that SBOMs aren’t foolproof. “Collecting, managing, inventorying, and making use of the data from them is a large, complicated exercise,” says Moyle. “Yes, it makes the problem of software vulnerabilities potentially more manageable, but it’s not magic and won’t fix all problems.” Worthington agrees: “An SBOM is only a piece of the puzzle. Securing your software supply chain requires people, process and technology.”