A Software Bill of Materials (SBOM) is similar to a recipe for creating the perfect dish. In this case, the recipe is for creating secure software. An SBOM gives insight into the software components used to build a piece of software: it records the functions of those components as well as their source.
Just as one wrong ingredient can ruin a dish, one vulnerable software component can make an entire system vulnerable to attack. Without an SBOM, identifying possible risks and mitigating attacks becomes harder for the security team.
What are the Contents of an SBOM?
According to the NTIA (National Telecommunications and Information Administration), certain elements should be present in every SBOM. Some elements identify components, and others show the relationships between software components. The following are the basic elements required to properly identify software components.
- Author’s Name: The creator of the SBOM. This usually refers to the organization that created the application the SBOM is for.
- Supplier Name: The name of the supplier of software components or applications.
- Component Name: Name(s) of the component, including any other names it may be referred to by.
- Version String: The version information that identifies the software component.
- Component Hash: A cryptographic hash used to identify a component in the SBOM. The component hash is the unique means of identifying components in an SBOM.
- Unique Identifier: An identifier that differentiates a component from the others and is used to identify it.
- Relationship: This refers to the relationship between the software component and the overall application.
In addition to the elements used for component identification, an SBOM contains information showing the relationships between components. An SBOM is typically expressed in a table format, with a section for relationships. The words used to describe component relationships are "included" or "included in". SBOM authors must have substantial knowledge of their components, such as their source and their relationships with other components. It is understood, however, that an author may not have sufficient information on supplier components. Because such scenarios are likely, categories were created that show the author's knowledge of supplier components.
The categories used to classify an author’s knowledge of components created by a supplier are:
- Unknown: This means the author does not have information on the relationships of the supplier's components. It could also mean there is no component relationship to record.
- Root: There are no known relationships either based on the author’s knowledge or as stated by the supplier.
- Partial: There is a known relationship concerning the supplier’s components. All known relationships between the supplier components are listed.
- Known: All the components’ relationships are known and are listed.
Here is an example of an SBOM table with basic component identification and relationships.
Figure 1: SBOM table with identification and relationship elements.
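The element list and knowledge categories above can be checked mechanically. The following is an added example, not part of the original article or any NTIA tooling: the field names, the "primary" marker for the top-level row and every value in the sample table are assumptions made for illustration.

```python
import hashlib

# Field names are this example's own; they mirror the element list above.
REQUIRED = ("author", "supplier", "component", "version", "hash", "uid", "relationship")
KNOWLEDGE = {"unknown", "root", "partial", "known"}  # categories from the list above


def row(supplier, component, version, uid, relationship, knowledge, payload=b""):
    """Build one SBOM row; the hash is SHA-256 over the (constructed) payload."""
    digest = hashlib.sha256(payload).hexdigest() if payload else ""
    return {"author": "Acme", "supplier": supplier, "component": component,
            "version": version, "hash": digest, "uid": uid,
            "relationship": relationship, "knowledge": knowledge}


def validate(rows):
    """Return (uid, problem) findings for rows that fail the baseline checks."""
    findings, seen = [], set()
    names = {r["component"] for r in rows}
    for r in rows:
        uid = r["uid"] or "<no uid>"
        findings += [(uid, f"missing {f}") for f in REQUIRED if not r[f]]
        if r["uid"] and r["uid"] in seen:
            findings.append((uid, "duplicate unique identifier"))
        seen.add(r["uid"])
        if r["knowledge"] not in KNOWLEDGE:
            findings.append((uid, f"unrecognised knowledge category {r['knowledge']!r}"))
        rel = r["relationship"]
        if rel.startswith("included in "):
            parent = rel[len("included in "):]
            if parent not in names:  # relationship points at a component the SBOM omits
                findings.append((uid, f"parent {parent!r} is not listed in the SBOM"))
        elif rel and rel != "primary":  # "primary" is this example's top-level marker
            findings.append((uid, f"unexpected relationship {rel!r}"))
    return findings


# Constructed sample table: all suppliers, names, versions and identifiers are made up.
SAMPLE = [
    row("Acme", "Application", "1.1", "234", "primary", "known", b"app-1.1"),
    row("Bob", "Browser", "2.1", "334", "included in Application", "partial", b"browser-2.1"),
    row("Carol", "Compression Engine", "3.1", "434", "included in Browser", "root", b"ce-3.1"),
    row("", "Buffer", "2.2", "434", "included in Parser", "maybe"),  # deliberately broken
]

if __name__ == "__main__":
    for uid, problem in validate(SAMPLE):
        print(f"{uid}: {problem}")
```

The last row is intentionally incomplete so that each check reports at least one finding.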
Software Bill of Materials Executive Order
In May 2021, the federal government issued Executive Order 14028, which states, among other guidelines, that US government agencies only deal with software vendors that offer an SBOM. The Executive Order on Improving the Nation’s Cybersecurity also instructed the National Telecommunications and Information Administration (NTIA) to specify the minimum requirements for an SBOM, which the agency later set out in a comprehensive report released in July 2021.
Why every corporation should have an SBOM
While having a good part of a corporation’s infrastructure online has benefits, it also has its downsides.
One of the downsides is vulnerability to hackers. Corporations that deal with sensitive data, like those in the energy sector, have been subject to cyber-attacks over the years.
According to the Thales Data threat report, 45% of U.S. companies experienced a cyber-attack in 2021. These attacks spread over various sectors, including energy and I.T. sectors. Considering that the U.S. depends on the oil and gas sector to produce electricity, an attack on the oil and gas sector would disable the U.S. economy. This article contains more information on the cybersecurity challenges faced by the energy sector.
Knowing how disastrous these attacks can be, the National Telecommunications and Information Administration developed SBOM. Corporations should ensure they have SBOMs for all their software, whether it is bought, open source, or developed in-house. Some benefits of having an SBOM for the applications you use or create are stated below.
- Identifying and avoiding vulnerabilities in software components: This applies to the software your corporation developed and the software you purchased from a supplier.
- SBOMs contain sufficient information on the software used by the corporation that can influence business decisions. The information in SBOMs can influence decisions on software purchase, development, and use of open source projects.
- Better software security and risk mitigation: An SBOM shows the relationship between software components and their functions. Having an SBOM allows you to trace where an attack might be coming from based on the aspect of the application that was attacked.
- Having an SBOM that is understood by developers, open source projects, and suppliers promotes a mutual understanding of software assets.
- Ensures consistency and accountability from suppliers: Having your software supplier give you an SBOM alongside your purchased software allows you to inspect the software components. Having an SBOM from your supplier keeps your supplier accountable for the software in case of vulnerabilities. Also, if you give preference to suppliers with SBOMs, you will improve your overall security. As a software supplier, having an SBOM for your software makes you more trustworthy.
- Eliminating possible software risks and vulnerabilities: With a detailed SBOM, you can eliminate the risks due to reused or outdated software.
Every corporation that deals with sensitive information should embrace all opportunities, e.g., SBOM, to improve its security. This must be done to avoid exposure of sensitive information to people that will use that information to hurt others.
Who makes use of an SBOM?
The SBOM falls under the jurisdiction of teams responsible for their organization’s cybersecurity. This could be the compliance teams ensuring that all the software the company uses meets industry standards.
Software development teams can use SBOMs to inspect the software components used in their applications. Security teams can use SBOMs to check for vulnerabilities and prevent impending risks.
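A sketch of the vulnerability check a security team might run over an SBOM, following "included in" relationships upward to find every product that ships a flagged component. This is an added example, not from the original article; the SBOM rows, the advisory entries and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed SBOM rows: (component, version, "included in" parent or None for top level).
SBOM = [
    ("Application", "1.1", None),
    ("Browser", "2.1", "Application"),
    ("Compression Engine", "3.1", "Browser"),
    ("Compression Engine", "3.1", "Updater"),  # same component reused by a second parent
    ("Buffer", "2.2", "Browser"),
    ("Updater", "0.9", "Application"),
]
# Constructed advisory entries: (component, affected versions). Not real advisories.
ADVISORIES = [("Compression Engine", {"3.0", "3.1"}), ("Updater", {"0.8"})]


def affected_products(sbom, advisories):
    """For each advisory that matches the SBOM, list everything that ships the component."""
    parents, versions = defaultdict(set), defaultdict(set)
    for name, version, parent in sbom:
        versions[name].add(version)
        if parent:
            parents[name].add(parent)
    report = {}
    for name, bad_versions in advisories:
        hit = versions.get(name, set()) & bad_versions
        if not hit:
            continue  # component absent, or present only at unaffected versions
        seen, stack = set(), [name]
        while stack:  # walk every "included in" edge upward; seen guards against cycles
            node = stack.pop()
            for parent in parents.get(node, ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        report[name] = {"versions": sorted(hit), "shipped_in": sorted(seen)}
    return report


if __name__ == "__main__":
    for component, detail in affected_products(SBOM, ADVISORIES).items():
        print(component, detail["versions"], "->", ", ".join(detail["shipped_in"]))
```

The Updater entry is skipped because the SBOM lists version 0.9, which the constructed advisory does not cover, which is why the version string matters as much as the component name.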
Verdict
Integrating an updated SBOM into software development workflows seems easy. This simple tool, which other industries have already perfected, frees up your resources to create powerful software and a great user experience.
ITEGRITI, the leader in context-aware analytics, can help you clarify your software supply chain to protect your customers and your business. Our Product Security Platform generates SBOMs in multiple formats and exposes hidden vulnerabilities in your products. Visit our website to see the cybersecurity solutions we provide.