Sunburst and Supernova SolarWinds attacks, in 2019 and 2020 affected over 30 thousands of its customers, including several US government agencies. After that, US president Biden mandated, on May 12 2021, the National Institute of Standards and Technology (NIST) to prepare guidance toward enhancing the software supply chain security.

In response, the National Telecommunications and Information Administration (NTIA) has now released the minimum elements for software bill of materials (SBOM). This is now the new standard for the private sector when delivering software to the American government and it is a cornerstone toward building a more secure cyberspace.

Software bill of materials

The software bill of materials describes in a structured way the list of components included in a software. With the SBOM, all the hierarchy and relations between components are deciphered which is critical to understand the current and future software vulnerabilities of any software component.

Dependency graph as shown in application
Components dependency graph
Branches of a tree
Components ramification is similar to the branches of a tree

SBOM are useful to different actors at different stages of the application lifecycle:

  • During software development
    SBOM helps the dev team to review the license and sub components of open source software (OSS) and commercial off the shelf (COTS) libraries.

  • At each software release
    The development team generates a new aggregated SBOM that fully describes the software being released. This allows other development teams to further continue the chain or provide complete insight to the final customers.

  • During software operation
    Support team gets clear insight of all the components of the applications it is managing. It can monitor and respond quickly once a new software vulnerability is discovered. It can also act proactively, viewing software components getting obsolete, planning for maintenance or even ringing the decommissioning bell for software that puts company at risk or lack regular updates.

  • During audit, risk review, budget planning
    SBOM gives software transparency. It helps everyone view and understand the software aging process, enabling unbiased decisions based on security and obsolescence risks. It saves hundreds of hours in risk analysis, software vulnerability management, and remediation processes and highly facilitates any arbitration between projects.

The Software Transparency: A Security Imperative

Sharing the SBOM between partners should become a no-brainer in all the industries. SBOM generation is easy and automated, so you should really start to worry if one of your partner is reluctant to share its SBOM.

The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.

Joe Biden, 46th U.S. president, on May 12 2021

Are you still worried that sharing an SBOM might facilitate a hacker’s job ? Well, you should not. Hackers will test your software vulnerabilities no matter what. Security through obscurity never worked and this evidence was already showcased by Alfred Charles Hobbes in 1851 when he demonstrated lock-picking techniques. While he was initially criticized for giving hints to robbers, in fact, by his actions and contributions, he improved the security of the entire padlock industry.

Rogues are very keen in their profession, and know already much more than we can teach them.

Alfred Charles Hobbes, Locks and Safes: The Construction of Locks, London, 1853

As it became mainstream to track food origin in the food industry, tracking software origin through software bill of materials will expand from now on under the push of recent US decisions.

Dependency Track SaaS efficiently manage SBOM at all the application lifecycle stages.
We make your software supply chain transparent and improve your cyber security !

Contact us today