Photo by Glenn Carstens-Peters on unsplash.com

Anyone working in technology knows that every handful of years we have a new set of buzzwords that, whether we like it or not, drive strategy, marketing and development. The last five years, we’ve seen the acronym “SBOM” get a great deal more focus. 

SBOM stands for “Software Bill of Materials,” and is a concept that often gets compared to the “nutrition facts” label we see on packaged goods in the grocery store. For software, it’s an accounting of all the components that went into making an application, and what other types of applications and software it can connect with. 

This is a high-level explanation, and the concept of the Software Bill of Materials is both more complex and rapidly evolving to be a lynchpin of cybersecurity for many companies, especially those in highly regulated industries.

Here are a few of the most common questions that we get about this concept:

What is SBOM?
For teams that develop software, it’s easy to introduce code components that have known vulnerabilities or other significant flaws because code is used and re-used so often, and brought in from open-source databases. A software bill of materials shows these teams where these vulnerabilities exist during the development process, making them easier to track and fix than if these findings are left to when the project is finished. SBOMs take many forms and there are several companies that produce software that can help visualize and monitor software components. 

Why is it important?
Regulators are increasingly interested in companies adopting SBOM because it has the potential to significantly strengthen the supply chain over all. Flaws in proprietary and open-source software, when used over and over again, can re-introduce significant design flaws many times, and these flaws are passed on to any clients that use the software. These code weaknesses have led to numerous high-profile breaches, including the Equifax breach and the Colonial Pipeline incident. Expect regulators to increase their focus on SBOM as supply chain security continues to grow in importance.

Can an SBOM help the attacker?
Some believe that SBOMs can serve as a roadmap to the cyberattacker but for the most part, these concerns are not warranted. Attackers can leverage information contained in SBOMs. However, the defensive benefits of transparency far outweigh this common concern as SBOMs actually serve as a “roadmap for the defender.”

All information is dual-edged, but insufficient software transparency affords attackers asymmetrical advantages. Attackers don’t need SBOMs. Mass, indiscriminate attacks like “WannaCry” serve to remind us that foreknowledge is not a prerequisite to cause harm. Attackers and their tools can more easily identify software components. Conversely, it is often quite challenging, disruptive, inefficient, and even unlawful for defenders to determine the same. Attackers of any single product can already find human-readable target components – licensing requirements have been increasingly requiring disclosure for decades.

SBOMs seek to level the playing field for defenders by providing additional transparency – at enterprise scale – with standard, machine-readable decision support.

How can I get started?
There are many vendors offering SBOM management products, but the U.S. government has also been conducting research and offering suggestions on how to best pursue a bill of materials. The National Telecom Industry Association has also created collaborative work through a multistakeholder process. The Cybersecurity and Infrastructure Security Agency within DHS held an “SBOM-a-rama” this past December, and hosts a number of resources on its homepage at cisa.gov/sbom.

---

Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.

John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.