Benefits of Software Bill of Material

In May 2021, the US government mandated that software suppliers selling to the government include a Software Bill of Material (SBOM) with their software. The requirement was introduced to counter the rise in supply chain attacks, which increased by 650% between 2020 and 2021. Modern software typically includes open-source components that vendors do not disclose, leaving the software supply chain opaque to the organizations that depend on it.

An SBOM is a formal inventory of the components and dependencies that make up a piece of software, including the modules, packages, and libraries used in its development. SBOMs have become a critical building block of software supply chain risk management and cybersecurity programs: they let organizations measure risk and respond quickly to attacks, provide transparency, and reduce exposure to supply chain attacks.

To be accepted, an SBOM must carry seven required data elements: supplier name, component name, version number, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp. It must also use a standardized format such as SPDX, CycloneDX, or SWID tags.

Third-party SBOM tools such as Fortify Debricked and Fortify Sonatype Nexus offer a centralized inventory and real-time tracking of vulnerabilities. They help identify new vulnerabilities before the vendor can provide a disclaimer or patch, giving organizations greater transparency and visibility into their software components. Overall, adopting SBOMs is a significant step towards transparency in the software supply chain, mitigation of supply chain attacks, and stronger cybersecurity.
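As an added example (not code from the original post), a small Python checker that verifies a CycloneDX JSON document carries the seven minimum elements listed above. The SBOM content is constructed sample data; the field names (`metadata.timestamp`, `metadata.authors`, `supplier`, `purl`, `cpe`, `dependencies`) are CycloneDX's own.

```python
import json

# Constructed CycloneDX 1.5 document (sample data, not any real product's SBOM).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "example build pipeline"}],
        "component": {"type": "application", "bom-ref": "app", "name": "example-app",
                      "version": "2.0.0", "supplier": {"name": "Example Corp"}},
    },
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "liba", "version": "1.2.3",
         "supplier": {"name": "Example Vendor"}, "purl": "pkg:pypi/liba@1.2.3"},
        # Deliberately incomplete: no supplier, no purl/cpe, and no dependencies entry.
        {"type": "library", "bom-ref": "lib-b", "name": "libb", "version": "4.5.6"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": []},
    ],
}


def check_minimum_elements(sbom) -> list[str]:
    """Check a CycloneDX JSON string or dict; returns one finding per missing element."""
    bom = json.loads(sbom) if isinstance(sbom, str) else sbom
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing (SBOM timestamp)")
    if not meta.get("authors"):
        findings.append("metadata.authors missing (author of SBOM data)")
    declared = set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        declared.add(ref)
        for field in ("name", "version"):          # component name, version number
            if not comp.get(field):
                findings.append(f"{ref}: {field} missing")
        if not (comp.get("supplier") or {}).get("name"):  # supplier name
            findings.append(f"{ref}: supplier name missing")
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):  # other unique identifiers
            findings.append(f"{ref}: unique identifier (purl/cpe/swid) missing")
    # Dependency relationship: every declared component needs its own entry,
    # even a leaf with an empty dependsOn list.
    refs_with_entry = {d.get("ref") for d in bom.get("dependencies", [])}
    for ref in sorted(declared):
        if ref not in refs_with_entry:
            findings.append(f"{ref}: no dependency relationship entry")
    return findings
```

Running `check_minimum_elements(SAMPLE_SBOM)` reports the three gaps in `lib-b`; an empty list means the document satisfies all seven elements.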
