
What Is a Software Bill of Materials (SBOM)?

Like the ingredients used in a recipe, a software bill of materials (SBOM) catalogues the various components that make up an application. It’s becoming increasingly common and is even mandated by the Biden Administration’s 2021 cybersecurity executive order for organizations that do federal business.

SBOMs play a critical role in managing dependencies, addressing security vulnerabilities, and fulfilling license compliance. This article explores what an SBOM is and the best practices for creating and maintaining one.

Definition

Today’s software applications are built from a complex mix of proprietary and open source components. When a vulnerability is discovered in a component, it can impact all applications using that component. This makes it vital for engineering leaders and CTOs to have visibility into their application’s components and libraries, and to ensure legal compliance and security.

SBOMs are a crucial tool to help with these goals, as they provide an inventory of the software components used in a product, including their licenses and versions. They also reveal any dependencies between components, which is important in assessing security vulnerabilities and licensing issues. For example, a vulnerable dependency can expose a whole software system to attack. SBOMs allow engineers to quickly assess and respond to these risks, preventing costly cyberattacks.

In addition to helping with visibility and licensing issues, SBOMs can also help identify a software project’s reliance on unsupported or unpatched components. This helps organizations ensure that their applications are safe from attackers who take advantage of vulnerabilities in third-party and open source software.

Managing these dependencies is challenging, however, as many organizations don’t have the proper tools to create and maintain SBOMs. FOSSA’s SBOM tools, such as CycloneDX and SPDX, are designed to be lightweight and easy to use for managing open source dependencies in a cybersecurity context.

Purpose

Like a Bill of Materials in manufacturing, the software bill of materials (SBOM) provides a complete inventory of all components that make up a given software application. This inventory helps organizations to identify license compliance and security risks within their software products. In addition, an SBOM can help to inform other security and supply chain practices.

While the concept of an SBOM is relatively new, it has quickly become an essential tool for software development teams. It is especially important in an era when many applications are built with a mix of custom-built code, commercial off-the-shelf software, and open source libraries. It’s difficult to keep track of the foundational code components in such a mixed environment without an effective SBOM.

The minimum requirements for an SBOM include the following elements:

Using a centralized, comprehensive software asset management system that supports a variety of data fields, including an SBOM, allows organizations to quickly and easily identify potential risks in their software product. For example, Balbix combines CVE and information from an SBOM to automatically identify and prioritize software component vulnerabilities for mitigation.

Additionally, an SBOM enables organizations to track the version of each component, which can be critical for ensuring that each component is not vulnerable to known exploits and is in line with the appropriate licensing terms. It also makes it easy to identify dependencies in a project and standardize the way that dependency information is recorded across different ecosystems.

Formats

Just as manufacturers use a Bill of Materials to record the components that go into their products, SBOMs help software developers keep track of the various third-party libraries and modules that make up an application. These components can be open source or commercial, and they can be publicly available or access-restricted. It’s important for these details to be documented, because it helps organizations identify any risky packages that could be exploited in cyber attacks.

A key goal of SBOMs is to provide visibility into the software dependencies that form an application, including API calls and versions. These elements can contain vulnerabilities that cybercriminals could exploit during a supply chain attack. The Biden Administration’s executive order on software vulnerability management recommends that organizations adopt a comprehensive, centralized way of tracking these dependencies. By incorporating an SBOM into the SDLC, they can reduce risks by giving developers rapid, easy access to these data points.

Ideally, an SBOM should be in a format that’s machine-readable and compatible with other tools and platforms. Popular formats like CycloneDX and SPDX can ensure compatibility, and they also allow for inclusion of additional data such as vulnerability information. SBOMs should also be updated frequently to account for changes in the content or version of a component. This can be achieved using a tag-based approach like SWID, which provides an identifier for each software component, a list of files, and cryptographic hashes to create a dependency tree.

Requirements

A software bill of materials (SBOM) is an inventory of all the constituent components and software dependencies that make up an application. SBOMs have become an important part of modern SDLC and DevSecOps processes. Using an SBOM, organizations can ensure that they have the right mix of third-party open source and proprietary software in their applications to reduce vulnerabilities and other risks.

A well-formatted SBOM should contain several key data points including the name of the component, its version number, and its other unique identifiers. It should also list the relationship between the component and its dependencies. This data is essential to identifying and tracking software components throughout the software supply chain, especially in the case of open source.

Finally, an SBOM should also contain a summary of the license requirements for each component. This is particularly important for open source software, which often comes with a variety of different licensing conditions. Without a clear picture of how the software is licensed, organizations may be at risk of violating their licenses and facing penalties.
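The data points described in this section can be checked mechanically. The following is an added example, not code from this article or from any vendor it names: it loads a constructed CycloneDX-style JSON document, reports components that lack a name, version, identifier or license, and walks the dependency relationships to list everything that relies on a given component. The component names are invented, and treating the package URL (`purl`) as the unique identifier is an assumption.

```python
import json

# Constructed sample: a minimal CycloneDX-style JSON SBOM (not from a real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "shop-api", "version": "2.1.0"}},
  "components": [
    {"bom-ref": "web", "name": "webframework", "version": "4.2.0",
     "purl": "pkg:pypi/webframework@4.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "tmpl", "name": "templater", "version": "1.0.3",
     "purl": "pkg:pypi/templater@1.0.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"bom-ref": "yaml", "name": "yamlparse", "version": "",
     "purl": "pkg:pypi/yamlparse", "licenses": []}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "yaml"]},
    {"ref": "web", "dependsOn": ["tmpl"]}
  ]
}
"""

# Data points this section asks for; purl stands in for "unique identifier" (assumption).
REQUIRED = ("name", "version", "purl", "licenses")

def missing_fields(sbom):
    """Map bom-ref -> list of required data points that are absent or empty."""
    gaps = {}
    for comp in sbom.get("components", []):
        absent = [f for f in REQUIRED if not comp.get(f)]
        if absent:
            gaps[comp.get("bom-ref", comp.get("name", "?"))] = absent
    return gaps

def dependents_of(sbom, target):
    """Every bom-ref that reaches `target` directly or transitively."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    seen, stack = set(), [target]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

sbom = json.loads(SBOM_JSON)
if __name__ == "__main__":
    print("incomplete components:", missing_fields(sbom))
    print("affected by templater:", sorted(dependents_of(sbom, "tmpl")))
```

A component with an empty version or license list cannot be matched against vulnerability or license data, so the first check is worth running before the SBOM is relied on for either purpose.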

Using a powerful software composition analysis tool like Balbix, it is possible to generate a complete SBOM for any given asset in a few minutes and then export the SBOM into popular configuration management database (CMDB) tools such as ServiceNow using industry-standard formats such as CycloneDX and SPDX. This allows for continuous assessment, prioritization and dispatch of vulnerable assets to be fixed.