SBOMs are here, are you ready?
What is SBOM?
A software bill of materials (SBOM) is a structured list of underlying components that are included in a piece of software. The SBOM captures the hierarchical relationships between the components. Because each of these components has potential security implications independent of the software in which it is included, awareness of these sometimes-hidden components is critical to understanding the current and future cybersecurity vulnerabilities of any software.
An SBOM consists of at least the following items:
Software name, version and other identifiers.
Supplier name.
Dependency relationships, i.e. all the included software components.
Author and timestamp of SBOM data.
Usually the licenses of the included software components are also listed.
Why is it important?
An SBOM is important because it creates accountability and transparency for the software: it is essential to know what dependencies and components the software includes. The motivation is to be able to track efficiently whether the software is affected by any known vulnerabilities. Determining whether a vulnerability affects a certain software version is almost impossible if one does not know the exact components of that software.
An SBOM is also required for any software supplied to the US Federal Government under Executive Order 14028, "Improving the Nation's Cybersecurity".
How to create one?
Basically, an SBOM is created by tracking every component your software uses, and there are many tools that automate parts of this. The best option is to generate the SBOM at build time. When that is not possible, the software can be scanned at runtime or analysed statically. These later-stage methods are less certain to find everything than build-time generation, though several tools exist to scan deliverable container images and filesystems, e.g. Syft and Tern.
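The minimum items listed above, and the vulnerability-tracking use that motivates them, as an added example (not Omoroi's code or any tool from this page): it builds a minimal CycloneDX-style SBOM from a constructed component inventory and then walks the dependency graph to show which shipped components, including transitive ones, match an advisory list. All package names, versions, suppliers and advisory IDs are constructed placeholders.

```python
"""Build a minimal CycloneDX-style SBOM and match it against an advisory list.
Package names, versions, suppliers and advisory IDs here are constructed."""
from collections import deque
from datetime import datetime, timezone

# Constructed inventory keyed by package URL (purl):
# purl -> (name, version, supplier, license id, direct dependency purls)
INVENTORY = {
    "pkg:generic/app@1.0.0": ("app", "1.0.0", "Example Oy", "MIT", ["pkg:generic/libparse@2.3.1"]),
    "pkg:generic/libparse@2.3.1": ("libparse", "2.3.1", "Parse Project", "Apache-2.0", ["pkg:generic/libzip@0.9.0"]),
    "pkg:generic/libzip@0.9.0": ("libzip", "0.9.0", "Zip Project", "BSD-3-Clause", []),
}

def build_sbom(root, inventory, author, timestamp=None):
    """Return a CycloneDX 1.4-style dict covering the minimum SBOM items:
    name/version/identifier, supplier, dependency graph, author and timestamp."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    components, dependencies = [], []
    for purl, (name, version, supplier, lic, deps) in inventory.items():
        components.append({"type": "library", "bom-ref": purl, "name": name,
                           "version": version, "purl": purl,
                           "supplier": {"name": supplier},
                           "licenses": [{"license": {"id": lic}}]})
        dependencies.append({"ref": purl, "dependsOn": list(deps)})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"timestamp": ts, "authors": [{"name": author}],
                         "component": {"bom-ref": root, "name": inventory[root][0],
                                       "version": inventory[root][1]}},
            "components": components, "dependencies": dependencies}

def affected_components(sbom, advisories):
    """Map each purl named in `advisories` (purl -> advisory id) that is actually
    shipped to (advisory id, dependency path from the root component).
    Transitive hits are found by walking the recorded dependency graph."""
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:  # breadth-first walk, recording the first path to each node
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in paths:
                paths[dep] = paths[cur] + [dep]
                queue.append(dep)
    return {purl: (adv, paths[purl]) for purl, adv in advisories.items() if purl in paths}

if __name__ == "__main__":
    bom = build_sbom("pkg:generic/app@1.0.0", INVENTORY, "build-pipeline")
    # Constructed advisory list; in practice this comes from a vulnerability feed.
    print(affected_components(bom, {"pkg:generic/libzip@0.9.0": "ADV-0001"}))
```

The path returned for a hit is what the hierarchical relationships in the SBOM buy you: it tells you which direct dependency pulled the affected component in, and therefore where the fix has to happen.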
Why work with Omoroi on SBOMs?
Both the US and the EU are setting up new legislation regarding cyber security of ICT solutions and products. It is essential for companies to take this into account when designing new products that contain digital parts.
Omoroi’s team consists of experienced software consultants who have worked with product development units for years. We know all levels of the software development process and the pain relating to dependencies and versioning. Automation, integration with CI pipelines and controlled changes in software development are essential for leveraging the full potential of your SBOM process. At Omoroi, we have extensive expertise in implementing these in various organizations.
Contact us to talk more about SBOMs!