The Need for the Software Bill of Materials

Every day new vulnerabilities are being discovered, some of them showing up on social media, which causes open source program offices and security teams to start querying their inventories to see how the Free and Open Source components they use may impact their organizations. Frequently, this information is not available in a consistent format within an organization for automated querying, and the result is a significant amount of email and manual effort.

Of course there are other ways to manage this, and of course the problem is not limited to Free and Open Source components. Non-open-source components can equally be vulnerable to exploitation, whether covert or publicly known.

By exchanging software metadata in a standardized software bill of materials (SBOM) format between organizations, automation within an organization becomes simpler, accelerating the discovery process and uncovering risk so that mitigations can be considered quickly. The definition of what a minimum SBOM consists of has been agreed upon as part of a multi-stakeholder group hosted by the National Telecommunications and Information Administration (NTIA). The NTIA continues to gather information on what should be included in an SBOM as part of the recent cybersecurity executive order released on May 12, 2021.

In the last year, we’ve also seen standards like OpenChain (ISO/IEC 5320:2020) gain adoption in the supply chain. Customers have started asking for a bill of materials from their suppliers as part of negotiation and contract discussions to conform to the standard. OpenChain focuses on ensuring that there is sufficient information for license compliance, and as a result expects metadata for the distributed components as well. A software bill of materials can be used to support the systematic review and approval of each component’s license terms, clarifying the obligations and restrictions as they apply to the distribution of the supplied software and thus reducing risk.

Having an accurate view of the software being imported and used in systems has become increasingly important as we see more vulnerabilities emerge in the supply chain. By generating a Software Bill of Materials (or SBOM), we’re able to help with efficient analysis for security, licensing, and other use cases.

This is an introductory course designed for directors, product managers, open source program office staff, security professionals, and developers.

This course will give you foundational knowledge about the options and the tools available for generating SBOMs, and will help you understand the benefits of adopting SBOMs and how to use them to improve your ability to respond to cybersecurity needs.