Mandating Software Bill of Materials Will Enable Better Supply Chain Risk Management

Over the past year, governments on both sides of the Atlantic have been pushing for greater awareness regarding the importance of Software Bills of Materials (SBOMs). In the United States, the SBOM effort is spearheaded by the Cybersecurity & Infrastructure Security Agency and the White House, and in Europe, the effort is spearheaded by the EU Cyber Resilience Act. The goal is to make product developers and device manufacturers accountable for the components that make up their products. More than that, SBOM will allow for better product security, thus the growing interest by governments in mandating its use through policy and regulation.

An SBOM will have to list known vulnerabilities associated with each component (open source and third party), pushing security rights to the forefront of product development. This visibility will allow for product development teams, DevOps, and implementers to address vulnerabilities and thereby strengthen security. Furthermore, the SBOM can serve to help with patching and remediation once in use. Ultimately, the goals are to address the issue of supply chain attacks in the IT industry, which has become a significant threat for modern enterprises (e.g., Kaseya, SolarWinds), and to create a more resilient supply chain that can react faster to incidents.

Currently, SBOM generation is not standardized, and there are plenty of inconsistencies and variations that risk making the effort more cumbersome than useful from a security perspective. The industry is still focused on developing SBOM-generating tools, but less focus has been placed on making them homogenous. In addition, dynamic SBOMs (e.g., those that may be generated for cloud assets) will have to change frequently to reflect the current composition of that asset; this also risks bogging down the SBOM with too much information.

Finally, in order for SBOMs to be trustworthy, they will need to go through auditing. This ties back to the need for standardization, so that the SBOM can be assessed in terms of being fit-for-purpose and complying with particular standards. Therefore, the need exists to develop a common framework around SBOM generation and assessment. Policy mandates, in this regard, will be a significant driver for these developments.

While there is little doubt that SBOMs can strengthen cybersecurity, it is also important to understand that they can provide much more than that—better product quality and higher efficiency around updating and patch management. There is some pushback today that argues against undue government interference, asserting it will simply add to production costs and create new liabilities for developers and manufacturers. But, ultimately, the industry will have to face growing demands for transparency, and not just from governments. Consumers are increasingly aware of the issues surrounding product insecurity, and demand more information and visibility into the components that make up their everyday purchases. In a way, other legislation around Internet of Things (IoT) product security, such as labeling or data protection, will push demand for SBOMs, and naysayers will be increasingly hard-pressed to ignore SBOMs. The future is for security through accountability, and this cannot be accomplished without transparency. SBOMs, and similar technologies, are here to stay and the doubters need to get on board or risk their markets.