The evolving landscape of cybersecurity, the implementation of Software Bills of Materials (SBOMs) is gaining importance as a strategy to enhance protection against supply chain cyberattacks. President Biden’s cybersecurity executive order, issued in May, has highlighted the need for improvements in software supply chain security, including mandating SBOMs for software vendors working with the federal government. SBOMs serve as a detailed list of the components that make up a software product, encompassing both open source and proprietary code.
The role of SBOMs is to provide clarity and transparency, enabling quicker identification and mitigation of vulnerabilities or updates within software. This proactive measure is particularly relevant in light of increasing complexity and sophistication in cyberattacks targeting supply chains. However, experts recognize that while SBOMs are beneficial, they are not a comprehensive solution, especially for legacy systems where implementing SBOMs may not be feasible.
Johannes Ullrich, dean of research at the SANS Institute, notes the limitations of SBOMs in addressing software development within legacy systems, suggesting that older code may never have a reasonable SBOM. Nonetheless, advancements in tools and standards, including initiatives by the National Institute of Standards and Technology (NIST) and industry efforts like CycloneDX, are paving the way for more widespread use of SBOMs in modern software development.
The executive order has tasked NIST with defining “critical software,” which will shape future regulations and standards. This definition will consider various factors, including the software’s access level, integration, and potential harm if compromised.
While SBOMs offer a way to enhance cybersecurity, their implementation presents challenges, such as increased costs and the need for scaling resources. Despite these hurdles, the expectation is that SBOMs will gradually become a norm in software development contracts, driven by customer demand and the evolving cybersecurity landscape.
The concept of SBOMs is not new, having been practiced internally by companies for years. However, its recent prominence and formalization in the cybersecurity field mark an important step towards higher accountability and transparency in software development. This shift mirrors the progression seen in other industries where product liability has become a standard consideration.
While SBOMs are a valuable tool in improving supply chain cybersecurity, they are part of a broader spectrum of cyber hygiene practices. The challenges of legacy code and the need for widespread adoption underscore that SBOMs are one piece of a larger puzzle in achieving a robust cybersecurity posture.
