Most software depends on third-party components (libraries, executables, or source code), but there is very little visibility into this software supply chain. It is common for software to contain numerous third-party components that have not been sufficiently identified or recorded. Software vulnerabilities are both the byproduct of the human process of developing software and the increasingly frequent target of attacks on the software supply chain. If users don’t know what components are in their software, they don’t know when they need to patch. They have no way to know whether their software is potentially vulnerable to an exploit because of an included component – or even whether it contains a component that comes directly from a malicious actor.
This lack of systemic transparency into the composition of software across the entire digital economy contributes substantially to cybersecurity risks as well as the costs of development, procurement, and maintenance. The solution we have been exploring is known as a software bill of materials (SBOM) – a “list of ingredients” in software. An SBOM is a formal record containing the details and supply chain relationships of various components used in building software. Greater transparency allows earlier identification (and mitigation) of potentially vulnerable systems, supports informed purchasing decisions, and incentivizes secure software development practices. Knowing the “ingredients” of software installed on any system or device can save hundreds of hours in the risk analysis, vulnerability management, and remediation processes.
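As an added illustration of what an SBOM makes possible (this is example code written for this page, not material from the talk or from any SBOM tool), the script below loads a small, constructed SBOM that records components and their dependency relationships in a simplified CycloneDX-like shape, matches the components against a constructed advisory list, and then walks the dependency graph upward to report which top-level product is affected through a transitive dependency. All component names, versions, and advisory identifiers are invented placeholders; the version comparison assumes purely numeric dotted versions.

```python
"""Use an SBOM's component list and dependency graph to answer "which of my
products is affected by this advisory?"

Constructed example for illustration only: the SBOM, component names,
versions and advisory identifiers below are invented and do not refer to
any real product or vulnerability. The SBOM shape is a simplified subset
loosely modelled on CycloneDX (components + dependencies), not the spec.
"""
import json
from collections import defaultdict

# Constructed SBOM: one top-level application, two direct dependencies and
# one transitive dependency pulled in by libnet.
SBOM_JSON = """
{
  "components": [
    {"ref": "app@2.1.0",         "name": "app",         "version": "2.1.0"},
    {"ref": "libparse@1.4.2",    "name": "libparse",    "version": "1.4.2"},
    {"ref": "libnet@3.0.1",      "name": "libnet",      "version": "3.0.1"},
    {"ref": "libcompress@0.9.8", "name": "libcompress", "version": "0.9.8"}
  ],
  "dependencies": [
    {"ref": "app@2.1.0",         "dependsOn": ["libparse@1.4.2", "libnet@3.0.1"]},
    {"ref": "libnet@3.0.1",      "dependsOn": ["libcompress@0.9.8"]},
    {"ref": "libparse@1.4.2",    "dependsOn": []},
    {"ref": "libcompress@0.9.8", "dependsOn": []}
  ]
}
"""

# Constructed advisories: affected range is [introduced, fixed). The ids are
# placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libcompress", "introduced": "0.9.0", "fixed": "0.9.9"},
    {"id": "ADV-EXAMPLE-0002", "name": "libparse",    "introduced": "2.0.0", "fixed": "2.0.3"},
]


def parse_version(v):
    """Assumption: versions are purely numeric dotted strings (e.g. 1.4.2)."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Return (components by ref, adjacency list of ref -> [dependency refs])."""
    doc = json.loads(text)
    comps = {c["ref"]: c for c in doc["components"]}
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in doc["dependencies"]}
    # A component with no dependency record is treated as a leaf; in a real
    # SBOM that gap is itself a finding (incomplete inventory).
    for ref in comps:
        deps.setdefault(ref, [])
    return comps, deps


def vulnerable_components(comps, advisories):
    """Map each component ref to the advisory ids whose range covers its version."""
    hits = {}
    for c in comps.values():
        v = parse_version(c["version"])
        for a in advisories:
            if a["name"] != c["name"]:
                continue
            if parse_version(a["introduced"]) <= v < parse_version(a["fixed"]):
                hits.setdefault(c["ref"], []).append(a["id"])
    return hits


def reverse_deps(deps):
    """Invert the graph so we can walk from a dependency up to whatever includes it."""
    rev = defaultdict(list)
    for parent, children in deps.items():
        for child in children:
            rev[child].append(parent)
    return rev


def affected_products(comps, deps, hits):
    """For every vulnerable component, climb to each root (a component nothing
    depends on, i.e. a shipped product) that transitively includes it."""
    rev = reverse_deps(deps)
    roots = {ref for ref in comps if ref not in rev}
    result = defaultdict(set)  # product ref -> {(vulnerable ref, advisory id)}
    for vref, adv_ids in hits.items():
        stack, seen = [vref], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if cur in roots:
                for aid in adv_ids:
                    result[cur].add((vref, aid))
            stack.extend(rev.get(cur, []))
    return {product: sorted(findings) for product, findings in result.items()}


def analyze(sbom_text, advisories):
    comps, deps = load_sbom(sbom_text)
    return affected_products(comps, deps, vulnerable_components(comps, advisories))


if __name__ == "__main__":
    for product, findings in analyze(SBOM_JSON, ADVISORIES).items():
        for vref, aid in findings:
            print(f"{product} is affected via {vref} ({aid})")
```

In the constructed data, `app` never lists `libcompress` directly; only the recorded `libnet -> libcompress` relationship lets the script connect the advisory to the shipped product, which is exactly the visibility the paragraph above says is missing without an SBOM. `libparse` 1.4.2 falls outside its advisory's range and is correctly left out.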
This presentation will share the vision of SBOM from an international open process that brought together open source and commercial software developers, the embedded systems and ICS community, and enterprise customers, demonstrating the value of supply chain transparency at each step of the supply chain. It will cover the basics of SBOM, how you can begin implementing it today, and what we might expect in the coming years for software supply chain security and software assurance.