When It Comes to SBOMs, Do You Know the Ingredients in Your Ingredients?

If you’re building software applications, you’re familiar — or should be familiar — with SBOMs, or software bills of materials. Think of an SBOM as the list of ingredients in your application. The urgency for organizations to create and maintain accurate SBOMs has increased in the wake of recent software supply chain vulnerabilities such as Log4Shell and Spring4Shell. What’s more, if you do business with the US government, an accurate and up-to-date SBOM is now a requirement, based on the May 2021 Executive Order issued by the White House in response to the far-reaching repercussions of the SolarWinds attack.

According to Gartner, “by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20% in 2022.” Gartner also acknowledges that “keeping software bills of materials (SBOMs) data in sync with corresponding software artifacts presents a key challenge.”1

Are organizations keeping pace with such market dynamics? A recent Tidelift survey shows that only 37% of organizations are aware of new government software supply chain requirements around security and SBOMs. Of these organizations, only 20% are using SBOMs for most or all applications today.

However, change is coming quickly: The vast majority of organizations — 78% — are either already using SBOMs in at least some applications or have plans to do so in the next year, according to the survey.

Open Source Complicates SBOM Matters

Developing SBOMs can be challenging, but if you are using open source components in your applications — as most modern software development teams do — then the process for building an SBOM and keeping it up to date becomes even more complex because of the impact of transitive dependencies.

Transitive dependencies, the open source components that your direct open source dependencies themselves rely on, can be difficult to track down. For example, many organizations affected by Log4Shell weren’t immediately aware of their exposure because it came through transitive dependencies. It is therefore critical that your SBOM identifies not only direct open source dependencies but also transitive dependencies.

In addition, because developers are constantly committing code to deliver enhanced functionality to applications, it is critical that SBOMs are dynamic, capturing changes to the open source components up and down the open source software supply chain.
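The two points above, resolving the full transitive dependency tree rather than just the direct one, and re-deriving the SBOM as the code changes, can be shown with a small dependency walker. The following Python is an added example, not code from the article or from any SBOM tool; the dependency graphs, package names and versions in it are constructed (the "logging-core" package stands in for the kind of logging library that reached applications only through a framework during Log4Shell), and the `build_sbom`, `find_exposure` and `diff_sboms` functions are hypothetical helpers written for this illustration.

```python
"""Resolve direct and transitive dependencies into an SBOM-style component
list, trace how a component was introduced, and diff two snapshots.
Added illustration: every graph below is constructed, not a real project."""
from collections import deque

# Constructed dependency graph for a hypothetical application "app".
# Each key is "name@version"; the value lists the components that package
# declares directly. No real project or real package versions are described.
GRAPH_V1 = {
    "app@1.0.0": ["web-framework@4.1.0", "json-lib@2.0.3"],
    "web-framework@4.1.0": ["logging-core@2.14.1", "http-client@1.9.0"],
    "json-lib@2.0.3": [],
    "logging-core@2.14.1": [],
    "http-client@1.9.0": ["logging-core@2.14.1"],
}

# Second constructed snapshot, taken after a developer bumped the framework:
# the new framework pulls a newer logging library and no longer needs http-client.
GRAPH_V2 = {
    "app@1.0.0": ["web-framework@4.2.0", "json-lib@2.0.3"],
    "web-framework@4.2.0": ["logging-core@2.17.1"],
    "json-lib@2.0.3": [],
    "logging-core@2.17.1": [],
}


def split_ref(ref):
    """'name@version' -> ('name', 'version')."""
    name, _, version = ref.rpartition("@")
    return name, version


def build_sbom(graph, root):
    """Walk the graph breadth-first from the application root and return one
    entry per reachable component: name, version, whether the application
    declares it directly, its depth, and the shortest chain of components
    through which it is introduced (only one shortest path is recorded)."""
    sbom = {}
    queue = deque([(root, [])])
    seen = {root}
    while queue:
        ref, chain = queue.popleft()
        for dep in graph.get(ref, []):
            if dep in seen:
                continue
            seen.add(dep)
            name, version = split_ref(dep)
            via = chain + [ref]  # components from root down to dep's parent
            sbom[dep] = {
                "name": name,
                "version": version,
                "direct": ref == root,
                "depth": len(via),
                "introduced_via": [split_ref(r)[0] for r in via[1:]],
            }
            queue.append((dep, via))
    return sbom


def find_exposure(sbom, component_name):
    """Return the SBOM entries for a component name. For a transitive
    component, introduced_via tells you which direct dependency pulled it in,
    which is the dependency you would have to update or replace."""
    return [e for e in sbom.values() if e["name"] == component_name]


def diff_sboms(old, new):
    """Compare two SBOM snapshots by component name and report what was
    added, removed or changed version, so the SBOM can be regenerated and
    reviewed on every commit rather than maintained by hand. Assumes one
    version per component name, which is true of the constructed graphs."""
    old_by_name = {e["name"]: e["version"] for e in old.values()}
    new_by_name = {e["name"]: e["version"] for e in new.values()}
    added = sorted(set(new_by_name) - set(old_by_name))
    removed = sorted(set(old_by_name) - set(new_by_name))
    changed = sorted(
        (n, old_by_name[n], new_by_name[n])
        for n in set(old_by_name) & set(new_by_name)
        if old_by_name[n] != new_by_name[n]
    )
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    sbom_v1 = build_sbom(GRAPH_V1, "app@1.0.0")
    for ref, entry in sorted(sbom_v1.items()):
        how = "direct" if entry["direct"] else "transitive via " + " -> ".join(entry["introduced_via"])
        print(f"{ref}: {how}")
    # Which direct dependency brought in the logging library?
    print(find_exposure(sbom_v1, "logging-core"))
    # What changed once the developer bumped the framework?
    print(diff_sboms(sbom_v1, build_sbom(GRAPH_V2, "app@1.0.0")))
```

In the first snapshot `logging-core` never appears in the application's own dependency list; it is reachable only through `web-framework`, which is exactly the situation the Log4Shell paragraph describes. A lockfile or package-manager resolver would replace the constructed graph in practice, and a real SBOM would also carry hashes and identifiers for each component, but the walk and the diff are the parts that keep the "ingredients of your ingredients" visible.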

Conclusion: Get a Handle on SBOMs

To ensure the integrity of software supply chains, the use of SBOMs will become more common — and will often be required. To ensure that your organization is delivering accurate and up-to-date SBOMs for the applications it develops and delivers, it’s important to get a handle not just on your list of ingredients, but also the ingredients your ingredients are using.

1 Gartner, “Innovation Insight for SBOMs,” Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
