What is a Software Bill of Materials?
A Software Bill of Materials (SBOM) is a detailed list of all the components, modules, and libraries that make up a piece of software. An SBOM provides transparency into the provenance and pedigree of software.
Just like an ingredients list for a prepared food item, an SBOM lists all the ingredient components that are assembled together to make the software. It enumerates the exact versions and details of each component.
An example SBOM may look like:
Application 1.0
- Library X 2.4.1
- Framework Y 1.3
- Module Z 0.2
The goal of an SBOM is to provide a standardized and universal method to capture and share the details of software components.
Why are SBOMs important?
SBOMs enable transparency and accountability in software. They are critical for improving software security, integrity, and supply chain visibility.
Some key benefits of SBOMs include:
-
Vulnerability management – An SBOM makes it easy to identify all software components and scan them for vulnerabilities. When a new CVE is disclosed, an SBOM can help pinpoint its presence in software.
-
License compliance – An SBOM lists all open source components and their licenses. This helps ensure license compliance during software development and distribution.
-
Supply chain integrity – By listing all third-party components, an SBOM enables assessment of the trustworthiness and security of the software supply chain.
-
Patch management – An SBOM aids in patching efforts by identifying all components needing updates when new fixes for vulnerabilities are released.
-
Composition analysis – An SBOM provides insight into software architecture, dependencies, and interactions between components.
Overall, SBOMs promote software assurance, integrity, and provenance. Just as food suppliers must share ingredients and nutrition labels, SBOMs enable software suppliers to share component details with users.
SBOM Standards and Initiatives
Several standards and initiatives around SBOMs have emerged:
-
The CycloneDX and SPDX standards provide specifications and schemas for creating SBOMs. They help define the data elements an SBOM should contain.
-
NTIA’s minimum SBOM elements guidance outlines core fields like component name, version, and dependencies that an SBOM should cover.
-
The US Executive Order and related NIST regulations will soon require vendors to provide SBOMs for software sold to federal agencies. This demonstrates the importance of SBOMs for software assurance.
-
Open source tools like syft and source-scan assist in generating SBOMs from application source code and binaries.
Overall, SBOM adoption is accelerating across industry and government due to these standards and policies.
SBOM Challenges
Some key challenges remain around SBOM generation and consumption:
-
Scanning binaries and embedded software to create complete SBOMs can be difficult.
-
Determining the ideal depth and scope of an SBOM – too high-level loses detail, too granular becomes unusable.
-
Normalizing SBOMs from disparate sources into a standard format for consumption.
-
Handling the scale of data as SBOMs grow very large for complex software.
-
Conveying SBOM data in a machine-readable format while keeping it human-readable.
-
Getting widespread adoption across the software ecosystem.
However, these are surmountable challenges. Momentum is growing for SBOMs and over time tooling and standards will advance to address these gaps.
The Future with SBOMs
Widespread SBOM adoption will enable exciting new opportunities:
-
Automated vulnerability analysis by scanning SBOM data at scale.
-
Software supply chain ratings based on component pedigree and security.
-
SBOM as code where SBOMs become part of CI/CD pipelines.
-
Universal Bill of Materials (UBOM) covering hardware, firmware, and software.
-
SBOM as the “ingredient list” for software – empowering consumers and driving transparency.
Overall, the future with SBOMs is one where software transparency, security, and integrity are the norm rather than the exception. As an industry, we must continue working to make SBOMs ubiquitous.
