The Importance of Software Bill of Materials (SBOM) in Open Source Security

by Martin Gilje Jaatun (original article by Silje Marie Sørlien, available here)

According to a 2021 Linux Foundation survey, 98% of participants belonged to organizations that, in one way or another, used open-source components in their products. While building software with open-source tools or libraries has clear advantages, it also introduces vulnerabilities that can be challenging to monitor.

Today there are several tools and services that help monitor vulnerabilities in open-source components. They scan the source code, produce an overview of the project's dependencies, identify known vulnerabilities in them, and suggest mitigations where possible. They can also watch the vulnerability databases and notify the team when a new vulnerability is recorded against one of the project's dependencies. Such services are useful to the development team both during development and after release. However, this information is not available to users who do not have access to the source code, which makes it hard for them to find out what a piece of software actually contains and which vulnerabilities it may carry. The Software Bill of Materials (SBOM) was developed to make software content transparent to exactly those users.

Software Bill of Materials (SBOM)

A widely used analogy is that an SBOM is the software equivalent of the list of ingredients on a food product. An SBOM is a standardized, machine-readable list of the components, modules and libraries a piece of software is built from, intended to give transparency about dependencies even when the source code is not available to the user. The list can then be checked against vulnerability databases, for example with a service such as Snyk or a tool such as OWASP Dependency-Check.
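As an added example (not code from the original article or from any SBOM tool), the script below does the two things the paragraph describes: it builds a CycloneDX-style SBOM for a constructed application and then, as a consumer with no source access would, walks the dependency graph to see how deep each component sits and matches the identifiable components against a constructed vulnerability feed. The package names, versions, supplier names and advisory IDs are made up. The top-level field names (bomFormat, specVersion, metadata, components, dependencies, purl) are those of the real CycloneDX JSON format, the component fields are chosen to cover the NTIA minimum elements for an SBOM (supplier, component name, version, unique identifier, dependency relationship, author and timestamp), and the range check follows the OSV convention of half-open introduced/fixed version ranges.

```python
"""Build a minimal CycloneDX-style SBOM, walk its dependency graph and match
its components against a vulnerability feed. Added example: the package names,
versions, suppliers and advisory IDs are constructed, not real advisories."""
import json
from datetime import datetime, timezone

CYCLONEDX_SPEC = "1.4"


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version?qualifiers#subpath)
    into (type, name, version); a namespace stays part of the name."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers and subpath
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    ptype, _, name = body.partition("/")
    return ptype, name, version


def version_key(version):
    """Dotted-numeric versions only; enough for the constructed data here."""
    return tuple(int(part) for part in version.split("."))


def build_sbom(root, components, dependencies, author, timestamp=None):
    """Assemble a CycloneDX JSON document covering the NTIA minimum elements:
    supplier, name, version, unique identifier (purl), dependency
    relationships, author of the SBOM data and a timestamp."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    return {
        "bomFormat": "CycloneDX",
        "specVersion": CYCLONEDX_SPEC,
        "version": 1,
        "metadata": {"timestamp": timestamp, "authors": [{"name": author}], "component": root},
        "components": components,
        "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in dependencies.items()],
    }


def dependency_depth(sbom):
    """Breadth-first walk from the root; returns {bom-ref: depth}. Depth 0 is
    the product itself, 1 a direct dependency, 2 and deeper are transitive."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, [root]
    while queue:
        ref = queue.pop(0)
        for child in edges.get(ref, []):
            if child not in depth:            # first visit is the shortest path
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def missing_identifiers(sbom):
    """Components without a purl cannot be looked up in a vulnerability database."""
    return [c["name"] for c in sbom["components"] if not c.get("purl")]


def match_vulnerabilities(sbom, feed):
    """Match identifiable components against feed entries using OSV-style
    half-open ranges: affected if introduced <= version < fixed."""
    findings = []
    for comp in sbom["components"]:
        if not comp.get("purl"):
            continue
        ptype, name, version = parse_purl(comp["purl"])
        for adv in feed:
            if (adv["ecosystem"], adv["package"]) != (ptype, name):
                continue
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["purl"], "fixed": adv["fixed"]})
    return findings


# Constructed sample: an application with one direct library that pulls in a
# transitive library, plus a vendored helper that carries no package identifier.
ROOT = {"type": "application", "bom-ref": "example-app", "name": "example-app",
        "version": "1.0.0", "supplier": {"name": "Example Corp"}}
COMPONENTS = [
    {"type": "library", "bom-ref": "pkg:pypi/webframework@2.3.1", "name": "webframework",
     "version": "2.3.1", "purl": "pkg:pypi/webframework@2.3.1", "supplier": {"name": "Upstream A"}},
    {"type": "library", "bom-ref": "pkg:pypi/tmplengine@1.4.0", "name": "tmplengine",
     "version": "1.4.0", "purl": "pkg:pypi/tmplengine@1.4.0", "supplier": {"name": "Upstream B"}},
    {"type": "library", "bom-ref": "vendored-helper", "name": "vendored-helper", "version": "0.9"},
]
DEPENDENCIES = {"example-app": ["pkg:pypi/webframework@2.3.1", "vendored-helper"],
                "pkg:pypi/webframework@2.3.1": ["pkg:pypi/tmplengine@1.4.0"]}
FEED = [  # constructed advisories in the shape of OSV "introduced"/"fixed" events
    {"id": "EXAMPLE-2021-0001", "ecosystem": "pypi", "package": "tmplengine", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2020-0042", "ecosystem": "pypi", "package": "webframework", "introduced": "2.0.0", "fixed": "2.3.0"},
]


def demo():
    """Produce the SBOM, then do what a consumer without source access would do with it."""
    sbom = build_sbom(ROOT, COMPONENTS, DEPENDENCIES, author="build-pipeline", timestamp="2021-09-01T00:00:00+00:00")
    return sbom, dependency_depth(sbom), match_vulnerabilities(sbom, FEED), missing_identifiers(sbom)


if __name__ == "__main__":
    sbom, depths, findings, missing = demo()
    print(json.dumps(sbom, indent=2))
    print("depths:", depths, "\nfindings:", findings, "\nunidentifiable:", missing)
```

Running the script prints the SBOM as JSON, then the depth map, the single finding (the transitive template engine, which lies inside the affected range while the direct dependency is already past its fix version), and the vendored helper reported separately because without a purl a consumer has nothing to look up in any vulnerability database. That last case is the reason a unique identifier is on the list of minimum elements.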

In May 2021, President Joe Biden issued Executive Order 14028 on improving the nation's cybersecurity, which requires federal agencies to follow new guidance on software supply chain security: “… Such guidance shall include standards, procedures, or criteria regarding: … (vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;”. The order also directed the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration (NTIA), to publish the minimum elements of an SBOM within 60 days. In other words, there will be minimum requirements for what an SBOM must contain, at least in the US.

The Linux Foundation survey found that respondents lacked a common standard, so this could be the start of an industry-wide standard for SBOMs. Today there are three competing SBOM formats: SPDX from the Linux Foundation, CycloneDX from OWASP, and SWID tags as defined in ISO/IEC 19770-2.

Future outlook

In the same survey conducted by the Linux Foundation, participants noted that SBOMs have benefits beyond making it easier to monitor vulnerabilities related to application components. SBOMs can also increase awareness and understanding of risks associated with project dependencies and highlight the importance of managing vulnerabilities outside the development team.

FOSSA summarizes the survey with six points:

  1. The presidential order has had an effect.
  2. Software supply chain security requires multiple solutions.
  3. Security is not the only benefit of SBOM.
  4. It is still early in the development phase for SBOM.
  5. Machine readability and dependency depth are the most important needs for SBOM.
  6. “Open Source” is everywhere.

The original article concludes that the use of SBOMs is increasing and that the prospects for an industry-wide SBOM standard are promising. There are still shortcomings, however, in the choice of format, in how often an SBOM is regenerated, and in the depth of the dependency trees it captures. Some of these issues can be attributed to the SBOM concept still being relatively new.



Short bio: Martin Gilje Jaatun is a Senior Scientist at SINTEF Digital in Trondheim, Norway. He graduated from the Norwegian Institute of Technology (NTH) in 1992, and received the Dr.Philos degree in critical information infrastructure security from the University of Stavanger in 2015. He is an adjunct professor at the University of Stavanger, and is section chair/editor of the Springer Journal of Cloud Computing, associate editor of IEEE Industrial Electronics Magazine, and associate editor of the Journal of Cybersecurity and Privacy. Previous positions include scientist at the Norwegian Defence Research Establishment (FFI), and Senior Lecturer in information security at the Bodø Graduate School of Business. His research interests include software security, security in cloud computing, and security of critical information infrastructures. He is vice chairman of the Cloud Computing Association, vice chair of the IEEE Technical Committee on Cloud Computing (TCCLD), an IEEE Computer Society Distinguished Visitor, an IEEE Computer Society Distinguished Contributor, and a Senior Member of the IEEE.