The Role of Software Bills of Materials (SBOMs) in Cybersecurity

CYRIN Newsletter

If you’ve worked in engineering or manufacturing, you’re already familiar with a bill of materials, or BOM: “a list of all the parts needed to manufacture a specific product – from raw materials to subcomponents and everything in between, along with quantities of each one needed to correctly finish that product.”

In the cyber world, a Software Bill of Materials or SBOM is essentially an ingredient list for software, detailing every component, library, and module that makes up a software product. The detailed inventory provided by an SBOM lists all software components and dependencies used in a particular product or system, including those contributed by third-party suppliers and vendors. An SBOM acts as a critical element in risk management and governance; each binary component can be thoroughly assessed, and everything is accounted for. Because SBOMs catalog and verify information about code provenance and the various relationships between components, software engineering teams are better equipped to detect malicious attacks during development and deployment or quickly resolve them before chaos ensues.

Full transparency of all the “ingredients” in software—including source and progeny—is vital, particularly in the realm of cybersecurity, where the landscape is always changing, and new vulnerabilities are always popping up. This is particularly important given that open-source software (OSS), which is constantly being updated, is increasingly utilized across government, industries, and private companies. Information from the annual survey in the Synopsys Open Source Security and Risk Analysis Report indicated that of 1,067 commercial codebases surveyed, 96% contained open-source components, meaning it is not a “closed door” environment and could be more easily compromised. In addition, 84% of these codebases had at least one known open-source vulnerability and 53% contained license conflicts.

Understanding what's in the software you deploy is analogous to checking a food label. According to a McKinsey article: “An SBOM is like the nutritional label on a cereal box—it lists the ingredients inside, highlighting content that may be harmful to some, such as gluten and peanuts. In the world of IT, an SBOM is a formal, machine-readable inventory of software components and dependencies (which result from combining various OSS components, third-party code, and code developed in-house), technical information about those components, and the code’s ‘hierarchical relationships.’” In short: Know what’s in your food. Know what’s in your software.

Importance for open-source software utilization

The need for SBOMs has surged alongside the proliferation of open-source software, which is here to stay. “Open source,” however, is more open than even the name suggests; because it’s free and able to be used as a building block, it is not a closed loop, making it more open to malicious actors and requiring greater vigilance in terms of constantly updating the different versions.

Vivek Bhandari, VP of Product Marketing for Tanium, explained that open-source components have fueled unprecedented innovation and productivity in software development. Developers can now "pick and assemble" components, much like choosing ingredients for a recipe, integrating these into custom applications. However, with this ease and flexibility comes the heightened risk of vulnerabilities sneaking into the software supply chain. SBOMs “improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains.”

Government involvement and intervention

SBOMs have become more widely recognized as vital in cybersecurity since May 2021, when the Biden administration emphasized SBOMs in an executive order as a wake-up call for organizations to boost their cybersecurity and enhance software supply chain security. Of particular emphasis in that executive order, issued in response to the SolarWinds and later Log4j exploits, was the mandate to enhance software supply chain security and, more specifically, the introduction of the Software Bill of Materials.

Because software packages include extensive third-party components, the federal government mandated SBOMs, with the National Telecommunications and Information Administration (NTIA) outlining the minimum elements that must be included. These elements are split into three categories: data fields, automation support, and practices and processes. Knowing the source of each component makes it easier to identify and mitigate potential security risks and leads to greater resilience. The U.S. government now requires all of its software suppliers to provide SBOMs for their products. With this mandate in place for federal contracts, businesses and industries are also requiring an accounting of all components. The rising importance and implementation of SBOMs may also affect brand reputation, customer trust, and competitive advantage for software vendors, which will in turn influence market trends.

Strengths and weaknesses

Given the increasing use of open-source libraries and third-party code in today’s software products, the clearest strength of SBOMs is that organizations holding them responded faster when vulnerabilities were detected. For example, a zero-day was identified in the widely used open-source Java logging library Log4j in December 2021. Once the vulnerability was uncovered, security leaders had to work quickly to identify applications using the affected library. Organizations with SBOMs had shorter response times because they could map applications to the vulnerable dependency.
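The dependency-mapping step described above, as an added example that is not code from the newsletter or from any vendor it cites: the script searches a set of CycloneDX-style SBOMs for one Maven component below a fixed-in version and reports which applications carry it. The three SBOM documents, the application names and the 2.15.0 threshold are constructed assumptions for illustration; an analyst would take the coordinates and threshold from the vendor advisory.

```python
"""Triage one vulnerable dependency across a fleet of CycloneDX SBOMs.
Added example, not from the newsletter: the SBOMs are constructed inline and
the vulnerable coordinates / fixed-in version are assumed advisory inputs."""
import itertools

# Constructed CycloneDX-style SBOMs for three hypothetical applications.
SBOMS = [
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "billing-api", "version": "3.2.0"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.14.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
         {"type": "library", "name": "jackson-databind", "version": "2.13.0",
          "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "inventory-svc", "version": "1.8.4"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.17.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    {"bomFormat": "CycloneDX", "specVersion": "1.4",
     "metadata": {"component": {"name": "legacy-report", "version": "0.9"}},
     "components": [  # Log4j 1.x is a different artifact: coordinates must not match
         {"type": "library", "name": "log4j", "version": "1.2.17",
          "purl": "pkg:maven/log4j/log4j@1.2.17"}]},
]

def parse_purl(purl):
    """Split a package URL into (coordinates, version), dropping qualifiers/subpath."""
    body = purl.split("#", 1)[0].split("?", 1)[0]
    coords, sep, version = body.rpartition("@")
    return (coords, version) if sep else (body, "")

def version_key(version):
    """Numeric-prefix tuple for ordering. Pre-release tags (-rc1, -beta9) are
    ignored, so production tooling should use a real version parser."""
    return tuple(int("".join(itertools.takewhile(str.isdigit, seg)) or 0)
                 for seg in version.split("."))

def find_affected(sboms, vulnerable_coords, fixed_in):
    """Return {application name: [vulnerable versions]} across the SBOM set."""
    floor = version_key(fixed_in)
    hits = {}
    for sbom in sboms:
        app = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            coords, version = parse_purl(comp.get("purl", ""))
            if coords == vulnerable_coords and version_key(version) < floor:
                hits.setdefault(app, []).append(version)
    return hits
```

Calling `find_affected(SBOMS, "pkg:maven/org.apache.logging.log4j/log4j-core", "2.15.0")` returns only `billing-api`; the patched service and the Log4j 1.x application are correctly excluded because the match is on exact coordinates, not on the bare name.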

Data sharing and data exchange standardization have influenced the success of SBOMs, as they deliver the greatest value when everyone in the supply chain adheres to the same standards. Achieving this consensus may take a while, however, due to the volume of software and tools that are already in use or emerging.

Another challenge comes with adaptability, as SBOMs are not static documents. Every new release of a component must include a new SBOM, and there is a huge risk in releasing and consuming new components without corresponding SBOM changes. However, it’s predicted that those software engineers who adopt and integrate SBOMs into their best practices will also reap the benefits of those practices including increased security.

Securing the supply chain

Governments and regulators have become increasingly concerned about software supply chain security following vulnerabilities like Log4Shell and the enormous SolarWinds breach of 2020, prompting President Biden’s May 2021 executive order, followed by the U.S. Senate’s introduction of a bill for the Securing Open Source Software Act of 2022 in September of that same year.

SBOMs play a crucial role in supply chain security. According to Doug Dooley, writing for Devops.com, recent large-scale supply chain attacks have highlighted the need for SBOMs “as a proactive and preventive measure,” and greater adoption of SBOMs has been influenced by “customer demands and market pressure.”

What does the future hold for SBOMs?

SBOMs will see increased adoption throughout critical infrastructure such as energy, utilities, healthcare, manufacturing, telecommunications and government. The most immediate impact will be in the public sector. This is especially true in U.S. federal departments and agencies, where NIST guidelines require suppliers of software products and services to support SBOMs using standard data formats. Software engineering leaders who adopt and integrate SBOMs throughout the software development lifecycle (SDLC) will reap the benefits of increased visibility, transparency, and security, especially as open-source code use continues to increase.

According to a new survey, the global SBOM market is projected to grow exponentially, increasing from $427.3 million in 2022 to $4.24 billion in 2029, a projected compound annual growth rate (CAGR) of 31.4% over that period.

While the U.S. government has highlighted the importance of SBOMs, the Cybersecurity and Infrastructure Security Agency (CISA) has also offered guidance that emphasizes the importance of SBOMs for crucial risk management, urging organizations and industries to adopt them to trace vulnerabilities swiftly, understand complex software dependencies, and respond to incidents with speed and agility.

With organizations responsible for their software development chains — proprietary, open-source and third-party code alike — security and risk management leaders are seeking solutions that not only help mitigate product security risk and supply chain risk, but also shorten time-to-market, automate incident response, and assist with compliance requirements, according to Gartner’s 2022 Innovation Insight for SBOMs Report. “SBOMs represent a critical first step in discovering vulnerabilities and weaknesses within your products and the devices you procure from your software supply chain,” write report authors Manjunath Bhat, Dale Gardner and Mark Horvath. SBOMs allow organizations to “de-risk” the vast amounts of code they create, consume, and operate.

According to Gartner, by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice. That reflects an increase of roughly 20% compared to 2022. Additionally, the Linux Foundation Research team revealed that 78% of organizations expect to produce or consume SBOMs in 2022 — up 66% from 2021.

Looking ahead, the SBOM landscape is also poised to evolve with advancements in AI and machine learning, potentially predicting and mitigating risks before they emerge. It could be an exciting time with SBOMs at the forefront of the cybersecurity evolution. SBOMs serve as a critical tool, empowering and enabling organizations to make informed decisions about their software components, leading to the construction of more secure, compliant and resilient products and services.

Potential role in fighting cybercrime worldwide

In both public and private sectors, cyberattacks are now all too commonplace. In the second half of 2022, the number of intrusions against government sectors jumped by 95% when compared to the same period in 2021. It is anticipated that the global economic impact of cyberattacks will rise dramatically from $8.44 trillion in 2022 to $23.84 trillion in 2027.

With this global annual cost of cybercrime topping $6 trillion in 2021, digital products are increasingly under scrutiny for their vulnerability to cyberattacks.

To address this, on September 15, 2022, the European Commission published a proposal for adopting regulations on cybersecurity requirements for products with digital elements, also known as the Cyber Resilience Act (CRA). Pointing to various devastating attacks – including the WannaCry ransomware worm that infected 200,000 computers across 150 countries and the Kaseya VSA supply chain attack that affected over 1,500 organizations – the proposal acknowledges that the expanding and borderless nature of attacks means that a wide, international, coordinated governmental response is required, particularly given the global reach of the software market. One major strategy relating to impending reporting obligations stands out for the EU: the importance of a software bill of materials (SBOM) in the CRA. The EU will expect due diligence and compliance from manufacturers, developers, and vendors, and SBOMs will be a critical tool in meeting the requirements of the Act.

Future trends

Based on trends in politics, the history of cybersecurity and our own industry experience, and borrowing from a short list of items seen in a blog from MergeBase, here are some future events that might transpire as SBOMs become more commonplace.

Highly regulated industries will be the SBOM early adopters. Regulators and policymakers are keen to keep vital parts of commercial and societal infrastructure secure.

Other critical infrastructure industries will only adopt SBOM when required. Not every critical infrastructure industry sees an airtight SBOM as a critical business priority, and so we expect that industries like healthcare, agriculture, and energy will not adopt SBOM practices until they must, relying on the precedents set by early adopters.

Crime and legislation will be the primary drivers of SBOM adoption. Hackers will continue to find new ways to exploit transitive vulnerabilities. Malware agents will continue to test the limits of how much companies will pay to make a problem go away.

SBOM fraud will have its day and stricter regulation will follow. There will always be someone who tries to game the system. If SBOM management becomes the expected norm, eventually, there will be those who wonder, “What corners can I get away with cutting?”

CYRIN can help

SBOMs, AI and other advances in cybersecurity measures will all help to mitigate cybersecurity issues moving forward. However, training will continue to be invaluable, as none of these technical solutions can be implemented without intelligent human interaction. Training, or the lack of it, will have consequences. Government, education, industry, students: basically all parties to the situation can become part of the solution. For the education market, we consistently work with colleges and universities both large and small to create realistic training that matches the environment students will encounter when they graduate and enter the workforce.

For industry we continue to work with our partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

We also work with all our users to create new content that fits this rapidly changing cyber landscape. In an increasingly digitized world, training, and experiential training in particular, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog or, better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
