Software composition analysis (SCA)
A software bill of materials (SBOM) is the inventory of components that make up a given piece of software, with their versions and, ideally, their suppliers and dependency relationships.
Producing and maintaining SBOMs should be part of the software development lifecycle (SDLC): an SBOM that is not regenerated on every build quickly stops describing what actually ships.
An SBOM may include:
- Custom code
- Third-party commercial software
- Third-party free and open source software (FOSS)
The SolarWinds supply-chain compromise of 2020, in which a trojanized build of SolarWinds Orion was shipped to customers through the vendor's own update channel, is the incident most often cited as motivation for SBOM requirements: affected organizations had no ready inventory of what was inside the software they ran.
Uses of SBOM
SBOMs are used in the following scenarios:
- If you are a software supplier or vendor, you should maintain an SBOM for each product so that, when a vulnerability is disclosed in a component, you can quickly determine which products and versions are affected and report to customers and regulators
- If you are a software customer, you should require SBOMs from your software suppliers. An SBOM does not guarantee the absence of vulnerabilities; it lets you match the components you run against vulnerability advisories and find out whether and where you are exposed when a new one is published
SBOM Standards
The two widely used SBOM standards are:
- SPDX
- CycloneDX
SPDX
SPDX (Software Package Data Exchange) is an open standard, maintained under the Linux Foundation and published as ISO/IEC 5962:2021, that provides a common format for companies and communities to share SBOM data. It originated in license-compliance tooling, so it is strong on license and provenance fields, and is available in several serializations (tag/value, JSON, YAML and RDF among them).
CycloneDX
CycloneDX is an OWASP Foundation standard, published as ECMA-424, designed from the start for security use cases: besides components and their relationships it can carry vulnerability data (VEX/VDR) stating which known vulnerabilities affect a product and which do not. It is most commonly exchanged as JSON or XML.
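As an added example (not code from the original article or from either standard's project), the following Python script shows the supplier and customer use cases described above in practice over a CycloneDX JSON document: it loads a minimal SBOM, extracts each component's package URL (purl), and matches the purls against a list of advisories to find which shipped components are affected. The SBOM, the advisory list and every identifier in them (inventory-api, libfoo, jsonparse, EXAMPLE-0001, EXAMPLE-0002) are constructed for illustration and refer to no real product or CVE. Version comparison is simplified to dotted integer tuples; a production pipeline would consume a real feed such as OSV or the NVD and use a proper version-range library. An SPDX document carries the same purl in a package's externalRefs, so only the loader would differ.

```python
"""Match the components of a CycloneDX JSON SBOM against an advisory list.

Everything below (SBOM, advisories, package and advisory identifiers) is
constructed for illustration and does not describe real software or CVEs.
"""
import json

# Constructed CycloneDX 1.5 document (a subset of the schema) for a
# hypothetical application with three dependency entries.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "inventory-api", "version": "2.3.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "3.0.1",
     "purl": "pkg:npm/jsonparse@3.0.1"},
    {"type": "library", "name": "jsonparse", "version": "2.9.0",
     "purl": "pkg:npm/jsonparse@2.9.0"}
  ]
}
"""

# Constructed advisory feed. "fixed_in" is the first version that is not
# affected; the ids are placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_type": "npm", "name": "jsonparse", "fixed_in": "3.0.0"},
    {"id": "EXAMPLE-0002", "purl_type": "generic", "name": "libfoo", "fixed_in": "1.5.0"},
]


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document and check the fields this script relies on."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not isinstance(doc.get("components"), list):
        raise ValueError("SBOM has no components list")
    return doc


def parse_purl(purl: str) -> tuple:
    """Split 'pkg:type/name@version' into (type, name, version).

    Qualifiers ('?...') and subpaths ('#...') are dropped; a namespace such as
    'pkg:npm/%40scope/pkg' stays as part of the name.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    if not name:  # no '@': rpartition put the whole string in `version`
        name, version = version, ""
    return ptype, name, version


def version_key(version: str) -> tuple:
    """Order dotted numeric versions as integer tuples.

    Simplified on purpose: no pre-release or build-metadata handling, and a
    non-numeric part raises rather than silently comparing as a string.
    """
    return tuple(int(part) for part in version.lstrip("v").split("."))


def find_affected(sbom: dict, advisories: list) -> list:
    """Return one finding per (component, advisory) pair where the shipped
    version is older than the advisory's first fixed version."""
    findings = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        if not purl:  # components without a purl cannot be matched reliably
            continue
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["purl_type"] != ptype or adv["name"] != name:
                continue
            if version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"purl": purl, "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    app = bom["metadata"]["component"]
    print(f"{app['name']} {app['version']}: {len(bom['components'])} components")
    for hit in find_affected(bom, ADVISORIES):
        print(f"  {hit['purl']} affected by {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Note that the same package appears twice in the constructed SBOM at different versions, which is common in real dependency trees; only the older copy is reported, and that is exactly the information a customer needs when an advisory lands.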
Legal Requirements for SBOM
The European Union Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to draw up an SBOM as part of their vulnerability-handling obligations.
You can read more about the CRA in this post.
In the USA, Executive Order 14028, "Improving the Nation's Cybersecurity" (May 2021), made the SBOM a federal procurement requirement and tasked the Department of Commerce and NTIA with publishing the minimum elements of an SBOM; the National Cybersecurity Strategy (2023) is a separate document that builds on it. You can read about it on this external link.
SBOM Courses
The Linux Foundation offers some courses about SBOM:
SBOM Compliance
The May 2021 executive order on improving the nation's cybersecurity (EO 14028) requires that suppliers of software to the US federal government provide the purchaser with an SBOM for each product, either directly or by publishing it on a public website. You can read more about this on this external link.
External References
- Matthew Brady, Karel Kohout, Martin Schleicher; "Demystifying SBOMs: Navigating Legislation and Processes"; Synopsys, 2024-01-30