Software composition analysis (SCA)
A software bill of materials (SBOM) is the inventory of the components that make up a given piece of software, typically with the name, version and supplier of each component.
SBOM generation and maintenance should be part of the software development lifecycle (SDLC), so that the inventory is regenerated whenever the dependencies change.
An SBOM may be composed of:
- Custom code
- Third-party commercial software
- Third-party free and open source (FOSS) software
Uses of SBOM
We can use an SBOM in the following scenarios:
- If you are a software supplier or vendor, you should maintain an SBOM so that you can identify which of your products contain a vulnerable component and report it to customers and regulators
- If you are a software customer, you should require SBOMs from your software suppliers so that you can check their components against vulnerability databases; note that an SBOM does not guarantee the absence of vulnerabilities, it only tells you what is inside the product
SBOM Standards
The two main SBOM standards are:
- SPDX
- CycloneDX
SPDX
SPDX (Software Package Data Exchange) is an open standard, maintained under the Linux Foundation, that provides a common format for companies and communities to share SBOM data such as package names, versions, licenses and package identifiers.
CycloneDX
CycloneDX is an open standard originating from the OWASP community; it defines BOM documents in JSON and XML, and each component can carry a package URL (purl) that uniquely identifies it for vulnerability matching.
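The "identify vulnerable components" use case above, applied to the two formats just listed, as an added example that is not part of the original page: it reads a minimal CycloneDX JSON SBOM and a minimal SPDX JSON SBOM into one component list, extracts the purl of each component, and matches it against an advisory feed. Both SBOMs and the advisory feed are constructed for this example; the `EXAMPLE-000x` identifiers are fictitious, and a real SCA tool would query a vulnerability database instead of a hard-coded list.

```python
import json
import re

# Constructed sample SBOMs (not from any real product).
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0"},
    ],
})

SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.4.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libfoo@1.4.0"}]},
        {"name": "libbaz", "versionInfo": "2.0.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libbaz@2.0.1"}]},
    ],
})

# Constructed advisory feed with fictitious identifiers: every version of the
# package below "fixed_in" is considered affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:generic/libfoo", "fixed_in": "1.3.0"},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:generic/libbaz", "fixed_in": "2.1.0"},
]


def parse_sbom(text):
    """Normalise a CycloneDX or SPDX JSON document into a list of components."""
    doc = json.loads(text)
    components = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            components.append({"name": comp["name"],
                               "version": comp.get("version"),
                               "purl": comp.get("purl")})
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            # In SPDX the purl lives in an external reference of type "purl".
            purl = next((ref["referenceLocator"]
                         for ref in pkg.get("externalRefs", [])
                         if ref.get("referenceType") == "purl"), None)
            components.append({"name": pkg["name"],
                               "version": pkg.get("versionInfo"),
                               "purl": purl})
    else:
        raise ValueError("unrecognised SBOM format")
    return components


def split_purl(purl):
    """Return (purl without version, version). Qualifiers and subpath are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        prefix, version = base.rsplit("@", 1)
        return prefix, version
    return base, None


def parse_version(version):
    """Simplistic dotted-numeric version tuple; real tools use ecosystem-specific
    rules (semver, PEP 440, Maven, ...), so treat this as a demonstration only."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def find_vulnerable(components, advisories):
    """Return (purl, advisory id) pairs for components below the fixed version."""
    findings = []
    for comp in components:
        if not comp["purl"]:
            continue  # no purl, so no reliable way to match: flag manually in practice
        prefix, version = split_purl(comp["purl"])
        if version is None:
            continue
        for adv in advisories:
            if prefix == adv["purl_prefix"] and \
                    parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((comp["purl"], adv["id"]))
    return findings


if __name__ == "__main__":
    for label, sbom in (("CycloneDX", CYCLONEDX_SBOM), ("SPDX", SPDX_SBOM)):
        for purl, adv_id in find_vulnerable(parse_sbom(sbom), ADVISORIES):
            print(f"{label}: {purl} affected by {adv_id}")
```

Matching on the purl rather than on the bare name is the point: two components called `libfoo` from different ecosystems are different packages, and the purl carries that distinction. Components without a purl cannot be matched automatically and should be reviewed by hand, which is a common gap in real SBOMs.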
Legal Requirements for SBOM
The European Union Cyber Resilience Act (CRA) requires manufacturers of products with digital elements to produce an SBOM as part of their vulnerability handling obligations.
You can read more about CRA on this post.
SBOM Courses
The Linux Foundation offers some courses about SBOM:
SBOM Compliance
Executive Order 14028 on Improving the Nation's Cybersecurity (May 2021) requires vendors to provide an SBOM for software sold to the US federal government. You can read more about this on this external link.
External References
- Matthew Brady, Karel Kohout, Martin Schleicher; "Demystifying SBOMs: Navigating Legislation and Processes"; Synopsys, 2024-01-30