The benefits and challenges of SBOMs
While software bills of material present new challenges for security teams, they offer the benefits of improved visibility, transparency and security.
Open source is fundamental to modern software development. While open source code and reusable components have simplified development, they've also exposed a critical visibility gap: Organizations are unable to accurately record and summarize all the software they produce, consume and operate. Without visibility, software supply chains are vulnerable to security and compliance risks.
Software bills of material (SBOMs) enhance visibility in the software supply chain. With recent supply chain attacks, such as SolarWinds in 2020 and Kaseya in 2021, organizations and governments are growing more aware of the importance of software supply chain security. President Joe Biden signed an executive order in May 2021, for example, that stipulates all vendors responsible for supplying software to federal agencies must provide an SBOM.
Gartner predicted 60% of organizations responsible for critical infrastructure software will mandate and standardize SBOMs in their software engineering practices by 2025 -- an uptick from less than 20% in 2022.
Here is what software engineering leaders need to know about integrating SBOMs throughout the software delivery lifecycle (SDLC) to support secure software development.
What are the benefits of SBOMs?
SBOMs help organizations determine if they are susceptible to security vulnerabilities previously identified in software components, whether those components are internally developed, commercially procured or open source software libraries. SBOMs generate and verify information about code provenance and relationships between components, which helps software engineering teams detect malicious attacks during development and deployment.
For example, a zero-day vulnerability in Apache Log4j was identified in the widely used open source Java logging library in December 2021. Once the vulnerability was uncovered, security leaders had to quickly work to identify applications using the infected library. Organizations with SBOMs had reduced response times due to their ability to map applications to vulnerable dependencies.
SBOMs also increase efficiency by connecting open source and third-party software. While every organization uses the same components, each organization scans for vulnerabilities and analyzes compliance risks separately. SBOMs' common infrastructure and data exchange format could save companies time by creating greater collaboration between organizations.
What are the challenges of adopting SBOMs?
Data sharing and data exchange standardization have influenced the success of SBOMs, as they deliver the greatest value when everyone in the supply chain adheres to the same standards. Achieving this consensus may take a while, however, due to the volume of software and tools that are already in use or emerging.
Another challenge to consider is the role of adaptability. SBOMs are not static documents. Every new release of a component must include a new SBOM. There is a huge risk in releasing and consuming new components without corresponding SBOM changes. SBOM generation and management tools are critical for widespread adoption, as they help organizations integrate SBOM functionality into software development, packaging and release activities.
Additionally, SBOM generation tools rely on discovering dependencies that can be queried through package managers. This can provide a false sense of completeness because developers can pull pre-compiled binaries or raw code into their codebases. Software engineering teams must avoid conflating one layer-deep SBOMs with complete SBOMs. To provide full transparency, SBOMs must enumerate components as deep as possible in the dependency graph. SBOMs can also provide hierarchical information, where each component in the SBOM has an SBOM of its own.
SBOMs will see increased adoption throughout critical infrastructure and human life, such as energy, utilities, healthcare, manufacturing, telecommunications and government. The most immediate impact will be in the public sector. This is especially true in U.S. federal departments and agencies, where NIST guidelines require suppliers of software products and services to support SBOMs using standard data formats. Software engineering leaders who adopt and integrate SBOMs throughout the SDLC will reap the benefits of increased visibility, transparency and security -- especially as open source code use continues to increase.
About the author
Manjunath (Manju) Bhat is a research vice president at Gartner covering practices, technologies and tools related to DevOps, site reliability engineering, cloud, automation, software engineering and open source software.