As organizations develop new and more complex software, the software development space has garnered more government attention. The SBOM, or Software Bill of Materials, has emerged as an integral part of software development and supply chain management best practices.
The evolving software supply chain ecosphere is a big topic with more than a few moving parts. Here’s a deeper dive into LTAPod #4, where we explore SBOMs and how they can make software more secure by helping software companies manage risk with greater ease.
The rise of SBOM
“Use of SBOMs has picked up dramatically in the last six months.”
From an infrastructure point of view, a “Bill of Materials” is an inventory listing and explaining all the components used in the building process. Sales teams use these docs to present their products to customers via a template of materials to be used to make the business-friendly solution they need.
SBOMs work similarly for software and are getting increasingly popular (and mandatory) due to the executive order on improving cybersecurity, as more companies look for ways to efficiently consolidate their data in an inventory that provides greater visibility into a software product’s composition.
A way to assess the risks of third-party services in development
For Mark, SBOMs are all about the software that is being consumed in the development process: be it a third-party service or an external dependency being leveraged. As developers may not have access to a third-party service’s code, they must be able to assess the risk by ingesting the bill of materials of that software provider. From there, vulnerabilities can more easily be detected and remediated.
Gaining visibility into commercial software
Most companies use commercial, off-the-shelf tools to manage their internal processes; like Salesforce or Hubspot for marketing, or Cerner’s products for healthcare. With the majority of companies relying on these tools for their day-to-day operations, there needs to be visibility into how they are built. So, while SBOMs may be currently nascent, they will likely become a very important part of the sales process and in the implementation phase—with more buyers requesting SBOMs so they can comply with regulations and better manage their third-party risk.
SBOM: An integral part of the future of the software development landscape
“When you have the government talking about how we need to be focused on SBOMs, it has larger repercussions on what we do day-to-day.”
As more companies grow to rely on different software for their operations, government regulations are on the horizon; and their task forces are hot on the case. US policy makers have emphasized the importance of SBOMs in a world where digitalization and software applications are having a tangible impact on the physical world, most crucially in infrastructure and industry. Moving forward, the SBOM is bound to become a standard software development, implementation and sales practice for all modern organizations.
To learn more about SBOMs and how to find and fix vulnerabilities in third-party and open source software faster, read about Software Supply Chain Security with ArmorCode
