SBOMs should be a security staple in the software supply chain The common analogy when talking about software bills of materials (SBOMs) is the list of ingredients found on food packages that lets consumers know what is in the potato chips they're about to eat. Likewise, an SBOM is an inventory of the components in a piece of software, a crucial tool at a time when applications are a …
The SBOM will just wind up being another checklist item. Something that someone on the team will have to fill out to satisfy a "requirement". Good programmers who do security properly will see no change to their work except having to fill out a form. Bad programmers will see no change to their work except having to fill out a form.
Liability is the answer: Make someone somewhere pay damages if the software is insecure, and then you'll start to see changes.
Really? It's more like "The idea of an SBOM has been sadly neglected in recent years".
It seems that modern software developers have forgotten or maybe never learned, that a SBOM (whether formally called that or something else) has been an essential component of effective software configuration management schemes for decades, but ignorance of the past is no excuse.
I think the rush to develop products based on pre-existing components that aren't under the control of the developer has pushed the industry into a very bad place.
Still, maybe suppliers of free software can now make a bit of money maintaining and selling the BOM info.
Exactly. We were maintaining an SBOM for our product since it began development circa 2010 (</whippersnapper>) and this was a required artefact when we delivered evaluation units to $US_DEFENCE_PRIME a few years later. In that case the focus was mostly on understanding licencing of the various components, but still - knowing what you're using is not a new concept.
OMFG. All three of these SBOM formats look nightmarishly complex, and only SPDX lets you use plain text; the others require JSON or XMLish, both of which add needless complexity.
If you want to know more ...
SPDX: https://github.com/spdx/spdx-spec/blob/development/v2.2.2/examples/SPDXTagExample-v2.2.spdx
CycloneDX: https://cyclonedx.org/use-cases/
SWID: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf
Yes, and converting from some sufficiently-regular "plain text" collection of information to JSON and XML, or vice versa, is something that can easily be scripted. If someone's "plain text" summary of their dependencies can't easily be converted, then it's probably not useful for any real-world purpose anyway.
Really, if you have more than a handful of dependencies on external components, this information should be in a database anyway, in which case generating CycloneDX, say, is trivial.
"SBOMs by themselves are not a silver bullet," he said. "We have to understand what they are good at and where they are less useful. They are good at helping you understand the components that go into your software. They are much less useful for actually improving the security profile of those components."
So, in short, it's still up to the companies.
And they did such a sterling job before amirite? Surely, all that held their heroic struggle against ITSec threats back was the lack of yet more data formats that will be automated away somewhere in the build chain.
Quote: "....Having no standards is a problem...."
(1) Yup...."standards".....a word used to refer to technical matters.....link: https://www.ansi.org/
(2) Then there's ethical standards: one example of lack of same......link: https://www.theregister.com/2023/03/04/dhs_secret_service_ice_stingray/
Isn't a real pity that the SBOM debate is about item #1?...............and no one seems to complain about item #2 (you know....Snowden revelations, Stuxnet, Cisco backdoors...........)
"Log4j is used in the vast majority of software," ArmorCode's Lambert said
That hissing is the sound of someone's credibility rapidly evaporating.
Log4j is a Java component, and Java doesn't represent a majority of existing software, much less a "vast" majority of it. What an idiotic thing to claim.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
