The benefits and challenges of SBOMs
Open source is fundamental to modern software development. Although open source code and reusable components have simplified development, they have also revealed a critical lack of visibility: organizations are unable to accurately record and summarize all the software they produce, consume, and operate. Without visibility, software supply chains are vulnerable to security and compliance risks.
Software Bills of Materials (SBOMs) improve visibility in the software supply chain. With recent supply chain attacks, such as SolarWinds in 2020 and Kaseya in 2021, organizations and governments are increasingly aware of the importance of software supply chain security. President Joe Biden signed an executive order in May 2021, for example, which states that all vendors responsible for providing software to federal agencies must provide an SBOM.
Gartner predicted that 60% of critical infrastructure software organizations will enforce and standardize SBOMs in their software engineering practices by 2025, up from less than 20% in 2022.
Here’s what software engineering managers need to know about integrating SBOMs throughout the software delivery lifecycle (SDLC) to support secure software development.
What are the benefits of SBOMs?
SBOMs help organizations determine whether they are exposed to previously identified security vulnerabilities in software components, whether those components are developed in-house, commercially purchased, or open source libraries. SBOMs record, and make it possible to verify, information about code provenance and component relationships, which helps software engineering teams detect malicious tampering during development and deployment.
For example, a zero-day vulnerability in Apache Log4j, a widely used open source Java logging library, was identified in December 2021. Once the vulnerability was disclosed, security teams had to work quickly to identify which applications used the affected library. Organizations with SBOMs had shorter response times because they could map applications to their vulnerable dependencies.
SBOMs also increase efficiency around open source and third-party software. Although many organizations use the same components, each one searches for vulnerabilities and analyzes compliance risks separately. A common SBOM infrastructure and data interchange format could save companies time by enabling greater collaboration between organizations.
What are the challenges of adopting SBOMs?
The success of SBOMs depends on shared, standardized data exchange, because SBOMs provide the greatest value when all players in the supply chain adhere to the same standards. However, achieving this consensus may take some time, given the volume of software and tools already in use or emerging.
Another challenge to consider is the role of adaptability. SBOMs are not static documents. Each new version of a component must include a new SBOM. There is a huge risk in releasing and consuming new components without corresponding SBOM changes. SBOM generation and management tools are essential for widespread adoption because they help organizations integrate SBOM functionality into software development, packaging, and release activities.
Additionally, SBOM build tools rely on discovering dependencies that can be queried through package managers. This can give a false impression of completeness, because developers can also pull precompiled binaries or copied source code into their codebases. Software engineering teams should take care not to mistake partial, layer-limited SBOMs for complete SBOMs. To ensure full transparency, SBOMs should enumerate components as deep into the dependency graph as possible. SBOMs can also carry hierarchical information, where each component in the SBOM has its own SBOM.
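The two points above, mapping applications to vulnerable dependencies after a disclosure such as Log4j, and the difference between a layer-limited SBOM and one that enumerates the full dependency graph, can be made concrete with a small script. This is an added example, not code from the article or from Gartner; it assumes a CycloneDX-style JSON layout with nested "components", and both the SBOM and the advisory record are constructed sample data.

```python
import json

# Constructed CycloneDX-style SBOM (assumption: CycloneDX JSON layout, with
# nested "components" expressing the hierarchy the article describes).
SBOM_JSON = """
{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"name": "billing-service", "version": "3.2.0"}},
 "components": [
  {"group": "com.example", "name": "report-lib", "version": "1.4.2",
   "components": [
    {"group": "com.example", "name": "pdf-core", "version": "0.9.1",
     "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"}
     ]}
   ]},
  {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"}
 ]
}
"""

# Constructed advisory feed (sample data, not a real vulnerability record):
# (group, name) -> (advisory id, first fixed version); lower versions are affected.
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): ("ADV-EXAMPLE-1", "2.17.1"),
}

def parse_version(v):
    """Dotted numeric version -> tuple for ordering; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def walk(components, path=(), max_depth=None):
    """Yield (component, path) for every component, recursing into nested
    components unless max_depth limits how deep the SBOM is read."""
    for c in components:
        here = path + (f"{c['name']}@{c['version']}",)
        yield c, here
        if max_depth is None or len(here) < max_depth:
            yield from walk(c.get("components", []), here, max_depth)

def find_vulnerable(sbom_json, advisories, max_depth=None):
    """Return [(advisory id, depth, dependency path)] for affected components."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp, path in walk(sbom.get("components", []), max_depth=max_depth):
        adv = advisories.get((comp.get("group"), comp["name"]))
        if adv and parse_version(comp["version"]) < parse_version(adv[1]):
            hits.append((adv[0], len(path), " > ".join(path)))
    return hits

if __name__ == "__main__":
    print("full graph:", find_vulnerable(SBOM_JSON, ADVISORIES))
    print("top layer only:", find_vulnerable(SBOM_JSON, ADVISORIES, max_depth=1))
```

Reading only the top layer (max_depth=1) reports nothing, while the full walk finds the affected log4j-core three levels down, which is the false sense of completeness the paragraph warns about.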
SBOMs will see increased adoption in sectors critical to infrastructure and human life, such as energy, utilities, healthcare, manufacturing, telecommunications and government. The most immediate impact will be felt in the public sector. This is especially true in US federal departments and agencies, where NIST guidelines require vendors of software products and services to support SBOMs using standard data formats. Software engineering leaders who adopt and integrate SBOMs throughout the SDLC will reap the benefits of increased visibility, transparency, and security, especially as the use of open source code continues to grow.
About the Author
Manjunath (Manju) Bhat is vice president of research at Gartner, covering practices, technologies, and tools related to DevOps, site reliability engineering, cloud, automation, software engineering, and open source software.