What is in an SBOM and why you need them more than ever


Congress first emphasized the importance of cyber supply chain transparency when it passed the Cyber Supply Chain Management and Transparency Act of 2014. Considering that most lawmakers don’t seem to understand how TikTok works, it’s a little surprising that they managed to establish any reasonable guidelines.


When a software supply chain attack gave hackers access to data managed by several federal agencies, it took an executive order to change how those agencies chose software. According to the executive order, the federal government can only use software that comes with a software bill of materials (SBOM).


The change should help improve security within the government while encouraging more businesses to adopt similar requirements. Still, it’s easy to imagine a lot of people asking, “What is in an SBOM?” The following article will answer that question and identify the basic information that every SBOM should contain.


Are you looking for a secure way to distribute software packages throughout your IT ecosystem? Sign up for a free trial with Packagecloud.


What is in an SBOM, and how does it improve security efforts?

Every cybersecurity professional needs to learn about what is in an SBOM. SBOM stands for “software bill of materials.” The document provides a list of open source and proprietary components used to build software. When developers can see all of the components that software contains, they can avoid known vulnerabilities that threaten their organizations’ cybersecurity.


By reviewing the components, you can spot the ones that attackers have tampered with in a software supply chain attack. In such an attack, hackers insert malicious code into software in the hope that it will eventually reach a valuable target. For example, the attack that led to President Biden’s executive order started by adding malicious code to a product developed by FireEye. The hackers waited until agencies like the Department of State, Department of the Treasury, and Department of Defense started using the software. From that moment, they had access to networks containing sensitive information.


What is in an SBOM? Ways to improve transparency

It’s critical to note that an SBOM does not prevent software developers from adding compromised components to their products. Instead, it provides the transparency potential clients need to determine whether any of the components present threats to their security. Finding a compromised component doesn’t always mean you have to reject the software. Depending on the threat, you could determine that your security team can manage the potential problems easily. If you don’t know about the threat, though, you cannot prepare for it.


What role do SBOMs play in cybersecurity?

An SBOM document needs to contain at least three minimum elements to meet the federal government’s requirements:

  • Data fields

  • Automation support

  • Practices and processes


Do you need a simple, secure way to distribute packages to all of the machines in your IT ecosystem? Start a free trial with Packagecloud to see how the platform can make continuous integration and delivery easier than ever.


Data fields

What is in an SBOM data field? It is the baseline information that developers need to know about a software component. Before you can sell software to the federal government, your SBOM must include the following data fields:

  • Supplier name: The name of the organization or person who creates and identifies the software’s components.

  • Component name: The name of a software unit as reported by the original supplier.

  • Version of the component: The version of the component used in the software.

  • Other unique identifiers: Look-up keys and other information developers might need to identify a component.

  • Dependency relationship: Information about relationships between the component and other pieces of software.

  • Author of SBOM data: The name of the organization that created the component’s SBOM data.

  • Timestamp: The time and date the SBOM data was assembled.


Automation support

It’s impractical to think that security experts can comb through SBOMs manually to spot compromised components. Even a team of security experts can’t remember every piece of malicious code. Automation support helps them spot potential problems. Success depends on choosing the right data format.


What is in an SBOM data format that supports automation? Currently, the data formats used to create and read SBOMs include:

As long as SBOM documents conform to these standards, security specialists know how to review the software’s components and their vulnerabilities with tooling rather than by hand.


Practices and processes

Do you know what is in an SBOM practice or process? It’s an accepted approach to maintaining document accuracy throughout an application’s life cycle. Some of the most important practices and processes acknowledged by the Department of Commerce and the National Telecommunications and Information Administration include:

  • Frequency: Updating information when releasing software updates or learning about component vulnerabilities.

  • Depth: Including all top-level components and their dependencies.

  • Known unknowns: Sometimes, developers know that they do not know something about a component. How does an SBOM show this? By listing the known unknowns explicitly, so no one feels unrealistically confident about the completeness of the inventory.
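The data-field checklist above, the automation-support point, and the “known unknowns” practice can all be exercised with a short script. The following Python program is an added example written for this article; it is not Packagecloud’s code and not part of the original post. It assumes an SBOM in CycloneDX JSON (one of the machine-readable SBOM formats), uses the real CycloneDX field names (`metadata.timestamp`, `metadata.authors`, `components[].supplier`, `purl`, `dependencies[]`), and checks each component for the NTIA minimum fields, records what is missing as a known unknown, and matches component identifiers against an advisory list. The sample SBOM and the advisory list with its `EXAMPLE-ADV-…` ids are constructed for the example.

```python
"""Added example (not Packagecloud's code): check a CycloneDX JSON SBOM
against the NTIA minimum data fields and match its components to advisories.
The SBOM and advisory list are constructed; field names follow CycloneDX 1.4.
"""
import json

# Constructed sample SBOM. "liba" lacks supplier and version, and "lib-c" is
# absent from the dependency graph, so the checker has known unknowns to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2023-03-01T12:00:00Z",
        "authors": [{"name": "Example Corp Build Team"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "2.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "liba",
         "purl": "pkg:generic/liba"},
        {"type": "library", "bom-ref": "lib-b", "name": "libb",
         "version": "1.4.2", "supplier": {"name": "Libb Maintainers"},
         "purl": "pkg:generic/libb@1.4.2"},
        {"type": "library", "bom-ref": "lib-c", "name": "libc-example",
         "version": "0.9.0", "supplier": {"name": "Example Org"},
         "purl": "pkg:generic/libc-example@0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": []},
        {"ref": "lib-b", "dependsOn": []},
    ],
})

# Constructed advisory feed: placeholder ids, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl": "pkg:generic/libb@1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "purl": "pkg:generic/libb@1.3.0"},
]

# Per-component NTIA fields and where CycloneDX carries each of them.
COMPONENT_FIELDS = {
    "supplier name": lambda c: c.get("supplier", {}).get("name"),
    "component name": lambda c: c.get("name"),
    "version": lambda c: c.get("version"),
    "unique identifier": lambda c: c.get("purl") or c.get("cpe"),
}


def load_sbom(text):
    """Parse the JSON and refuse anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def check_document_fields(sbom):
    """Return the document-level NTIA fields (author, timestamp) that are absent."""
    meta = sbom.get("metadata", {})
    missing = []
    if not meta.get("authors"):
        missing.append("author of SBOM data")
    if not meta.get("timestamp"):
        missing.append("timestamp")
    return missing


def check_component_fields(sbom):
    """Map each incomplete component name to the NTIA fields it lacks.

    A component that appears nowhere in the dependency graph is treated as
    missing its dependency relationship. Everything returned is a known
    unknown the consumer should record rather than assume away.
    """
    in_graph = set()
    for d in sbom.get("dependencies", []):
        in_graph.add(d["ref"])
        in_graph.update(d.get("dependsOn", []))
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f, get in COMPONENT_FIELDS.items() if not get(comp)]
        if comp.get("bom-ref") not in in_graph:
            missing.append("dependency relationship")
        if missing:
            gaps[comp.get("name") or comp.get("bom-ref")] = missing
    return gaps


def match_advisories(sbom, advisories):
    """Return (component name, advisory id) pairs whose purl matches exactly.

    Exact matching is deliberately conservative: a component whose purl has
    no version (like liba above) cannot be matched and stays a known unknown.
    """
    affected = {a["purl"]: a["id"] for a in advisories}
    return [(c["name"], affected[c["purl"]])
            for c in sbom.get("components", []) if c.get("purl") in affected]


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    print("document gaps:", check_document_fields(bom))
    print("component gaps:", check_component_fields(bom))
    print("advisory matches:", match_advisories(bom, SAMPLE_ADVISORIES))
```

Run it as-is and it reports `liba` missing its supplier name and version, `libc-example` missing a dependency relationship, and `libb` 1.4.2 matching the placeholder advisory. The point of the exact-match rule is the one the "known unknowns" practice makes: a component the SBOM cannot fully identify is not "clean", it is unresolved, and the report should say so.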


SBOM requirements have plenty of room for growth. Knowing the minimum requirements of what is in an SBOM is just the beginning. Future versions will probably add more data fields, vulnerability lists, security scores, and other information. If you can include them now, you will position yourself as a trendsetter that emphasizes transparency and security.


How Packagecloud can help

Packagecloud is a cloud-based service that makes it easy to distribute packages throughout your IT ecosystem without investing in expensive infrastructure. The platform can also improve your cybersecurity efforts by scanning code for supply chain poisonings, trojan-horse attacks, and other vulnerabilities. In fact, it’s the first platform in the industry to support the SBOM framework. Now, you don’t need to worry that you will accidentally include known vulnerabilities in your software updates.


Packagecloud adds further security to your network by giving you a hosted, private repository. Unlike services that use public repositories, you know that you can rely on Packagecloud to pull packages from a safe, controlled environment.


See how Packagecloud can help you implement SBOM frameworks and improve your security by signing up for a free trial.
