In the past year, more and more businesses have been hacked, causing massive disruptions to supply chains everywhere. These outages didn’t care what sector a business was in—they were ruthless no matter who they targeted. Thus, not only were supply chains halted, but businesses lost both income and the confidence of consumers.
What is a Software Bill of Materials?
Let’s make this easy. Say, for instance, your c level contact list developers are working on a containerized application that will completely revolutionize how your business functions. Your software engineers base this new project on an image they’ve either created or pulled down from DockerHub.
The big question is this: What’s in that image? Do you know every application, dependency, and library? And, more importantly, are those included pieces free from vulnerabilities? That’s something a Software Bill of Materials can help you answer.
Effectively, a Software Bill of Materials is a list of everything found in an operating system, image, or platform. With this in hand, you are better prepared to either know what you’re working with or can better answer when a third party comes to you wanting to know if what you’ve developed is secure from the ground up.
Without that information, you really can’t answer. Sure, you can confidently say, “The software we’ve built in-house is secure,” but you can’t apply that to the images and libraries your projects depend on. These SBOMs can be used for things like pre-IPO or M&A due diligence, customer requests, and government regulations.
Benefits of SBOMs
The benefits of SBOMs are one of the disputed issues in academic! many, including:
- Deeper transparency, which generates loyalty and trust.
- Tighter security.
- Supply chain resiliency.
- Lower costs.
- Less bloat in software code.
- Better software/project end-of-Life management.
- Improved compliance.
The above list alone should have you wanting to start your journey with SBOMs.
How do Create a Software Bill of Materials?
This will depend on what you’re using and your needs. But it’s important to understand that your SBOMs aren’t just for internal use. If you create something (especially if it’s under an open-source license), you should be willing to share the SBOMs with other developers and/or companies. You might even find yourself in a situation where a government entity requests your SBOM.
So how do you generate one? Let’s take buy lead a look at 2 different use cases and how an SBOM can be generated.
Let’s start with a use case that has your developers basing a product on Ubuntu Linux 20.04. You need to know every single package installed on the base operating system, so you can then, in turn, audit those packages to make sure they don’t contain vulnerabilities.
