The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been advocating for software bills of materials (SBOMs) as a crucial tool to enhance software supply chain security since 2021. This initiative stemmed from the White House’s Executive Order 14028 in 2021 and was further developed with the release of “The Minimum Elements for a Software Bill of Materials (SBOM)” by the National Telecommunications and Information Administration.
Since the release of EO 14028 in May 2021, SBOM adoption has been on the rise. Sonatype reports that three-quarters of enterprises in the United States and the United Kingdom have implemented SBOMs. However, many organizations still face challenges in implementing SBOMs due to issues such as standardizing SBOM formats, ensuring comprehensiveness, and making them actionable.
To address these critical challenges and explore solutions, CISA launched SBOM-a-rama in June 2023. This event brings together practitioners and leaders from government, enterprises, and the community to discuss the state of SBOM implementation. Subsequent SBOM-a-rama events have been held in February 2024 and recently in Denver, Colorado.
Key themes from the latest SBOM-a-rama event in Denver highlighted the importance of automation, transparency, and more. Here are the key takeaways for application security (AppSec) leaders and practitioners:
### Practitioners Emphasize Transparency
Transparency emerged as a crucial benefit of SBOMs discussed by multiple stakeholders at the event. SBOMs provide insight into the components of software, including third-party software, open-source components, and internally developed code. This transparency is vital for enhancing security in critical systems.
James Paolo Caseja, from the Office of the Deputy Assistant Secretary of the Army, highlighted the importance of SBOM adoption for the Army, emphasizing that it provides greater transparency and security. Helen Oakley from SAP emphasized the need for transparency in the artificial intelligence industry, stating that AIBOMs enable transparency and security in AI systems.
Allan Friedman from CISA stressed the importance of transparency from software producers for software supply chain security, questioning how vendors can sell software without knowing its contents.
### Automation Drives Relevance
While SBOMs are recognized as essential for software transparency, discussions at SBOM-a-rama underscored the need for automation in generating, updating, and sharing SBOMs. Olle Johansson from OWASP emphasized that standard formats and automation are key to delivering transparency through SBOMs.
Attendees also discussed the requirements of different stakeholders in SBOM generation and use, highlighting the necessity for automation to make SBOMs actionable and useful, particularly for developers operating in fast-paced DevOps environments.
### Challenges in SBOM Sharing
Speakers at the event raised concerns about the distribution and sharing of SBOMs, noting that it is not as straightforward as desired. Stakeholders need to be specific in requesting SBOMs from third parties and ensure secure sharing practices.
Phil Englert from the Health-ISAC highlighted challenges in distributing SBOMs to health care organizations and emphasized the importance of making SBOMs available and known to consumers. Despite increasing SBOM adoption, there is still confusion among software producers about SBOM requirements and sharing practices.
### Actionable SBOMs for Supply Chain Security
Once SBOM sharing becomes standardized, SBOMs can be made actionable for enhancing software supply chain security. Deanna Medina from United Airlines emphasized that SBOMs enable organizations to track software inventory meticulously, protect against legal risks, and prevent software over-deployment.
SBOMs also facilitate incident response and risk remediation efforts, allowing security teams to quickly identify compromised components and contain risks. Nastassia Tamari from the U.S. Food and Drug Administration highlighted the critical role of SBOMs in risk management for medical devices.
In conclusion, SBOM-a-rama provided valuable insights into the state of SBOM implementation and highlighted the progress made in various areas. While SBOMs are a crucial first step in software supply chain security, they should be viewed as part of a comprehensive risk management strategy. Going beyond SBOMs can help organizations prevent software supply chain attacks effectively.
