Five Tips for Using SBOMs to Boost Supply Chain Security
A Software Bill of Materials (SBOM) is a key cyber defense item — it identifies what’s in your software, applications, and code base so that you can detect and mitigate risk more effectively. This is useful when it comes to application security because companies can only detect and fix vulnerabilities if they know what’s there in the first place. SBOMs give you that visibility. Consequently, SBOMs are now a “must-have” tool for most companies. Unfortunately, “must have” does not necessarily translate to “effective implementation,” without knowing how to proceed, so we’ve put together some top tips to get the most from your SBOM.
1. Analyze your needs.
For many companies, regulatory compliance drives the need for an SBOM. Software supply chain security has become an issue to which numerous international governments and legislative bodies have recently turned their attention. In the U.S.A., for example, the White House Executive Order (EO) 14028 requires federal agencies to get SBOMs from all vendors and supplies, who are mandated to document components and processes, to demonstrate that their code is secure and legally compliant.
Throughout the world, industries handling sensitive data, like healthcare and finance, and any companies conducting mergers and acquisitions, or those trading as public companies, are obliged to be transparent, and this transparency requires the use of SBOMs. Companies from all industries that use or develop, produce, purchase, or operate software and applications will benefit from using SBOMs. SBOMs give them far better visibility and understanding of their software supply chain. They enable companies to check the components of their code base and ensure that they are updated and protected from attacks.
2. Don’t use a wrench when you need a hammer.
SBOMs have a bad rep for being difficult and time-consuming — but the real problem is that many companies are using the wrong tool. Using email and spreadsheets is cumbersome, slow, and prone to human error. And frankly, they can’t keep up with the rapidly escalating volume of components and dependencies that need cataloging. Most tools are not suited for managing SBOMs. Even when they disclose vulnerabilities, they don’t necessarily show how to address them. They may only cover a specific set of programming languages or package managers. Many tools also can’t generate SBOMs automatically in a machine-readable format, and they can’t scale up easily.
If you want to generate SBOMs quickly and reliably, use a tool that’s purpose-built to do so. Look for a tool that reveals all open source libraries, tracks and documents both direct and transitive dependencies, and automatically updates whenever a change is detected in any component. Good SBOM tools also recommend ways to remediate any vulnerabilities that don’t risk breaking your build.
3. Plan for automation and continuous remediation.
The White House executive order requires software inventories to be automatically generated in a machine-readable format, so look for tools that support full automation, particularly if doing business with federal and governmental bodies. Management of your software supply chain is far more efficient and effective when your tool continuously discovers and addresses any risks. It should help avoid harmful components and send alerts when it detects anomalies during development or production. It should also be capable of identifying risks in downstream components.
4. Look for comprehensive coverage.
Your tool should provide an up-to-date and accurate inventory of all your supply chain components that covers all the technology stacks and programming languages that your organization uses. It should also support standard SBOM formats. If your tool isn’t comprehensive, then you could generate SBOMs that do not provide a complete or accurate view of all of your software, components, and dependencies.
5. Keep it simple.
Your tool should be simple to adopt, ideally working within your regular workflow to operate as seamlessly as possible. It needs to be scalable and versatile, so it can handle a growing volume and variety of components and produce low false-positive rates.
