Software Bill of Materials
(SBOM)

For companies selling software products today, creating a software bill of materials (SBOM) isn’t just a good idea – it could soon be the law.

In 2022, an Executive Memo (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) expanded on 2021’s Executive Order 14028 (Improving the Nation’s Cybersecurity).

According to the 2022 memo, federal agencies may now require SBOMs for critical software. The memo also identified SBOMs as the preferred method for demonstrating compliance with National Institute of Standards and Technology (NIST) standards.

What Are SBOMs and Why Do They Matter?

SBOMs are a standardized, machine-readable inventory of software components and dependencies. They’re designed to track the details and supply chain relationships of software components, their dependencies, and their hierarchical relationships. 

SBOMs provide transparency into the components that make up software. When all the component “ingredients” that make up an application’s code are known, businesses can quickly identify impacted applications when one of those components is found to have a vulnerability.

Supply chain compromises, including 2019’s SolarWinds attack, created urgency around potential supply chain threats. President Biden tasked NIST with developing a plan to protect the software supply chain as a critical component of the country’s cybersecurity posture.

 

Today, SBOMs may be required by federal executive agencies for critical software. To comply with the recent executive order and executive memo, these SBOMs must:

  • Use one of the data formats included in the NTIA’s Minimum Requirements for an SBOM
  • Provide a full list of transitive dependencies
  • Provide a list of “known unknowns” if the full list of transitive dependencies cannot be generated
Software bill of materials - inventory of software components and dependencies.

Guidance by the NTIA indicates that repository integration can provide a path to automating SBOM generation and updates: “SBOM data could be created and stored in the repository of the source. … an update to the underlying source should, in turn, create a new SBOM.”

 

White Paper – The Importance of SBOMs in Protecting the Software Supply Chain

What is included in the SBOM produced by Mend SCA?

 
Mend SCA enables you to quickly and easily generate SBOMs that:

  • Identify all open source libraries
  • Track and document each component, including direct and transitive dependencies
  • Update automatically when components change
Software bill of materials - generate SBOM with SCA

Mend.io (formerly WhiteSource) effortlessly secures applications without burdening the developers who create them. With over a decade of experience helping more than 1,000 organizations build next-gen AppSec programs, our technology improves security outcomes while accelerating development.

;