ADDO session: The state of SBOM, what's coming in standards and regulations

Written by Sonatype | October 10, 2024

In 2021, the Log4j vulnerability catalyzed the industry to take action to boost the security of open source components. The development community is leading this movement, but governments are also taking notice and writing legislation to regulate how organizations approach software transparency.

Mandating software bill of materials (SBOM) requirements has emerged as a key tool for developers to catalog every package, dependency, and library included in an application. The current state of SBOM technology and practices was the focus of Allan Friedman's All Day DevOps (ADDO) session, titled "The State of SBOM - What's Coming in Standards and Regulations." Friedman, a Senior Technical Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA), discussed recent global developments in the standards and regulations around dependency management.

Why are supply chains being targeted?

Once a niche issue, SBOMs have become central to protecting the software supply chain. Attackers are targeting software supply chains because they represent a soft underbelly of the digital ecosystem — vulnerable points that are often overlooked but can provide significant leverage.

These attacks are difficult to detect and give attackers broad access with minimal effort.

SBOM management is not just a good idea; it's becoming a requirement for doing business. Rules and regulations are emerging that not only require them but also impose significant penalties for noncompliance. For example, the FDA requires manufacturers to provide regulators with an SBOM for any new medical device introduced.

Today, the European Union officially adopted the Cyber Resilience Act, which requires any product with a digital element sold in the EU to have an SBOM that can be made available to national regulators.

SBOM formats, requirements, and specifications

When planning an SBOM strategy, it's helpful to distinguish between what is a requirement and what is a standard. Today, there are two competing SBOM formats, SPDX and CycloneDX. Both are open source, widely used, and backed by active communities, and either one is critical for producing a well-structured SBOM.

When it comes to specific requirements for SBOMs, there are several levels of what is being asked. First, organizations need to be able to attest to the existence of an SBOM - being able to say, at a minimum, what is in their software. Second, and a little more demanding, is having an SBOM that can be provided to customers or regulators if asked. Deeper still is the ability to produce an SBOM during the consideration phase, so prospective customers can understand the product's dependencies before they buy. Finally, the most mature requirement is being able to produce an updated SBOM with each software update.
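Because the two formats above compete, a consumer that wants to say "minimally what is in the software" has to read both. The following is an added example, not code from the session or from Sonatype: it tells CycloneDX JSON and SPDX JSON apart by their top-level marker fields, normalizes both into one component list, and flags components whose version was never recorded. The two sample documents are constructed for the example.

```python
import json

# Constructed sample documents (not from the talk): the same two components
# expressed once as CycloneDX JSON and once as SPDX 2.3 JSON.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind"},  # no version recorded
    ],
})
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-log4j", "name": "log4j-core", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        {"SPDXID": "SPDXRef-jackson", "name": "jackson-databind"},  # no versionInfo
    ],
})

def detect_format(doc):
    """Tell the two competing formats apart by their top-level marker fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")

def parse_sbom(text):
    """Normalise either format into a list of (name, version, purl) tuples."""
    doc = json.loads(text)
    components = []
    if detect_format(doc) == "cyclonedx":
        for c in doc.get("components", []):
            components.append((c["name"], c.get("version"), c.get("purl")))
    else:  # SPDX keeps the purl under externalRefs rather than as a field
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            components.append((p["name"], p.get("versionInfo"), purl))
    return components

def missing_versions(components):
    """Components that cannot be matched against advisories because no version was recorded."""
    return [name for name, version, _ in components if not version]
```

A component without a version is the practical failure mode of the first maturity level: the SBOM exists, but it cannot answer whether an affected release is present.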

All Day DevOps, now in its 9th year, is the largest DevOps conference in the world, with more than 180,000 attendees each year. You can catch Allan's session on demand here, as well as hundreds of sessions across topics, including Dependency Management, Modern Infrastructure, and AI/ML.