The SBoM (Software Bill of Materials) is getting more and more attention in IT. The arguments for this seem valid; there are many benefits to be gained from an SBoM, or better said, from adopting the SBoM together with an SBoM registry. Often the conversation about the SBoM is driven from an operational and technical perspective. Less often do we see a rationale for the SBoM from an administrative (management) angle. Strange, because precisely from a management perspective there are many interesting aspects that make the implementation of the SBoM an agenda topic for management. The SBoM enables you to give your customer the information they need to manage their own level of security and compliance. This article is intended to promote awareness of the SBoM amongst management.
Context
After two years of the pandemic, the Ukraine situation and the increasing tension in the world, the dynamics and uncertainty in many sectors are very high: the energy transition and explosively rising energy prices, growing attention to the environment and sustainability, scarcity on the labor market and, after the scarcity of chips, an increasing (fear of) scarcity of all kinds of products and materials. In these dynamics, many organizations are accelerating digital transformation and/or renewing their existing IT. This digitization and renewal are further challenged by various security issues. Not unimportant, because an incident can lead to high costs or major damage to enterprise or product reputation. These are all elements that feed uncertainty, the need for more grip, and the need to respond quickly to (unexpected) changes or risks.
IT plays a major role in this context, mostly contributing to solutions and to the ability to accelerate and become more agile (resilience). However, modern IT also has a downside. IT solutions consist of more, and smaller, components. This increases the challenge of managing all those components and deploying them in an auditable, secure and compliant manner.
What is it: SBoM and CMDB
The SBoM (Software Bill of Materials) complements the CMDB by registering details per software component. This could include a version number and a release date, but also whether open-source code was used, and which tools (and versions) were used to design and produce the software. In short, the SBoM is a registry that provides insight into the function of each component and enables tracking and tracing throughout the value chain. (Example of a detailed explanation of the SBoM: https://ntia.gov/SBoM)
For a technical interpretation, please refer to the article ‘Deep dive into Software Bill of Materials Standards’.
Where to apply: Internal or external use
The SBoM and the CMDB are both tools suitable for internal use. The combined application of the CMDB and SBoM gives an organization more control over its entire IT landscape. In other words, it contributes to insight into, and grip on, the value chain within which the IT components in question are used.
The SBoM, or parts of it, also lends itself to external use. Specifically, the SBoM gives the buyer of software, an IoT/hardware component or a digital service insight into what may be important in the context of security and compliance. In the United States, some industries (e.g., healthcare) have started to discuss the mandatory application of an (SBoM) label. (See: Executive Order 14028, Improving the Nation’s Cybersecurity | NIST). Recently a proposal for a governmental act has been introduced in the EU as well, which will apply to all “smart” and digital products, from children’s toys to software packages. This so-called Cyber Resilience Act will take effect within two years of adoption and is a direct incentive to implement the SBoM.
Notice that there are multiple stakeholders for whom the SBoM brings added value:
- Buyer/user: Vulnerability or license analysis
- Users’ common repository: faster search and increased accessibility and transparency
- Administrator: quick and targeted identification of potential risks
- Administrator: quick check for known vulnerabilities
- Administrator/developer: automation and integration
- Manager (Business): less (long) disruptions.
What does it bring: Added value at Enterprise level
Without being exhaustive, the added value of applying an SBoM and CMDB in combination emerges with respect to:
- Continuity: quick insight into and access to (control) data. Instant insight into relevant data for decision-making in the event of threats, incidents and calamities, for example through an online real-time dashboard, and a foundation for accurate and automated correction of IT configurations.
- Requirements for suppliers: the use of third-party services, software and products raises the question of whether all of them meet the requirements. Manual (regular) checking is (too) costly and time-consuming. A digitally delivered SBoM therefore seems an important procurement requirement.
- Security (risk mitigation): cybersecurity is an important incentive to consider the SBoM. Increasing IT fragmentation and complexity and recent examples of zero-day vulnerabilities and malware threats fuel this incentive. With the information from the SBoM, more appropriate action can be taken, and unwanted situations for the customer and the own organization can be prevented or minimized.
- Open source and compliance: adequate and complete insight into the (re)use of existing (open source) code is not yet self-evident. By equipping the software supply chain (pipelines) with the right tools and procedures, it can be registered where and which third-party code has been reused.
- Profitability (or efficiency): zero-day vulnerabilities and other threats are becoming more common. Avoiding unnecessary ad hoc measures saves costs and prevents possible loss of productivity.
- Agility/Resilience: SBoM details provide insight that allows measures to be applied much more effectively and in a targeted way.
On the one hand, you avoid an excess of measures, which makes the organization unwieldy and inefficient. On the other hand, you prevent risks as a result of the omission of measures, simply because the overview and insight are lacking. It may be clear that you become more resilient as an organization by making balanced and relevant choices instead of one of the two extremes.
Important to whom: Business and Customers
Reading the above, the conclusion can perhaps already be drawn: business management and the customer (as buyer of software licenses or SaaS) are the biggest stakeholders.
When the IT organization adopts the SBoM, the Business will face fewer disruptions and costs due to vulnerabilities.
As a customer or purchaser of a SaaS service or an application license, you want to know whether the use of these services carries risks. In short, you have questions about what tools (and versions) were used in the realization, what (open source) third-party code was utilized, and so on. The Bill of Materials should be included as a matter of course with software and services, just as food comes with a list of ingredients and their origin. Requiring a digital SBoM when the service is purchased allows the customer to better inform themselves.
Who should act: realization and implementation
The IT department and Procurement seem to be the prime disciplines to start adopting the SBoM.
Procurement, by making the delivery of a digital SBoM a condition for the services provided. The SBoM must be digital, provided in a machine-readable and processable standard file format, not a PDF.
The IT department will have to facilitate the processing and analysis of the SBoM information. Above all, it will contribute to working more efficiently thanks to the information from the SBoM. Where the IT organization has its own software developed and maintained, consideration must also be given to setting up the right tools. The quality and completeness of an SBoM (register) must not depend, now or later, on manual intervention.
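What "processing and analysis" of a digital SBoM looks like in practice, and why the machine-readable format requirement above matters, can be shown with a small worked example. This is an added illustration, not code from the original article: it reads a constructed SBoM in the CycloneDX JSON layout (bomFormat, components, purl, licenses; the format is assumed here, the article itself names no standard), then performs the two administrator checks listed earlier, a quick check for known vulnerabilities and a license check. The component names, versions, advisory identifiers (EXAMPLE-ADV-…) and license allow-list are all made up for the example.

```python
import json

# Constructed sample SBoM in the CycloneDX JSON layout (bomFormat / components /
# purl / licenses). Component names, versions and licenses are made up.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.2.0",
     "purl": "pkg:pypi/examplelib@2.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "netparser", "version": "1.9.3",
     "purl": "pkg:pypi/netparser@1.9.3",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "fastjson", "version": "3.0.1",
     "purl": "pkg:pypi/fastjson@3.0.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# "fixed_in" is the first version that is no longer affected.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "examplelib", "fixed_in": "2.3.1"},
    {"id": "EXAMPLE-ADV-0002", "name": "fastjson", "fixed_in": "3.0.0"},
]

# Licenses a hypothetical organization allows in shipped products.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Extract name, version and license ids per component from a CycloneDX-style JSON SBoM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBoM format: %r" % doc.get("bomFormat"))
    components = []
    for comp in doc.get("components", []):
        licenses = [entry.get("license", {}).get("id", "UNKNOWN")
                    for entry in comp.get("licenses", [])]
        components.append({
            "name": comp["name"],
            "version": comp["version"],
            # A component without license data is flagged rather than silently accepted.
            "licenses": licenses or ["UNKNOWN"],
        })
    return components


def find_vulnerable(components, advisories):
    """Return (name, version, advisory id) for every component older than the fixed version."""
    hits = []
    for comp in components:
        for adv in advisories:
            if (adv["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def find_license_issues(components, allowed):
    """Return (name, license id) for every license outside the allow-list."""
    return [(comp["name"], lic)
            for comp in components
            for lic in comp["licenses"]
            if lic not in allowed]


def assess(sbom_text, advisories=SAMPLE_ADVISORIES, allowed=ALLOWED_LICENSES):
    """Run both checks over one SBoM document and return the findings."""
    comps = load_components(sbom_text)
    return {"vulnerable": find_vulnerable(comps, advisories),
            "license_issues": find_license_issues(comps, allowed)}


if __name__ == "__main__":
    report = assess(SAMPLE_SBOM)
    for name, version, adv in report["vulnerable"]:
        print("VULNERABLE %s %s (%s)" % (name, version, adv))
    for name, lic in report["license_issues"]:
        print("LICENSE    %s: %s is not on the allow-list" % (name, lic))
```

The same two questions asked of a PDF would require someone to read the document by hand; with a structured file they run in milliseconds over every SBoM in the registry, which is the difference between a quarterly manual audit and the "instant insight" into known vulnerabilities the article describes. Note that the version comparison is numeric per segment, so a string comparison such as "2.10.0" < "2.9.7" does not slip through.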
Drafting a Bill of Materials is not new. Outside IT, it has been used successfully for years. It is therefore advisable to look at other sectors and take note of the experience gained there. (For example: How to make BOM with an automated bill of materials software (siemens.com)).
Summarizing
The use of an SBoM (Software Bill of Materials) gives the user insight into details, allowing quicker and more efficient handling of risky situations, or, conversely, preventing the organization from falling into a risky situation due to a lack of transparency and detailed information. Legislation (the Cyber Resilience Act) is expected to take effect within a few years, and the SBoM will prove to be of great value for smart and digital products.