Code vulnerabilities are growing in frequency and impact. Software is increasingly assembled from parts supplied by many different vendors, often referred to as the software supply chain, which makes vulnerabilities in those parts hard to find and fix quickly. In one recent example, a software team found an IP vulnerability and had to track down, via LinkedIn, the Fortune 100 company that could fix it in order to make them aware.
One solution to this problem is a software bill of materials (SBOM). Allan Friedman, director of cybersecurity initiatives at the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), who gave a keynote at Sonatype’s recent ELEVATE user conference, shared how critical it is to be transparent about the inner workings of code via an SBOM.
What Is an SBOM?
An SBOM is a structured set of metadata that describes a software package’s dependency tree: the components it is built from and the relationships between them. For each component it records key information such as the supplier, the component name, and the version number. Basic details like these are critical when analyzing software for vulnerabilities, because a vulnerability is usually rooted in one of the many component parts rather than in the top-level package, as detailed in the flowchart below (Figure 1).

Figure 1: Example SBOM elements
What Is the Value of an SBOM?
Transparency helps markets thrive. For example, food ingredient labels give people the knowledge they need to make intelligent decisions. Labels don’t guarantee people will eat healthily, but they give people the information to make healthy eating choices. Similarly, an SBOM won’t automatically solve all security problems, but it does give teams the information they need to solve them faster and more easily.
SBOMs can also tell you a lot about a software component before you consult any vulnerability database. For example, if an SBOM shows six different versions of the same package in one dependency tree, each of those versions has to be checked separately, and the odds are high that at least one of them, typically an older version pulled in transitively, carries a known vulnerability.
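The two uses above, reading the supplier, name and version of every component out of an SBOM and spotting a package that appears under several versions, can be shown in one small script. The following is an added example written for this page, not code from Sonatype, the NTIA or any SBOM tool. It assumes the SBOM is in CycloneDX JSON form (a `components` list plus a `dependencies` list keyed by `bom-ref`); the embedded SBOM, its package names, versions and suppliers are constructed for illustration and do not describe any real project.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical "example-app".
# Package names, versions and suppliers are illustrative only.
SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "bom-ref": "app",
                  "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/webframework@4.2.0",
     "name": "webframework", "version": "4.2.0", "supplier": {"name": "Vendor A"}},
    {"type": "library", "bom-ref": "pkg:npm/jsonparse@2.0.1",
     "name": "jsonparse", "version": "2.0.1", "supplier": {"name": "Vendor B"}},
    {"type": "library", "bom-ref": "pkg:npm/jsonparse@1.3.0",
     "name": "jsonparse", "version": "1.3.0", "supplier": {"name": "Vendor B"}},
    {"type": "library", "bom-ref": "pkg:npm/logger@0.9.0",
     "name": "logger", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/webframework@4.2.0", "pkg:npm/jsonparse@2.0.1"]},
    {"ref": "pkg:npm/webframework@4.2.0", "dependsOn": ["pkg:npm/logger@0.9.0", "pkg:npm/jsonparse@1.3.0"]},
    {"ref": "pkg:npm/jsonparse@2.0.1", "dependsOn": []},
    {"ref": "pkg:npm/jsonparse@1.3.0", "dependsOn": []},
    {"ref": "pkg:npm/logger@0.9.0", "dependsOn": []}
  ]
}
"""


def load_components(sbom):
    """Map each bom-ref to the supplier / name / version triple the text calls out."""
    comps = {}
    for c in sbom.get("components", []):
        supplier = (c.get("supplier") or {}).get("name", "unknown")  # supplier is optional in CycloneDX
        comps[c["bom-ref"]] = {"supplier": supplier, "name": c["name"], "version": c["version"]}
    return comps


def build_dependency_graph(sbom):
    """Adjacency list: bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def dependency_paths(graph, root):
    """Every path from the root component to a leaf, so a reviewer can see why a component is present."""
    paths = []

    def walk(node, path, seen):
        if node in seen:  # tolerate cyclic dependency entries instead of recursing forever
            return
        children = graph.get(node, [])
        if not children:
            paths.append(path)
            return
        for child in children:
            walk(child, path + [child], seen | {node})

    walk(root, [root], frozenset())
    return paths


def duplicate_versions(components):
    """Packages present under more than one version; each version must be checked separately."""
    versions = defaultdict(set)
    for info in components.values():
        versions[info["name"]].add(info["version"])
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def who_pulls_in(paths, ref):
    """Dependency paths that contain the given bom-ref (e.g. the older duplicate version)."""
    return [p for p in paths if ref in p]


def analyze(text):
    sbom = json.loads(text)
    comps = load_components(sbom)
    graph = build_dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = dependency_paths(graph, root)
    return {"components": comps, "paths": paths, "duplicates": duplicate_versions(comps)}


if __name__ == "__main__":
    result = analyze(SAMPLE_SBOM)
    for info in result["components"].values():
        print(f"{info['name']} {info['version']} (supplier: {info['supplier']})")
    for name, vers in result["duplicates"].items():
        print(f"{name} appears as {len(vers)} versions: {', '.join(vers)}")
    for p in who_pulls_in(result["paths"], "pkg:npm/jsonparse@1.3.0"):
        print("older jsonparse reached via: " + " -> ".join(p))
```

On the constructed SBOM the script lists four components, flags `jsonparse` as present in two versions, and shows that the older 1.3.0 is not a direct dependency of the application but arrives through `webframework`, which is exactly the information a team needs to decide whom to ask for a fix. Supplier names are taken from the optional `supplier` field, so the example reports `unknown` for `logger`, a reminder that an SBOM is only as useful as the fields its producer filled in.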
The capabilities go beyond