Everyone in an organization plays an important role in ensuring that their products and services are delivered safely to their customers.
Whether you're producing software or hardware, part of the manufacturing process, or anywhere in the software supply chain, being able to inventory the components used is necessary to move toward a goal of holistic security with full traceability.
A bill of materials is an inventory that details all of the components used to build a product.
Most notably, software bills of materials detail all of the software components in an application, along with the associated licenses.
An SBOM, created as part of a comprehensive approach to software composition analysis, is a point-in-time snapshot of the components in a particular software release.
SBOMs have been in the spotlight lately, thanks in large part to the U.S. government's inclusion of SBOMs in the National Cybersecurity Strategy and the EU Cyber Resilience Act's focus on protecting the digital components of software and hardware.
A growing variety of BOMs, collectively referred to as XBOMs, is gaining importance while creating a bit of an acronym maze.
Most commonly, a bill of materials may be available as a software bill of materials, but BOMs are increasingly common for other disciplines, including hardware, machine learning, manufacturing, operations and software-as-a-service.
An eXpanded SBOM. Still used in the context of software, an expanded SBOM, also written XBOM, may provide more information about each component.
Rather than listing only components and licenses, this form of XBOM includes expanded information about each part, such as who built it, which build system was used, the author, the date and other details that support traceability and the remediation of vulnerabilities.
Each one of these XBOMs has distinct ways to describe the parts included.
As the industry works toward standardized data models that have common attributes, each XBOM will become increasingly useful, both to those organizations that create and maintain it, and to the supply chain partners that consume the XBOM's information.
A comprehensive approach to consuming, creating and distributing XBOMs up and down the supply chain can help reduce security risks posed by vulnerabilities and the licenses associated with each component, can strengthen M&A activity, and can help make IT security digestible for all who do business with you.
Reducing cyber risk with XBOMs requires evaluating how they're used up and down the supply chain.
Ingesting XBOMs from upstream suppliers will help your organization know what vulnerabilities may be present in your builds, along with what licenses you must comply with.
Make your expectations clear to your upstream partners so that you receive the XBOMs you need.
By creating XBOMs for your software, hardware, manufacturing, operations and other initiatives, you'll be able to document the components you use, while also providing a clear illustration of how these components relate to the supply chain overall.
XBOMs can be useful tools to help achieve the goal of holistic security with full traceability.
Examine processes and procedures to see where the creation, ingestion and distribution of XBOMs may be most useful. Then evaluate the plans and resources to put in place to make this effort most effective, such as releasing an SBOM for each new software release, followed by subsequent versions that show the deltas, or changes, in new builds.
By getting everyone in an organization to focus on the security implications of their roles, your organization can proactively support effective practices, supported by XBOMs.
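As an added example that is not part of the article, the following Python script works through two of the points above: ingesting an SBOM to learn which licenses and vulnerable versions are present, and publishing deltas between point-in-time release snapshots. The JSON layout (a simplified, CycloneDX-like shape), the license allow-list and the placeholder vulnerability IDs are all constructed assumptions for illustration, not real data.

```python
import json

# Constructed sample SBOMs for two consecutive releases; the JSON shape is a
# simplified, CycloneDX-like layout assumed for this example, not a standard.
SBOM_V1 = json.loads("""{"release": "1.0", "components": [
  {"name": "libfoo", "version": "1.2.0", "licenses": ["MIT"]},
  {"name": "libbar", "version": "3.0.1", "licenses": ["GPL-3.0-only"]},
  {"name": "libbaz", "version": "0.9.0", "licenses": ["Apache-2.0"]}]}""")
SBOM_V2 = json.loads("""{"release": "1.1", "components": [
  {"name": "libfoo", "version": "1.2.1", "licenses": ["MIT"]},
  {"name": "libbaz", "version": "0.9.0", "licenses": ["Apache-2.0"]},
  {"name": "libqux", "version": "2.0.0", "licenses": ["BSD-3-Clause"]}]}""")

# Constructed policy (accepted licenses) and advisory data; IDs are placeholders.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
KNOWN_VULNERABLE = {
    ("libfoo", "1.2.0"): "VULN-PLACEHOLDER-1",
    ("libqux", "2.0.0"): "VULN-PLACEHOLDER-2",
}

def by_name(sbom):
    """Index a snapshot's components by name so two snapshots can be compared."""
    return {c["name"]: c for c in sbom["components"]}

def delta(old, new):
    """Describe what changed between two point-in-time snapshots."""
    a, b = by_name(old), by_name(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(n for n in set(a) & set(b)
                          if a[n]["version"] != b[n]["version"]),
    }

def findings(sbom):
    """Flag components with a disallowed license or a known vulnerable version."""
    out = []
    for c in sbom["components"]:
        for lic in c["licenses"]:
            if lic not in ALLOWED_LICENSES:
                out.append((c["name"], "license", lic))
        vid = KNOWN_VULNERABLE.get((c["name"], c["version"]))
        if vid:
            out.append((c["name"], "vulnerability", vid))
    return sorted(out)

if __name__ == "__main__":
    print("delta 1.0 -> 1.1:", delta(SBOM_V1, SBOM_V2))
    print("findings:", findings(SBOM_V1), findings(SBOM_V2))
```

Running it shows that moving from release 1.0 to 1.1 retired the GPL-licensed component and the vulnerable libfoo version, but introduced a new component that itself needs remediation.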
This Cyber News was published on securityboulevard.com. Publication date: Thu, 11 Jan 2024 15:43:15 +0000