What Is a Software Bill of Materials (SBOM)?

5 min. read

A software bill of materials (SBOM) is a complete inventory of components, including metadata such as licenses and versions, that make up a software application. SBOMs provide organizations with a centralized and complete record of details on third-party components, open-source libraries, and software dependencies used in the development of a software application.

Proving a vital element to software security and software supply chain risk management, SBOMs enable organizations to assess risks within third-party and proprietary software packages and resources.

Software Bill of Materials Explained

A software bill of materials (SBOM) is an inventory of all the components — including third-party libraries, artifacts, licenses, scripts, and package versions, as well as dependencies that make up a software application.

As an ingredient list, the SBOM provides transparency into all constituent parts of the software. By documenting every component, from the primary application down to the smallest library, SBOMs offer a clear view into what's running in an environment, ultimately enabling security teams to understand risk, track dependencies, and audit software.

In the context of cloud-native applications, SBOMs play a pivotal role. Microservices architectures, by design, break applications into smaller, independent services. Many of these services often incorporate open-source software packages. In fact, a single OSS package could be propagated across multiple services, potentially thousands of times. Without proper awareness of these components, developers and security teams can overlook vulnerabilities. SBOMs address the challenge by offering a consolidated view of all software ingredients — in-house and third-party.

The primary benefit of SBOMs lies in the rapid response to emerging vulnerabilities they facilitate. When a vulnerability emerges in an open-source package, for instance, an organization with a detailed SBOM can quickly assess their exposure and act accordingly. In the absence of an SBOM, identifying affected areas across the software supply chain might take days or weeks, leaving applications vulnerable to potential attacks.

Who Should Have a SBOM

Every organization engaged in software development, procurement, or deployment should maintain a software bill of materials to enhance security, risk management, and compliance practices.

What’s more, given the pivotal role the SBOM plays in vulnerability management, all stakeholders directly involved with application development processes should be equipped with a comprehensive SBOM.

Software Developers

Developers can use SBOMs to track dependencies, manage open-source components, and ensure that the libraries and frameworks they utilize are up-to-date and secure. An SBOM helps developers identify potential vulnerabilities and prioritize remediation efforts during the development process.

Operations and DevOps Teams

By providing an inventory of software components, an SBOM enables operations and DevOps teams to manage software deployments, monitor for updates and patches, and maintain a secure environment during continuous integration and continuous deployment (CI/CD) processes.

Security Teams

An SBOM aids security teams in vulnerability management, risk assessment, and incident response. It enables them to identify and remediate vulnerabilities in the software stack, determine the scope and impact of security incidents, and plan recovery efforts more efficiently.

Compliance Officers and Auditors

SBOMs facilitate compliance with industry regulations and standards by providing transparency into the software supply chain. Compliance officers and auditors can use SBOMs to verify that organizations adhere to best practices and regulatory requirements related to software components, third-party libraries, and open-source usage.

Software Vendors and Suppliers

Software vendors and suppliers can leverage SBOMs to demonstrate the security and reliability of their products, providing customers with increased confidence in their offerings. An SBOM helps vendors showcase their adherence to industry standards and best practices, which can be a competitive advantage in the marketplace.

Software Customers and End-Users

Customers and end-users benefit from SBOMs by gaining insight into the software components they rely on, making informed decisions about the software they procure, and ensuring that they maintain a secure and compliant environment.

 

What the SBOM Should Include

A software bill of materials typically includes the following for each component of your software application:

  • The name of the software component or library, including version number and release date.
  • A brief description of the component or library, including its purpose and functionality.
  • All license information applicable to that component, including any copyright information or usage guidelines.
  • The name and contact information of the author, supplier, or distributor of the software component.
  • List of all dependencies required for the component or library to work properly.
  • List of patches or updates applied to the component or library, including the date of each patch or update.
  • Any known vulnerabilities associated with the component or library, including Common Vulnerabilities and Exposures (CVE) identification numbers and severity ratings.
  • The name of the entity that generated the SBOM data, including the date and time the data was generated.

The Role of SBOMs in Cybersecurity and Compliance

In 2021, the White House explicitly highlighted software bills of materials in the Executive Order on Improving the Nation's Cybersecurity, emphasizing their importance for managing software security and risk. The order mandates that all U.S. government agencies receive an SBOM for software purchased from vendors.

Various agencies have taken steps to support organizations adopting SBOMs. The National Telecommunications and Information Administration (NTIA) developed a framework for creating SBOMs, while the Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines for using SBOMs to manage software risk. Other organizations and initiatives, such as the Open Source Security Foundation (OpenSSF) and the Linux Foundation, also promote SBOMs as a best practice for software supply chain risk management.

"By 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize software bills of materials (SBOMs) in their software engineering practice, up from less than 20% in 2022," according to Gartner Hype Cycle for Open-Source Software.

Why Is an SBOM Important?

In the above-mentioned Gartner Hype Cycle for Open-Source Software, the data market research firm defined software bill of materials as “the evolutionary response to the demand for transparency and control of third-party, software-related risks.” In other words, widespread OSS adoption has resulted, by necessity, in widespread SBOM adoption.

To maintain a competitive release velocity, organizations prioritize agility and leverage technologies to improve application development efficiency — including third-party components such as open-source code. But because third-party components introduce unique risks and additional complexity into the software supply chain, organizations build SBOMs into their software supply chain security strategies.

SBOM Use Cases

Visibility

SBOMs provide critical visibility into the software supply chain. With a detailed list of all software components — including relevant metadata like open-source licenses and package versions — organizations fully understand all the components that constitute their software.

Security

Providing visibility into the software components used within an organization, the SBOM supports risk assessment and mitigation efforts and contributes to maintaining a secure and compliant software environment. SBOMs help identify vulnerabilities in software applications by surfacing information about third-party libraries and dependencies. This information enables teams to make data-informed decisions about how to best manage their use of software components to align their supply chain strategy with their overall risk tolerance.

Regulatory Compliance

An SBOM facilitates compliance with industry regulations and standards, as it provides transparency into the software supply chain and allows for traceability in the event of a security breach or audit.

Organizations can use SBOMs to get visibility into their open-source software use, which enables teams to proactively identify any relevant open-source package licenses. If a team accidentally uses an open-source package in a noncompliant manner and does not catch it early, that can result in significant remediation costs down the line. But early identification of OSS license noncompliance enables development teams to quickly remediate the issue and avoid the time-intensive process of retroactively removing noncompliant packages from their codebase.

A software bill of materials enables software developers, IT security teams, and other stakeholders to make informed decisions about security risks and compliance, in addition to software development and deployment. Other benefits include:

Vulnerability Management

With a well-maintained SBOM, organizations can efficiently prioritize and remediate vulnerabilities, focusing on those that pose the highest risk to their systems and applications. Security teams can use the information in an SBOM to conduct vulnerability assessments on software components and dependencies. These assessments help teams identify vulnerabilities and better prioritize remediation efforts. Similarly, with improved visibility into their software supply chain, organizations can identify and manage supply chain risks, including those related to open-source software dependencies and CI/CD pipelines.

What’s more, an SBOM assists in streamlining patch management by pinpointing affected components when security updates are released, enabling organizations to apply patches quickly and minimize the window of exposure.

SBOMs & Incident Response

A SBOM supports incident response efforts by helping security teams identify compromised components and understand the potential impact of a breach.

By providing incident responders with visibility into the software stack, offering detailed information about the components within an application or system, security teams can quickly identify not only the affected software components but also their versions, and dependencies. Having this information in hand accelerates the process of determining the scope and impact of the breach, in addition to facilitating a more targeted response.

Knowledge is power. With a clear inventory of software components and their relationships, responders understand the attack vectors that adversaries may have exploited and can discover the root cause of the breach. When the incident originates from a vulnerable component, the SBOM allows security teams to trace the component's origin in the supply chain.

With a comprehensive understanding of the affected components, incident response teams can better plan and execute recovery efforts. The SBOM enables teams to prioritize remediation, apply patches, and restore systems to a secure state more efficiently, minimizing downtime and disruption.

Forensic Analysis

In the aftermath of a security incident, forensic investigators can use the SBOM to reconstruct the sequence of events, identify potential vulnerabilities, and determine the extent of the compromise. A SBOM-guided analysis is invaluable for improving security measures, refining incident response plans, and ensuring compliance with regulatory requirements.

Maintenance

SBOMs help organizations better manage and maintain their software applications. By providing a clear list of all software components and their versions, organizations can more easily identify and manage updates and patches to ensure that software applications are up to date and protected.

SBOMs are important because they help organizations better manage security, compliance, visibility, maintenance, and the risks associated with third-party software components. By providing organizations with granular visibility into all components that make up their codebase, they can make more informed decisions about their software supply chain security posture and risk tolerance.

Related article: Ungoverned Usage of Third-Party Services in the CI/CD Pipeline

Software Composition Analysis and SBOMs

Software composition analysis (SCA) and software bill of materials play complementary roles in ensuring the security and transparency of applications in the software development process.

SCA actively scans and analyzes the components in an application, particularly open-source and third-party components, to identify known vulnerabilities and potential licensing issues. By continuously monitoring for vulnerabilities in these components, software composition analysis helps developers make informed decisions about the components they use and provides actionable insights to remediate any issues found.

The SBOM serves as a transparent record of the application's composition, enabling developers to track dependencies and assess the impact of potential vulnerabilities or licensing issues.

When software composition analysis and SBOMs work together, they create a powerful synergy for securing and maintaining applications. Software composition analysis generates the data needed to populate the SBOM, and the SBOM, in turn, provides a clear and organized view of the application's components. Together, the two functionalities facilitate efficient vulnerability management, as developers can easily trace the origin of any security issue and prioritize remediation efforts based on the SBOM.

How Does an SBOM Help Prevent Open-Source Supply Chain Attacks

Bad actors often exploit vulnerabilities in open-source code components to infiltrate organizations' software supply chains. To avoid breaches and secure their software supply chains, organizations must identify and address potential risks. An SBOM generation tool offers visibility into the software supply chain, but organizations also need to detect and remediate vulnerabilities in open-source code to prevent OSS-based attacks.

Software composition analysis enables teams to scan their codebase for known vulnerabilities in open-source packages. If the SCA solution detects vulnerable packages, teams can swiftly apply patches or update to more secure versions. When no patch is available for a new vulnerability, organizations can use the SCA tool to locate the package's usage in their codebase, allowing engineers to remove and replace it.

Combining software composition analysis with an SBOM generation tool enhances visibility into the codebase and strengthens control over the software supply chain. This integrated approach empowers development and security teams to prevent open-source supply chain attacks and bolster their overall security posture.

In the Event of a Cyberattack

In addition to helping prevent a cyberattack, an SBOM serves as a pivotal asset during a cyberattack. Security teams can leverage the SBOM to quickly identify affected components and assess the potential impact of the attack on the application. By pinpointing vulnerable components and understanding their dependencies, teams can prioritize remediation efforts and efficiently address security issues.

SBOM Formats

The lack of a universally accepted standard format for SBOMs can hinder interoperability between different tools and systems. Organizations must choose or adopt a suitable SBOM format that aligns with their needs and industry best practices while ensuring compatibility with their existing processes and tools.

Common SBOM formats include CycloneDX, CSV, and SPDX.

CycloneDX: CycloneDX is an open standard format for describing software bill of materials data. CycloneDX is a recommended SBOM format because it’s supported across a number of tools and platforms, such as OWASP Dependency-Track, GitHub, GitLab, and JFrog Xray.

CSV: A CSV file is a comma-separated SBOM format that displays SBOM data grouped by component type such as open-source packages and container images.

SPDX: The Software Package Data Exchange (SPDX) format is a widely used open standard format that’s maintained by the Linux Foundation.

Using an open standard format for your software bill of materials, such as CycloneDX or SPDX, can help facilitate interoperability across tools and platforms.

Organizations can also use Software Identification (SWID) tags as a form of SBOM. While SWID tags are not a distinct format of SBOM, they can be used to produce the same kinds of information that more traditional SBOM formats display. For example, organizations can use SWID tags to describe a wide range of components, including operating systems, applications, and libraries.

Challenges with SBOM Creation and Maintenance

Creating and maintaining a SBOM presents challenges. To manage the complexity and scale of software components — including open-source libraries, third-party tools, and proprietary code — requires significant effort.

Depth of Information

SBOMs must be comprehensive, which can prove challenging when tracking an inventory across diverse environments. Along similar lines, SBOMs could lack sufficient depth of information about the extent of potential damage or exploitability of identified vulnerabilities. In some circumstances, DevSecOps teams will need to supplement SBOMs with additional vulnerability assessment and risk analysis techniques.

Inflated Reports

Automated SBOM generation tools may produce false positives, inaccurately flagging components as vulnerable or including components not present in the production environment. Organizations need to verify the accuracy of generated SBOMs and filter out any irrelevant or incorrect information, which may cause fatigue.

Version Control

Software components are frequently updated, with new versions introducing bug fixes, security patches, or additional features. Maintaining an SBOM requires continuous monitoring and updating to reflect these changes and ensure that the most recent and secure versions of components are documented.

Data Privacy and Security

SBOMs may contain sensitive information about an organization's software stack and its potential vulnerabilities. Safeguarding this data and ensuring that access to it is restricted to authorized personnel is essential to prevent unintended disclosure of sensitive information.

Automated Tooling and Integration

While automated tools can help streamline the process of generating and maintaining an SBOM, integrating these tools into existing development and deployment pipelines may present challenges. Organizations must ensure compatibility with their existing toolsets, workflows, infrastructure, and security policies.

Software Bill of Materials Best Practices

When adopting an SBOM generation solution, organizations need to establish a set of best practices to ensure that they’re fully benefiting from the visibility, security, and compliance benefits of SBOMs. Organizations should ensure that their SBOM strategy incorporates the following best practices:

Generate SBOMs Frequently

Whenever proprietary software has a new release, a supplier shares new information about a component, or another stakeholder identifies an error in the SBOM, the organization must generate a new SBOM.

Generate In-Depth Information

At minimum, an SBOM must inventory all the main software components and list transitive dependencies. However, it’s recommended to seek an SBOM generation solution that goes into deeper layers of dependencies to provide comprehensive visibility into the software supply chain.

Account for Tampering Risk

To find evidence of tampering, compare SBOMs generated before and after deployment. This practice helps provide the validity and reliability of information stored in an SBOM.

Avoid Risky Assumptions

Assume that an SBOM does not represent the complete dependency graph, unless otherwise stated. SBOMs may have incomplete or inaccurate information and teams need to consider that fact as they work with SBOMs.

Maintain Data Availability

Procedures must be established to ensure that SBOMs are delivered to relevant stakeholders promptly and with proper permissions.

Establish Access Control

Some, but not all, organizations may be comfortable sharing SBOM information publicly. If organizations prefer to restrict access to data, they will need to establish access control procedures via licensing, contracts, or another mechanism with their stakeholders.

SBOM FAQs

The creation and maintenance of an SBOM are typically the responsibilities of software developers, security teams, and operations teams within an organization. Developers initiate the SBOM by documenting components used in the software, while security and operations teams collaborate to keep it updated, reflecting changes in dependencies, versions, and vulnerability statuses throughout the software lifecycle.
An SBOM is created during the software development process, as developers identify and document components, dependencies, and versions. Changes and maintenance occur throughout the software lifecycle, including during updates, security patches, and the addition or removal of components. Regular updates are crucial to ensure the SBOM accurately reflects the current software stack, vulnerabilities, and risk assessments.
Tools that can translate between different SBOM formats, such as SPDX, CycloneDX, and SWID are available. One such tool is OWASP Dependency-Track, which supports importing and exporting various SBOM formats. Tools like this aid in achieving interoperability between different systems and processes within an organization or across organizations in a software supply chain.

While it is not common for a single organization to actively use multiple SBOM formats for their internal processes, certain scenarios may require them to work with different formats. For example, when collaborating with external partners or suppliers in a software supply chain, an organization may encounter different SBOM formats used by these entities. In such cases, organizations may need to translate or convert between formats to ensure compatibility and maintain effective communication throughout the supply chain.

Selecting and adopting a single SBOM format internally that aligns with industry best practices and the organization's requirements can help streamline processes and reduce complexity.

SBOMs do not require source code disclosure. They primarily document the inventory of software components, their versions, and dependencies within applications or systems.
DevSecOps is the integration of security practices within the DevOps process. It aims to embed security in every part of the software development lifecycle. By shifting security left, DevSecOps ensures that security considerations are addressed from the inception of a project, rather than being an afterthought. This approach promotes collaboration between development, security, and operations teams, leading to faster, more secure software releases.
Exploitability refers to the ease with which an attacker can exploit a vulnerability in a system or application. It's a measure of the feasibility and impact of a potential attack. Factors influencing exploitability include the availability of exploit code, the complexity of the exploit, and the potential for automated attacks. High exploitability indicates that a vulnerability can be readily exploited, posing a significant risk.
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. It provides support for open-source communities through financial and intellectual resources, infrastructure, services, events, and training. The foundation hosts several prominent open-source projects, ensuring their sustainability and promoting open standards.
The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving software security. It's renowned for its Top 10 list, which highlights the most critical web application security risks. OWASP provides tools, methodologies, documentation, and educational resources for developers, security professionals, and organizations to enhance the security of their web applications.
A codebase refers to the collection of source code used to build a particular software application or software component. It encompasses all the versions, branches, and configurations of the code. In modern development practices, codebases are typically managed using version control systems like Git, which track changes, facilitate collaboration, and ensure the integrity and consistency of the code throughout its lifecycle.
An open-source component refers to a software module or library that is released under an open-source license. This means its source code is publicly accessible, allowing developers to view, modify, and distribute it. While these components accelerate development and reduce costs, they can introduce security vulnerabilities if not properly vetted or kept up to date. Integrating them requires rigorous security assessment and continuous monitoring to ensure they don't compromise the integrity of the larger application or system.
A risk base refers to the foundational set of criteria used to assess and prioritize risks within a system or organization. It encompasses the methodologies, metrics, and thresholds that guide risk evaluation. In a security context, a risk base helps organizations identify vulnerabilities, threats, and their potential impacts, enabling them to allocate resources effectively and implement appropriate countermeasures based on the severity and likelihood of each risk.
The National Telecommunications and Information Administration (NTIA) is an agency within the U.S. Department of Commerce responsible for advising the President on telecommunications and information policy issues. NTIA's roles include managing federal spectrum use, advocating for U.S. interests in global communications discussions, and supporting broadband access and adoption. In the context of cybersecurity, NTIA has been involved in initiatives related to enhancing the security and resilience of the internet and communications infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. federal agency under the Department of Homeland Security (DHS) established to safeguard the nation's critical infrastructure from physical threats and cyberthreats. CISA provides comprehensive cybersecurity tools, incident response services, and assessment capabilities to protect the .gov domains and enhance the security and resilience of the nation's critical infrastructure sectors. CISA collaborates with other federal agencies, state and local governments, and private sector partners to enhance the nation's cybersecurity posture.
Executive Order 14028, titled "Improving the Nation's Cybersecurity," was issued by the U.S. President in May 2021. It aims to strengthen the federal government's cybersecurity posture by modernizing cybersecurity standards, enhancing software supply chain security, and implementing a Zero Trust architecture. The order also mandates the development of a standardized playbook for incident response and emphasizes the importance of threat intelligence sharing between the public and private sectors. It underscores the federal government's commitment to partnering with the private sector to secure critical infrastructure against evolving cyberthreats.
Log4j is a Java-based logging utility widely used in enterprise applications. In late 2021, a critical vulnerability, often referred to as "Log4Shell," was discovered in Log4j version 2. This vulnerability allowed remote code execution, making systems susceptible to unauthorized access and data breaches. Given its widespread adoption, the vulnerability had significant implications for global cybersecurity, prompting immediate patching and mitigation efforts across industries.
The National Institute of Standards and Technology (NIST) is a U.S. federal agency under the Department of Commerce responsible for developing and promoting standards and best practices in domains that include cybersecurity. NIST's cybersecurity framework and publications, such as the Special Publication (SP) 800 series, are globally recognized and adopted by public and private sectors to enhance their cybersecurity postures and resilience against cyberthreats.
Third-party components refer to software libraries, modules, or tools developed outside an organization's internal development team. Developers integrate these components into applications to expedite development, add functionalities, or leverage specialized capabilities without building them from scratch. While they offer efficiency and cost benefits, they can introduce vulnerabilities if not properly vetted or maintained.