Today’s software packages usually include an extensive number of third-party components. Companies must actively watch and manage each one to preserve security, license compliance, and functionality. As Alex Rybak explained in a previous blog, the idea of SBOMs has been around for a while. Vendors have historically used bills of materials to identify the many pieces that make up their products in supply chain management.
What is an SBOM? And what about all those other terms we use in the context of SBOM management? Read on as I define some of those key words and phrases, to provide clarity and a single reference you can come back to:
- Software Bill of Materials (SBOM): A structured list that enumerates all the components, dependencies, and attributes of a software application. It provides transparency into the software’s composition, aiding in vulnerability management, licensing compliance, and risk assessment.
- Component: A discrete part of software, which can be a library, module, package, or any other unit that contributes to the functionality of the application.
- Dependency: A software component or library that is required for another component to function properly. Dependencies can be direct or indirect.
- Version: A specific iteration of a software component or library, often identified by a version number or a version control system tag.
- Licensing: The legal terms and conditions that dictate how a software component can be used, distributed, and modified. SBOMs help track and manage licenses.
- Vulnerability: A weakness or flaw in a software component that could be exploited by malicious actors. SBOMs help identify and address vulnerabilities in software applications.
- Open-Source: Software whose source code is made available to the public, enabling users to view, modify, and distribute it. SBOMs are crucial for managing open-source components and their licenses.
- Commercial Off-The-Shelf (COTS): Pre-built software components or applications developed by third-party vendors and sold to users.
- Software Bill of Materials Management: The process of creating, maintaining, and updating the SBOM for a software application throughout its lifecycle.
- SBOM Generator: Tools or scripts that automatically generate an SBOM by analyzing the source code and its dependencies.
- SBOM Solutions: Tools that examine an SBOM to identify vulnerabilities, licensing issues, and other potential concerns.
- Risk Assessment: The process of evaluating potential threats and vulnerabilities in software components to determine their potential impact on the overall system’s security and stability.
- License Compliance: Ensuring that software components and their usages adhere to legal and licensing requirements, as well as organizational policies.
- Continuous Monitoring: Ongoing assessment of software components, dependencies, and vulnerabilities to keep the SBOM up to date and accurate.
- Maturity Level: A classification that indicates the stability and reliability of a software component or library. Higher maturity levels often imply fewer bugs and vulnerabilities.
- Software Supply Chain: The interconnected network of software components, libraries, and dependencies that contribute to an application’s development and operation.
- Metadata: Supplementary information about a software component, such as its version, author, release date, and dependencies.
- Integration: The process of incorporating different software components or systems to work together seamlessly.
- Remediation: The actions taken to address vulnerabilities, security issues, or other problems identified in the SBOM.
- Documentation: Comprehensive records that describe the purpose, functionality, usage, and other pertinent details of software components.
- Version Control: The management of changes to software components over time, often facilitated by version control systems like Git.
- DevSecOps: An approach that integrates development, security, and operations so that security measures are built into the entire software development lifecycle rather than added at the end.
- Audit Trail: A chronological record of changes, updates, and actions taken regarding software components, licenses, and vulnerabilities.
- Governance: The establishment and enforcement of policies, processes, and procedures for managing software components and their associated risks.
- Third-Party Libraries: Software components developed by external entities and integrated into an application to provide specific functionality. Proper management of these libraries is crucial for security and compliance.
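To make several of the terms above concrete (component, direct vs. indirect dependency, vulnerability, license compliance, and what an SBOM solution does when it examines an SBOM), here is an added example that is not from the original post and not Revenera's code. It reads a constructed, simplified CycloneDX-style SBOM, derives each component's dependency path from the application root, and flags components that match a constructed advisory list or a denied license. The JSON layout, field names, package versions and advisory ids are all assumptions made for the example.

```python
"""Examine a minimal SBOM: classify dependencies as direct or transitive,
then flag vulnerable components and license-policy violations."""
import json

# Constructed sample SBOM in a simplified CycloneDX-like layout (assumption).
# "ref" values use package-URL syntax; versions and licenses are made up.
SBOM_JSON = """{
  "metadata": {"component": {"ref": "app"}},
  "components": [
    {"ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0", "license": "Apache-2.0"},
    {"ref": "pkg:pypi/urllib3@1.26.4", "name": "urllib3", "version": "1.26.4", "license": "MIT"},
    {"ref": "pkg:pypi/leftpad@0.1.0", "name": "leftpad", "version": "0.1.0", "license": "GPL-3.0-only"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.25.0", "pkg:pypi/leftpad@0.1.0"]},
    {"ref": "pkg:pypi/requests@2.25.0", "dependsOn": ["pkg:pypi/urllib3@1.26.4"]}
  ]
}"""

# Constructed advisory feed: name -> {affected version: advisory id}. Placeholder ids, not real CVEs.
ADVISORIES = {"urllib3": {"1.26.4": "ADV-PLACEHOLDER-1"}}
# Organizational license policy (assumption): licenses the application may not ship with.
DENIED_LICENSES = {"GPL-3.0-only"}

def dependency_paths(sbom):
    """Return {component ref: shortest path from the root component} via breadth-first search."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["ref"]
    paths, queue = {}, [(root, [root])]
    while queue:
        ref, path = queue.pop(0)
        for child in graph.get(ref, []):
            if child not in paths:                 # first visit is the shortest path
                paths[child] = path + [child]
                queue.append((child, paths[child]))
    return paths

def examine(sbom_text):
    """Return (name, direct|transitive, finding type, detail, path) for each problem found."""
    sbom = json.loads(sbom_text)
    paths = dependency_paths(sbom)
    findings = []
    for c in sbom["components"]:
        path = paths.get(c["ref"], [])
        kind = "direct" if len(path) == 2 else "transitive"   # root -> component is length 2
        advisory = ADVISORIES.get(c["name"], {}).get(c["version"])
        if advisory:
            findings.append((c["name"], kind, "vulnerability", advisory, " -> ".join(path)))
        if c.get("license") in DENIED_LICENSES:
            findings.append((c["name"], kind, "license", c["license"], " -> ".join(path)))
    return findings
```

The path in each finding is what makes remediation actionable: a transitive hit like urllib3 is fixed by updating the direct dependency (requests) that pulls it in, not by editing the application's own manifest.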
Revenera provides an SBOM Management solution called SBOM Insights that helps you gain transparency and insights into the complexity of your software. SBOM Insights is a SaaS solution that tracks all the components in your software, regardless of where in the supply chain they originated.