In simple terms, we think of a Software Bill of Materials (SBOM) as an inventory of the software components found in software applications—open source, third-party, and custom code. However, not all developers, security personnel, and stakeholders truly recognize the impact third-party libraries have on the software supply chain. And given how much more complex the supply chain has become in recent years, that simple definition no longer captures everything an SBOM should represent and accomplish, from improved efficiency and cost reduction to addressing technical debt.
While things are speeding along (a lot has happened over the last few years, specifically), most organizations are still trying to figure out why SBOMs are needed, who needs them, what should be included in an SBOM, and, once we have them, what the heck do we do with them? Without knowing or understanding how critical an SBOM is to identifying and avoiding software vulnerabilities, perhaps you’re thinking, “We’re good.”
Given that, the obvious questions are: how comprehensive are your efforts, and what is your plan for implementing a more effective approach? Secondly, is there a tool you can use to assess your SBOM management readiness?
SBOM Maturity Framework
Revenera has devised a framework made up of three specific levels of maturity for SBOM management. This framework applies to all companies serving various industries:
- Reactive – You have some general awareness of what’s happening with emerging security regulations, but SBOM management has yet to take on a strategic focus and most likely requires manual construction.
- Enabled – SBOM management has taken on a strategic focus, but you might still be deciding where it rests in the organization. SBOM transparency is a high priority, and you continuously work to approach it in a way that meets more than just the needs of your business.
- Optimized – Your organization has assigned responsibility for supply chain security and SBOMs are part of your business strategy for security and compliance risk mitigation. You have an automated and scalable SDLC process in place that is tied to your DevSecOps pipelines for SBOM construction, refinement, and utilization.
This model assesses business processes and technological functionality in four key dimensions of SBOM management.
Strategic Focus
This element of readiness looks at the extent to which SBOMs are woven into the fabric of an overarching compliance and security strategy. Is there a formalized team, such as an OSPO (Open Source Program Office), dedicated to SBOM management? Have clearly defined metrics been identified to measure both success and progress? With an optimized strategy, an organization has operationalized SBOM generation, refinement, and delivery.
SBOM Construction
With an enhanced approach to SBOM construction, SBOM functionality is integrated with software development and tracks all software components, regardless of where they originated, including commercial, third-party, and proprietary components along with all of their direct and transitive dependencies.
Data Sharing
The process of sharing SBOM data is crucial to a highly optimized SBOM management program because it gives the right people access to the data at the right time. Sharing data across the software supply chain requires having the right technical platform, data formats, and operational processes in place at every point in that chain so that participants can collaborate effectively.
Automation Integration/Continuous Process
This element of SBOM maturity looks at whether SBOM construction is both automated and continuous, so there is a complete picture of legal and security risks in real time. Manually analyzing, curating, and processing SBOM data is time-consuming, especially since even the smallest software applications can be composed of many components. Automation ensures continuous scanning to produce SBOMs, creates consistency, and promotes increased transparency.
Assess Your SBOM Readiness
As I mentioned above, hype around SBOMs has taken off over the last several years, largely because regulatory bodies have stepped in to improve efforts to secure the software supply chain and protect organizations against malicious actors. Along with all the hype comes confusion.
The goal is to embrace an SBOM approach that helps you build a robust security posture through automation and fast identification and mitigation of risk. SBOMs should provide a 360-degree view of your risk exposure up and down the software supply chain.
To help, Revenera created the SBOM Maturity Assessment. We encourage you to take a few minutes to answer some questions about your processes. In return, we’ll provide you with an evaluation of your SBOM management practices along with actionable next steps for controlling open source, third-party, and commercial component use through the strategic implementation of an SBOM.