Advancements with Software Bills of Materials

Deb Radcliff, industry analyst and editor of CodeSecure’s TalkSecure educational blogs and podcasts (syndicated at Security Boulevard, YouTube, and Bright Talk), interviews transformative product security executive Kymberlee Price.

In late January, the Cybersecurity and Infrastructure Security Agency (CISA) released much-needed new Guidance on Assembling a Group of Products, created by the Software Bill of Materials (SBOM) community it convenes.

Think of an SBOM as the list of ingredients for a software product; each ingredient in turn needs its own SBOM so that both product developers and the buyers/consumers of the product can see what is inside. This ingredient list is particularly important for embedded systems in automotive, space, medical, and other critical applications that, if breached, could result in injury or loss of life.

The SBOM concept is not new, dating back more than ten years to when Josh Corman brought the idea to light through his IamtheCavalry nonprofit focused on securing the software supply chain. But thanks to CISA’s efforts, SBOMs are moving into the mainstream for both product companies and product consumers, notes Kymberlee Price, Transformative Product Security Executive and CEO and founder of Zatik Security, a services cooperative that serves small and medium businesses.

CISA’s new guidance includes reference documentation called the Product-Line Build SBOM, or PLB-SBOM. While the documentation is light on actual solutions, including how to manage multiple SBOMs for the myriad components in a product, it makes a good starting point, Price says. “I appreciate that the CISA is not getting overly prescriptive this early,” she adds. “It’s a starting place. As time goes on you will see SBOM utility and use cases get validated.”

CISA’s guidance on assembling a group of products into SBOMs lays out the information required in a PLB-SBOM: an identifier, a versioning system, a list of all components and their versions, and a reference to the build SBOM for each component. It also includes a short list of “desired information,” such as artifact hashes, authors, and tags.
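To make those required and desired fields concrete, here is an added example (not CISA’s schema and not CodeSecure’s or Zatik’s code) that checks a constructed product-line build SBOM for the required fields, confirms that every component’s build-SBOM reference resolves, and verifies the optional artifact hashes against the artifacts on hand; the dictionary layout and key names are assumptions.

```python
import hashlib

# Assumed layout: the CISA guidance names these fields, but the key names are ours.
REQUIRED = ("identifier", "versioning_system", "components")
COMPONENT_REQUIRED = ("name", "version", "build_sbom_ref")  # "desired" fields are optional

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_plb_sbom(plb: dict, build_sboms: dict, artifacts: dict) -> list:
    """Return a list of findings; an empty list means the PLB-SBOM passes."""
    findings = []
    for field in REQUIRED:
        if field not in plb:
            findings.append(f"missing required field: {field}")
    for comp in plb.get("components", []):
        label = comp.get("name", "<unnamed>")
        for field in COMPONENT_REQUIRED:
            if field not in comp:
                findings.append(f"{label}: missing required component field: {field}")
        # Every component must point at a build SBOM we can actually resolve.
        ref = comp.get("build_sbom_ref")
        if ref is not None and ref not in build_sboms:
            findings.append(f"{label}: build SBOM reference {ref!r} does not resolve")
        # Desired information (artifact hash) is verified only when supplied.
        expected = comp.get("artifact_hash")
        if expected is not None:
            data = artifacts.get(label)
            if data is None:
                findings.append(f"{label}: no artifact on hand to verify hash")
            elif sha256_hex(data) != expected:
                findings.append(f"{label}: artifact hash mismatch")
    return findings

# Constructed sample data: libbar's reference is stale and its artifact was swapped.
LIBFOO = b"libfoo 1.2.0 object code (constructed)"
LIBBAR = b"libbar 0.9.1 object code (constructed)"
SAMPLE_BUILD_SBOMS = {"urn:example:sbom:libfoo-1.2.0": {"name": "libfoo"},
                      "urn:example:sbom:libbar-0.9.1": {"name": "libbar"}}
SAMPLE_PLB = {
    "identifier": "urn:example:product:widget-line",
    "versioning_system": "semver",
    "components": [
        {"name": "libfoo", "version": "1.2.0", "build_sbom_ref": "urn:example:sbom:libfoo-1.2.0",
         "artifact_hash": sha256_hex(LIBFOO), "authors": ["foo team"], "tags": ["release"]},
        {"name": "libbar", "version": "0.9.1", "build_sbom_ref": "urn:example:sbom:libbar-0.9.0",
         "artifact_hash": sha256_hex(b"libbar 0.9.1 object code")},
    ],
}
SAMPLE_ARTIFACTS = {"libfoo": LIBFOO, "libbar": LIBBAR}
```

Running `check_plb_sbom(SAMPLE_PLB, SAMPLE_BUILD_SBOMS, SAMPLE_ARTIFACTS)` reports the dangling reference and the hash mismatch for libbar and nothing for libfoo.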

Demands for other BOM information will likely grow in the future, but the key, says Price, is to help product companies and their customers develop and use SBOMs while the management and standards-related issues holding back SBOM adoption are worked out.

Listen in on this 25-minute video and learn how to use SBOMs in pre-development stages, reduce tech waste in products, and improve software integrity to win over customers now and in the future.

BIO:

Kymberlee Price is a dynamic engineering leader and public speaker known for developing high-performing multidisciplinary teams responsible for the security and integrity of software products, services, and infrastructure. 

RESOURCES: 

  • Managing the Lifecycle of your SBOMs with real-life demo of how an intermediary can help
  • OWASP’s BOM Maturity Model
  • SBOM Use Cases in action, and why Binary Composition Analysis (BCA) matters
  • Deb Radcliff’s interview with IamtheCavalry’s Josh Corman, father of SBOM, about FDA SBOM guidelines for embedded medical devices
