Book a DemoSupport

How Much Data Do You Need From Your SBOM?

Posted On

by

Deb Radcliff

By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard & YouTube)

If we think of Software Bills of Materials as an ingredient list for critical software products, the question becomes, ‘how thorough do we need that ingredient list to be?’ In other words, what information elements should SBOMs include to meet consumer and developer demand for visibility? 

The commerce department, in association with the National Telecommunications Industry Association, released its minimum elements for an SBOM in 2021 as part of the presidential executive order to improve the nation’s cybersecurity. But are those elements enough? And how do today’s tightly structured SBOMs stretch to facilitate new elements as needed?

In this interview with Alicia Bond, CRO at SBOM lifecycle management platform vendor, Vigilant Ops, we discuss what should be in SBOMs and how to determine if the data included in them is complete and current enough for development teams and their software product buyers. 

Overall, Bond believes that software product makers are doing a good job of adopting SBOMs and attempting to ensure they include minimum elements. In some cases, manufacturers want to add more information, for example licensing or compliance-related data, she adds. In other highly-sensitive industries, such as in medical device manufacturing where FDA laws now dictate device security requirements, SBOM minimum elements will likely morph and change with tightening regulations.

“At the end of the day, it’s the data in the SBOM that matters. That means knowing the version, the producer, component name, version, unique identifiers, dependency information, the author of the SBOM, as well as timestamps to authenticate where it came from,” she notes. “Imagine you already have all of this in your SBOMs—kept up to date in one place. So, in the next log4j scenario, at the click of a button you know what products it is tied to. That’s the value of SBOMs.”

Tune in to our 28-minute show here and enjoy the free education.

Share post:

Avatar photo

Deb Radcliff

Deb Radcliff is an award-winning journalist, sought-after cybersecurity analyst, and author of the popular, award-winning Breaking Backbones hacker thriller trilogy books and scripts destined for streaming series. Currently, as an independent author and industry analyst, Radcliff runs a syndicated column and video interview series focused on DevSecOps for critical embedded systems; areas of coverage include software supply chain and SBOMs. She is also a regular contributor to CSO Online and podcast host.

Other Posts

Check out all other blog posts and stay informed.

view all posts