The Good and Bad of SBOM

A software bill of materials (SBOM) lists all components, libraries and modules in a software product in a machine-readable format. It is gaining popularity in DevSecOps circles.

But, why should you bother having one? After all, it takes time and effort to do… Or maybe the risks of not having one would motivate you more? Regardless, we have you covered here.

👍 Good Things

1. ✓ Transparency: An SBOM provides a clear and comprehensive list of all components used in a software product, enhancing transparency. Now, you know all your dependencies and can view them at any time.
2. ✓ Risk Management: It helps in identifying and managing vulnerabilities by knowing exactly what components are in use. This applies more to deeply buried dependencies you might not even realise you have. Something that a dependency of your dependency depends on — layers within layers.
3. ✓ Compliance: Many regulatory frameworks and standards require an SBOM, helping organizations meet compliance requirements. Remember that good compliance comes from good security.
4. ✓ Incident Response: In case of a security incident, an SBOM can quickly identify affected components, speeding up the response time. This allows you to make quick judgement calls when a dependency is affected.
5. ✓ Supply Chain Security: It enhances the security of the software supply chain by providing visibility into third-party and open-source components. The alternative is not knowing and hoping for the best. A path trodden by too many…

👎 Bad Things

Honestly, this is more or less the opposite of the above. However, some people will react better to fear than hope. So, without much ado, here it is:

1. ✗ Lack of Visibility: Without an SBOM, organizations lack visibility into the components used in their software, making it difficult to identify vulnerabilities.
2. ✗ Increased Risk: The inability to quickly identify and patch vulnerable components increases the risk of security breaches.
3. ✗ Compliance Issues: Non-compliance with regulatory requirements that mandate an SBOM can lead to legal and financial penalties.
4. ✗ Slower Incident Response: Without a clear inventory of components, incident response times can be significantly slower, exacerbating the impact of security incidents.
5. ✗ Supply Chain Vulnerabilities: The lack of an SBOM makes it harder to ensure the security and integrity of the software supply chain, increasing the risk of compromised components.

🔗 Links

• What is an SBOM? from gitlabs.
• Exporting a Software Bill of Materials for your repository. from github.
• Top Open Source SBOM Tools from Wiz.