Software Bill of Materials and Cybersecurity

Modern software systems involve increasingly complex and dynamic supply chains. Lack of systemic visibility into the composition and functionality of these systems contributes substantially to cybersecurity risk.

The increasing complexity of IT landscapes and the need for supply chain integrity drive the adoption of a standardized information carrier that describes the internals and origins of software components, with the goal of software transparency. The Software Bill of Materials (SBOM) is an electronic document or machine-readable file that describes the parts a piece of software consists of. It helps organizations become aware of vulnerabilities in the underlying software components and assess the impact of those vulnerabilities across the IT landscape. Additionally, an SBOM enhances risk management for those who select and operate IT resources.
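The two uses named above, spotting vulnerable components and assessing landscape-wide impact, come down to matching component names and versions in an SBOM against an advisory feed. The example below is added here to illustrate that matching; it is not code from the NCSC or from the Capgemini Invent report. It assumes a CycloneDX-style JSON layout (a `components` array with `name` and `version`), uses a constructed advisory list with placeholder identifiers rather than real CVEs, and compares versions with a simplistic dotted-integer comparison that real tooling would replace with ecosystem-aware version parsing.

```python
import json

# Constructed SBOMs in a CycloneDX-style JSON layout (sample data, not real products).
SBOM_WEBAPP = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-webapp", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.14.1"},
    {"type": "library", "name": "example-json",   "version": "1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "3.0.2"}
  ]
}
"""

SBOM_BATCH = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-batch", "version": "0.8.1"}},
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.10.0"},
    {"type": "library", "name": "example-json",   "version": "1.7.0"}
  ]
}
"""

# Constructed advisory feed. Identifiers are placeholders, not real CVEs.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-json",
     "introduced": "1.0.0", "fixed": "1.8.5", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-xml",
     "introduced": "0.0.0", "fixed": "4.1.0", "severity": "medium"},
]


def parse_version(text):
    """Simplistic dotted-integer version key (assumption: numeric segments only)."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_sbom(sbom_text):
    """Return (product name, [(component name, version), ...]) from SBOM JSON."""
    sbom = json.loads(sbom_text)
    product = sbom.get("metadata", {}).get("component", {}).get("name", "unknown")
    components = [(c["name"], c["version"]) for c in sbom.get("components", [])]
    return product, components


def assess(sbom_text, advisories):
    """List every (component, advisory) pair in one SBOM that falls in an affected range."""
    _, components = load_sbom(sbom_text)
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name, "version": version,
                    "advisory": adv["id"], "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def landscape_impact(sbom_texts, advisories):
    """Map each advisory id to the products (by SBOM metadata name) it affects."""
    impact = {}
    for sbom_text in sbom_texts:
        product, _ = load_sbom(sbom_text)
        for finding in assess(sbom_text, advisories):
            impact.setdefault(finding["advisory"], []).append(product)
    return impact


if __name__ == "__main__":
    for finding in assess(SBOM_WEBAPP, ADVISORIES):
        print(finding)
    print(landscape_impact([SBOM_WEBAPP, SBOM_BATCH], ADVISORIES))
```

With the constructed data, `example-webapp` is flagged only for `example-logger` (2.14.1 lies in [2.0.0, 2.15.0)), while its `example-json` 1.9.0 is already past the fixed version. Running the same advisories over both SBOMs shows the landscape view: one advisory hits both products, another hits only the batch job, which is the information an operator needs to prioritize patching.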

The NCSC commissioned Capgemini Invent to explore the current landscape and the potential purposes and uses of the SBOM in a cybersecurity context. The research report describes its potential for software production, selection and procurement, software operation, and SecDevOps. The general findings are:

1. The SBOM is gaining traction within the IT security world.

2. The SBOM is considered valuable for managing IT security.

3. The existence of an SBOM is considered an indicator of IT product quality.

4. Accepted data standards and tools are limited.

5. The balance between SBOM detail and practical usability is still under discussion.

6. There is little standardization of how SBOMs are used.

The results of this project contribute to a better understanding of new concepts and provide input for future projects and innovation in this field of interest.