
Volume 316, Issue 4 · IT News · Developer

How Much Data Do You Need From Your SBOM?

Security Boulevard, Wednesday, July 24th, 2024

If we think of Software Bills of Materials as an ingredient list for critical software products, the question becomes, 'how thorough do we need that ingredient list to be?' In other words, what information elements should SBOMs include to meet consumer and developer demand for visibility?

The Commerce Department, in association with the National Telecommunications Industry Association, released its minimum elements for an SBOM in 2021 as part of the presidential executive order to improve the nation's cybersecurity. But are those elements enough? And how do today's tightly structured SBOMs stretch to accommodate new elements as needed?

In this interview with Alicia Bond, CRO at SBOM lifecycle management platform vendor Vigilant Ops, we discuss what should be in SBOMs and how to determine if the data included in them is complete and current enough for development teams and their software product buyers.

Overall, Bond believes that software product makers are doing a good job of adopting SBOMs and attempting to ensure they include minimum elements. In some cases, manufacturers want to add more information, for example, licensing or compliance-related data, she adds. In other highly sensitive industries, such as medical device manufacturing, where FDA laws now dictate device security requirements, SBOM minimum elements will likely morph and change with tightening regulations.
