"Software Bills of Material Face Long Road to Adoption"
There are few areas of consensus within the community of cybersecurity specialists and researchers. One of the few exceptions is the requirement for more widespread usage of Software Bills of Materials (SBOMs), a tool that lists a software's components. With this knowledge, cybersecurity defenders are in a much better position to detect and address vulnerabilities. SBOMs have been supported by much of the cybersecurity field, even though they are not often deployed. In its report, the Cyberspace Solarium Commission advised that they be included in all software purchased by the federal government. The Cyber Safety Review Board's (CSRB) analysis of the log4j vulnerability recognized SBOMs as a crucial tool for preventing a similar incident in the future. However, implementation remains difficult, because the technology industry needs a clear understanding of precisely what information is required to comply with such a regime and how it would be used. Despite widespread support for SBOMs, key federal government entities are moving slowly to mandate their usage. As part of a September memo, the Office of Management and Budget (OMB) made it optional for agencies to demand SBOMs in federal Information Technology (IT) contracts, rather than mandating their inclusion in software acquired by the federal government. In the race to enact the end-of-year National Defense Authorization Act (NDAA), a provision that would have required the Department of Homeland Security (DHS) to mandate the use of SBOMs in its contracts was withdrawn due to objections from the industry. Similar to the list of ingredients on the back of a cereal box, an SBOM gives a list of software components and libraries, as well as their interactions. For computer engineers to remedy vulnerabilities, they must first be aware that they exist. An SBOM offers the inventory required to identify which software components exist in each system. Since modern software consists primarily of assembled components, many of which are open-source, the first step in discovering vulnerabilities is knowing the software's composition. Modern software is modular, which implies that when a vulnerability is discovered in a widely used software library, it may exist in a large number of programs that rely on it. SBOMs begin to solve this issue by mapping the dependencies between software components. This article continues to discuss the benefits of SBOMs and the challenges in getting the software industry to embrace this tool.
CyberScoop reports "Software Bills of Material Face Long Road to Adoption"