SBOMs are an essential software supply chain security tool for license compliance and managing open-source software risk. However, let's explore five other use cases for this innovative system...
Software bills of materials (SBOMs) are rapidly becoming essential tools for software supply chain security (SSCS) and open-source software risk remediation. Yet, is this the only use for this technology?
After all, there are many situations where other teams in your business could leverage detailed knowledge of the open-source code used to make your software. This includes sales, procurement, and even enterprise architecture.
Let's begin by recapping what an SBOM is and then considering the primary use case of open-source software vulnerability remediation. We'll then look at four other teams in your organization who need SBOMs in their work.
A software bill of materials (SBOM) is essentially an 'ingredients list' of all the open-source code that has been used to create a software product. It's an essential tool for software supply chain security (SSCS), software vulnerability remediation, and license compliance.
Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) found 73% of code was open source, across the aerospace, aviation, automotive, transportation, and logistics industries. With the use of open-source libraries being so prolific, it's vital to know where your software code came from and how it was used.
Yet, often, we see SBOMs as purely a software supply chain security (SSCS) tool. While that is the primary use case we list below, there are many other uses for SBOMs that are only just being discovered.
A Linux survey found that executives reported SBOMs were useful for:
These are just a few of the use cases for SBOMs that are coming to light. Below, we'll start with the obvious software vulnerability remediation example, but then examine four other ways teams in your organization can leverage SBOMs.
The primary, and most obvious, use case for software bills of materials (SBOMs) is software supply chain security (SSCS). When an open-source software risk is detected, SBOMs tell security teams precisely where vulnerable code fragments have been used.
This means cyber-security teams can begin software vulnerability remediation immediately. A fast response like this is essential when dealing with vulnerabilities like the one found in Apache log4j.
Without a full catalog of SBOMs, security teams are left manually searching through code bases for the affected component. What could take days will take months, during which time your organization remains exposed to cyber attack.
SBOMs are already an essential tool for protecting your organization from open-source software risk. Equally important, however, is cataloging your SBOMs in a system like the LeanIX Value Stream Management (VSM) platform.
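The triage step described above, as an added example that is not part of the original post or the LeanIX product: a catalog of SBOMs is scanned for every product that ships a given component inside an affected version range. The SBOM fragments and the version range are constructed inputs for the example (CycloneDX-style `components` entries), not real product data or an advisory.

```python
"""Find which products in an SBOM catalog ship an affected component version."""
import re

# Constructed CycloneDX-style SBOM fragments keyed by product name (not real data).
SBOM_CATALOG = {
    "billing-service": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ]},
    "reporting-ui": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ]},
    "data-export": {"components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
        {"group": "org.example", "name": "unversioned-lib"},  # no version: cannot be judged
    ]},
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Pre-releases sort before the final release of the same number
    (2.0-beta9 < 2.0), which plain string comparison gets wrong.
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums += (0,) * (3 - len(nums))  # pad to major.minor.patch
    if not pre:
        return nums + (1, "", 0)
    m = re.match(r"([A-Za-z]+)(\d*)", pre)
    tag, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (pre.lower(), 0)
    return nums + (0, tag, num)


def is_affected(version: str, first: str, last: str) -> bool:
    """True if version lies in the inclusive range [first, last]."""
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def find_affected(catalog: dict, group: str, name: str, first: str, last: str) -> list:
    """Return (product, version) for every SBOM shipping the component in range."""
    hits = []
    for product, sbom in catalog.items():
        for comp in sbom.get("components", []):
            if comp.get("group") != group or comp.get("name") != name:
                continue
            version = comp.get("version")
            if version and is_affected(version, first, last):
                hits.append((product, version))
    return hits


if __name__ == "__main__":
    for product, version in find_affected(
            SBOM_CATALOG, "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1"):
        print(f"{product}: log4j-core {version} needs remediation")
```

Components without a version are skipped rather than reported, which is itself a finding: an SBOM entry with no version cannot be triaged and should be sent back to the producing team.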
The cost of cyber crime is set to reach USD 10.5 trillion by 2025, according to Cyber Security Ventures. In response, the Biden administration in the US has set an expectation to shift responsibility for software supply chain security (SSCS) to the vendor in creating software that is 'secure by design'.
Key in this action was executive order 14028, issued in May 2021, which called for vendors to provide:
"...a purchaser a software bill of materials (SBOM) for each product directly or by publishing it on a public website"
European governments have issued similar software supply chain security (SSCS) guidance in the years since, making SBOMs essential when selling to the public sector. Yet, it won't be long before SBOMs become an expectation in the consumer arena as well.
This is why sales and customer success teams need to offer customers SBOMs for their software to inspire trust in their cyber security. Without them, they risk falling behind their competitors.
While SBOMs are essential for inspiring trust in customers, the reverse is also true. Consuming SBOMs provided by third-party software vendors allows procurement teams to acquire software with confidence.
These third-party SBOMs can also be consumed by the LeanIX Value Stream Management (VSM) platform and listed as part of your software supply chain, whether they are internal- or external-facing. In addition, SBOMs allow procurement teams to look 'under the hood' of third-party software and see how it works before buying.
As software consumers and resellers themselves, even software vendors can benefit from comprehensive SBOMs as much as their customers do.
While the demands of cyber security and sales may be the most pressing, there's also pressure on software developers to produce new products quickly. Software bills of materials (SBOMs) are key for this as well.
SBOMs facilitate a better understanding of software dependencies, making it easier to track and manage changes, updates, and compatibility issues. This streamlines software development, maintenance, and the integration of new features or functionalities.
SBOMs, in this sense, can also act like a manual on how your previous software was created and what code was used. This makes it easier for your development teams to repeat previous success, even when key developers have moved on to other projects.
Once again, we can use the metaphor of the ingredients list. SBOMs track all the ingredients used in software creation, and so can serve as a recipe to guide future efforts.
Enterprise architects are responsible for building an organization's tech stack. Just like a building architect, constructing a tech stack is much easier when you understand what your materials are made of.
Knowing which code fragments have been used in the creation of software is hugely beneficial for deciding whether it's fit for purpose. This is especially true in the case of mergers and acquisitions.
Merging together two separate software stacks and choosing what to keep and what to eliminate requires full clarity on how the software was built and of what code it's comprised, including your third-party and customer-facing software.
This is why cataloging and analyzing your SBOMs is as essential for enterprise architects as it is for software security teams.
Creating your SBOMs is just the beginning. To make them useful, they must be logged somewhere that can be accessed and leveraged by all the above teams, and others.
The LeanIX Value Stream Management (VSM) platform creates complete transparency across your software supply chain, identifies known vulnerabilities, and enables product teams to improve collaboration with the business.
To find out more about the LeanIX VSM, see our solution page: