SBOMs should be a security staple in the software supply chain

The Register – Jeff Burt
“When it comes to a SBOM, it’s just as important [as the nutrition labels on food] because the risk is not to your physical health but the risk to your business,” Mark Lambert, vice president of products at ArmorCode, told The Register. “The risk that you’re potentially exposing your business to when you’re consuming software is that you don’t understand what it’s comprised of.”

It’s why SBOMs over the past several years have become central to the expanding software supply chain management picture as threat levels increase. SBOMs are also a key point in the national cybersecurity plan developed by the Biden Administration and released this week. They not only tell organizations what components make up the software they’re bringing in, but also what code is in there.

That’s why automating the SBOM process is important. NIST’s standard includes multiple elements, from the software component used and its supplier to version numbers and access to the component’s repository. Version levels must be evaluated against release levels, potential threats found, and risks determined.
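The automated evaluation this paragraph describes, as an added example that is not from the article or from any vendor named in it: the SBOM, release levels and advisory are all constructed, the field names follow CycloneDX JSON, and the required-field list covers only the elements the paragraph names (component, supplier, version, repository).

```python
"""Check a CycloneDX-style SBOM for missing elements, stale versions and known-bad versions."""
import json

# Constructed SBOM excerpt: field names follow CycloneDX JSON, all values are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "libexample", "version": "1.2.3", "supplier": {"name": "Example Org"},
     "externalReferences": [{"type": "vcs", "url": "https://example.invalid/libexample"}]},
    {"name": "parserlib", "version": "0.9.0", "supplier": {"name": "Parser Maintainers"}},
    {"name": "netutil", "version": "2.0.1"}
  ]
}"""

# Constructed reference data: the current release of each component, and a
# hypothetical advisory keyed by component -> (first fixed version, advisory id).
LATEST_RELEASE = {"libexample": "1.2.3", "parserlib": "1.1.0", "netutil": "2.0.1"}
ADVISORIES = {"parserlib": ("1.0.0", "HYPOTHETICAL-ADV-001")}

REQUIRED_FIELDS = ("name", "version", "supplier")  # elements the article calls out


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))


def evaluate_sbom(sbom_json):
    """Return a list of (component, category, detail) findings for one SBOM document."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name = comp.get("name", "<unnamed>")
        missing = [f for f in REQUIRED_FIELDS if f not in comp]
        if missing:  # SBOM is incomplete: cannot assess supplier or version risk
            findings.append((name, "incomplete", "missing " + ", ".join(missing)))
        if not any(ref.get("type") == "vcs" for ref in comp.get("externalReferences", [])):
            findings.append((name, "incomplete", "no repository reference"))
        version = comp.get("version")
        if version is None:
            continue
        latest = LATEST_RELEASE.get(name)
        if latest and parse_version(version) < parse_version(latest):
            findings.append((name, "outdated", f"{version} is behind release {latest}"))
        advisory = ADVISORIES.get(name)
        if advisory and parse_version(version) < parse_version(advisory[0]):
            findings.append((name, "vulnerable", advisory[1]))
    return findings


if __name__ == "__main__":
    for finding in evaluate_sbom(SBOM_JSON):
        print(*finding, sep=" | ")
```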

There are other considerations. SBOMs deliver a lot of information, but organizations need to decide how they’re going to use it. Another emerging issue is that SBOMs and the like mean more work for those maintaining the open-source software that is used in most applications, Fischer said. And most of the maintainers – 60 percent, according to Fischer – are unpaid, essentially volunteers.

Improving security requires tools – like SBOMs – and people. It’s time to start paying the open-source maintainers like companies do anyone else who is responsible for software security.
Link: https://www.theregister.com/2023/03/05/sboms_supply_chain_security/

