This article is based on Security Insights, a video podcast series where host Gunnar Peterson, CISO at Forter, discusses tech and payment security with industry experts.
In this episode, Forter CISO Gunnar Peterson chats with Wendy Nather, who leads the Advisory CISO team at Cisco. Nather was previously a CISO in the public and private sectors, led the information security practice at analyst firm 451 Research, and was Research Director at the Retail ISAC. She is a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative as well as at the Strauss Center for International Security and Law at the University of Texas at Austin. Together, they answer:
- What is a Software Bill of Materials (SBOM)?
- Why SBOMs have become more popular
- Why businesses would want one
- Use cases for SBOMs
What are SBOMs?
At a basic level, an SBOM is an inventory of the components that make up a piece of software: the code you wrote plus every library and dependency it pulls in. SBOMs are about enumerating and defining everything that goes into building a piece of software. An SBOM can be produced for software in any domain — healthcare, financial, fraud prevention, procurement, etc.
Why SBOMs have become more popular
The rising popularity of SBOMs is due largely to the steady stream of incidents and vulnerabilities in the industry. Software development has also changed over time. “The concept of SBOMs came along at a good time, where the content of software is more variable than ever because so much of it is assembled now rather than being written. And assembled from a wide variety of components and sources,” Nather said.
Many companies have also realized they’ve been making a patchwork of their software. “You can’t just go to your engineering department and say, ‘what’s in here?’ — because nobody knows,” Nather said. “That’s the other reason I think SBOMs have become so critically important right now.”
Why businesses would want one
Nather explains that visibility is “top of the list” for CISOs when asked what they are looking to get out of an SBOM. “Why do you want an SBOM? What are you going to do with it? They really need the visibility,” Nather said.
But more importantly, it is what they plan to do with that information, once acquired, that needs to take focus. “What are you going to do with that information once you have it?” Nather always asks. Most companies today do not have a good answer for that, but the answers are continually improving as more companies discover beneficial uses for SBOMs.
Use cases for SBOMs
Nather co-authored a white paper for the Atlantic Council that highlights four use cases for SBOMs:
- Procurement
- Vulnerability Management and Threat Intelligence
- Incident Response
- Ecosystem Mapping
During the conversation, Nather also provided anecdotes for SBOMs related to procurement and ecosystem mapping.
Avoid buying duplicate software licenses
“A company the size of Cisco can end up buying duplicate instances of software,” Nather notes. Large companies like Cisco can use SBOMs to figure out what software they already have and take steps to avoid purchasing duplicate software licenses. They can also use SBOMs to check that they are not shipping components under licenses they did not intend to accept.
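The definition above (an SBOM as an inventory of components and dependencies) and the procurement and vulnerability-management use cases are easier to see with something that actually reads one. The following is an added example, not code from the podcast, Forter, Cisco, or the Atlantic Council paper. It assumes a CycloneDX-style JSON layout (a "components" array with name, version, purl and licenses; the article names no format), and the SBOM, the advisory list, every package name and the license policy are constructed for illustration.

```python
"""Added example: read a minimal CycloneDX-style SBOM and act on it.

Three things an SBOM lets you do once you have one:
  - vulnerability management: match components against an advisory feed
  - procurement: spot the same component bought or shipped more than once
  - license hygiene: flag components under licenses your policy denies
Everything below (SBOM, advisories, package names) is constructed sample
data, not a real product or a real vulnerability.
"""
import json
from collections import defaultdict

# Constructed sample SBOM in an assumed CycloneDX-style JSON layout.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "widget-logger", "version": "2.14.1",
         "purl": "pkg:npm/widget-logger@2.14.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "json-mapper", "version": "2.12.3",
         "purl": "pkg:npm/json-mapper@2.12.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # the same commercial component pulled in twice by two teams
        {"type": "library", "name": "pdf-render", "version": "1.4.0",
         "purl": "pkg:generic/pdf-render@1.4.0",
         "licenses": [{"license": {"id": "LicenseRef-Vendor-Commercial"}}]},
        {"type": "library", "name": "pdf-render", "version": "1.3.9",
         "purl": "pkg:generic/pdf-render@1.3.9",
         "licenses": [{"license": {"id": "LicenseRef-Vendor-Commercial"}}]},
        {"type": "library", "name": "fraud-rules-engine", "version": "5.0.0",
         "purl": "pkg:generic/fraud-rules-engine@5.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed: a component is affected if its purl (minus the
# version) matches and its version is older than "fixed_in".
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:npm/widget-logger", "fixed_in": "2.15.0"},
    {"id": "ADV-0002", "purl": "pkg:npm/json-mapper", "fixed_in": "2.12.3"},
]

# Constructed license policy: licenses this (hypothetical) company will not ship.
DENIED_LICENSES = {"AGPL-3.0-only"}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Each segment keeps its leading digits only,
    so '1rc2' -> 1 and 'beta' -> 0. Good enough for the sample; real
    ecosystems (npm, maven, pypi) each have their own ordering rules."""
    parts = []
    for seg in version.split("."):
        num = ""
        for ch in seg:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Flatten the SBOM's component list into dicts the checks below use."""
    bom = json.loads(sbom_json)
    components = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        # The purl version follows the last '@'; the sample has no '?'
        # qualifiers or '#' subpaths, which would need stripping first.
        purl_base = purl.rsplit("@", 1)[0] if "@" in purl else purl
        licenses = [entry["license"]["id"] for entry in comp.get("licenses", [])
                    if "license" in entry and "id" in entry["license"]]
        components.append({"name": comp["name"], "version": comp["version"],
                           "purl": purl, "purl_base": purl_base,
                           "licenses": licenses})
    return components


def find_vulnerable(components, advisories):
    """Return (advisory id, purl) for every component older than the fix.
    A component already at the fixed version is not reported."""
    hits = []
    for adv in advisories:
        for comp in components:
            if (comp["purl_base"] == adv["purl"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((adv["id"], comp["purl"]))
    return hits


def find_duplicates(components):
    """Components that appear under more than one version: candidates for
    the duplicate-purchase problem described in the article."""
    versions_by_name = defaultdict(set)
    for comp in components:
        versions_by_name[comp["name"]].add(comp["version"])
    return {name: sorted(v) for name, v in versions_by_name.items() if len(v) > 1}


def check_license_policy(components, denied):
    """(component name, license) pairs whose license is on the deny list."""
    return [(comp["name"], lic) for comp in components
            for lic in comp["licenses"] if lic in denied]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("components:", [(c["name"], c["version"]) for c in comps])
    print("vulnerable:", find_vulnerable(comps, ADVISORIES))
    print("duplicates:", find_duplicates(comps))
    print("license violations:", check_license_policy(comps, DENIED_LICENSES))
```

The advisory check is deliberately strict about the boundary: json-mapper sits exactly at its fixed version and is not reported, while widget-logger one release behind is. In practice the version comparison is the part to replace with an ecosystem-aware library, and the advisory feed would come from a vulnerability database rather than a constant.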
Reduce open-source software risks
SBOMs can also help companies mitigate the risks of using open-source software. For example, you might discover that a developer who contributed a module to an open-source library also contributes to malware projects. “Looking at a computer, developer-centric view and using SBOMs to inform that — who is contributing to your software can be every bit as important as, where did you get this or what’s in it,” Nather added.
Add SBOMs to your risk management toolbox
SBOMs are only a small part of an effective software risk management strategy. You need multiple tools to secure your software systems and manage risks in digital commerce.
Want to learn even more about SBOMs? You can watch this episode of Security Insights in its entirety on YouTube.