The ReleaseTEAM Blog: Here's what you need to know...
Using SBOMs for superior customer and developer experiences
In May 2021, the US President issued Executive Order 14028, "Improving the Nation's Cybersecurity," after the SolarWinds compromise exposed thousands of organizations to attackers linked to Russian intelligence. The SolarWinds attack was neither the first nor the last software supply chain attack, but it is one of the most far-reaching: SolarWinds estimated that up to 18,000 customers downloaded the Orion updates that carried the backdoor. The Apache Log4j vulnerability disclosed in December 2021 (Log4Shell, CVE-2021-44228) is another example of a software supply chain vulnerability, this time in a logging library used by millions of Java-based applications.
Among other requirements, Section 4 of the Executive Order, "Enhancing Software Supply Chain Security," directs NIST to publish guidance for software sold to the federal government. That guidance must include maintaining accurate and up-to-date data on the provenance of software code and components, and providing a purchaser a Software Bill of Materials (SBOM) for each product, either directly or by publishing it on a public website.
What is a Software Bill of Materials?
A Software Bill of Materials is a formal, machine-readable inventory of the components that make up a piece of software: the libraries, packages, and other dependencies, including the transitive ones pulled in by direct dependencies. Along with the component names, an SBOM records version information, a unique identifier for each component (such as a package URL), the supplier, and the dependency relationships between components; the NTIA's published minimum elements for an SBOM cover exactly this data. License information is commonly included as well. Known vulnerabilities are usually not stored in the SBOM itself: they are found by matching the listed components against vulnerability databases, and a vendor's assessment of whether a product is actually affected is communicated separately (for example in a VEX document). The two widely used formats are SPDX and CycloneDX, both of which have JSON representations.
Software composition analysis (SCA) tools can scan a code base, build output, or container image to identify all of the components and libraries used, and most can emit the result directly as an SBOM. Generating the list this way keeps it current on every build, which manual reporting in spreadsheets or internal documentation such as wikis never manages. One caveat a practitioner will want: an SBOM generated from source alone can miss what actually ships (vendored or statically linked code, base image layers), so generate it from the built artifact or image and regenerate it for every release.
How do SBOMs help customers?
Although the Executive Order established the requirements for companies doing business with the US government, other customers benefit from confidence in knowing what third-party components and software are part of the supply chain.
What makes resolving software supply chain vulnerabilities so time-intensive is that many customers cannot tell whether a vulnerable component is present in their environment. This lack of transparency creates confusion and delay when a newly disclosed vulnerability has to be triaged and patched. Without an SBOM, customers have no authoritative record of which third-party components and open source software their vendors have included in their products, and are left waiting for each vendor's advisory or scanning installed binaries themselves.
One estimate placed the average cost of a SolarWinds- or Log4j-type vulnerability at $12 million for each affected customer. Most of that effort went into determining whether a given system had an affected version installed, whether attackers had already exploited it, and then remediating it.
How do SBOMs help your DevOps team?
In the current job market, developers are being wooed away from other employers by higher salaries and an improved developer experience (DX). The developers who originally added a component or library may no longer work for you when that component needs updating or a vulnerability is disclosed in it.
Meanwhile, your current developers want to spend most of their time solving interesting problems and creating innovative software, not chasing down whether an affected component is buried somewhere in the codebase, perhaps several levels deep as a transitive dependency nobody added on purpose.
An SBOM, particularly one generated automatically by software composition analysis as part of the build, tells developers which components they need to keep updated and where to look (or not look) when a new vulnerability is disclosed. If the SBOM records components with a standard identifier such as a package URL (purl), a new advisory can be matched against it automatically rather than by hand, and the dependency relationships show which of your own modules pulled the affected component in. This saves time and effort, letting developers get back to features and the next release.
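As an added example (not code from the original post, and not a ReleaseTEAM or Instant Connect tool), the script below shows both halves of the story told in the "What is a Software Bill of Materials?" section and in the paragraph above: it turns a constructed `mvn dependency:tree` listing for a hypothetical Java service into a minimal CycloneDX-style SBOM, then matches that SBOM against a hand-constructed advisory record modelled on Log4Shell and reports the dependency path to the affected component. The application coordinates (com.example:*), the tree text and the advisory data are made up for the example; the Log4j, Spring and JUnit coordinates are real artifacts. The version comparison is a deliberately simplified stand-in for Maven's real ordering rules, and the output is a minimal CycloneDX 1.4 document rather than everything a full SCA tool would emit.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of `mvn dependency:tree` output. The Log4j,
# Spring and JUnit coordinates are real artifacts; com.example:* is invented.
MAVEN_TREE = """\
com.example:order-service:jar:1.4.2
+- org.springframework:spring-web:jar:5.3.13:compile
|  \\- org.springframework:spring-core:jar:5.3.13:compile
+- com.example:audit-client:jar:0.9.1:compile
|  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
|     \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
\\- junit:junit:jar:4.13.2:test
"""
# Constructed advisory record modelled on Log4Shell: log4j-core from 2.0-beta9 up
# to, but not including, the 2.15.0 fix. Only the record shape matters here.
ADVISORIES = [{"id": "CVE-2021-44228",
               "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
               "introduced": "2.0-beta9", "fixed": "2.15.0"}]
COORD_RE = re.compile(r"^(?P<group>[^:\s]+):(?P<artifact>[^:]+):(?P<packaging>[^:]+)"
                      r":(?P<version>[^:]+)(?::(?P<scope>\w+))?$")

def parse_maven_tree(text: str) -> Tuple[List[dict], Dict[str, List[str]]]:
    """Turn tree lines into CycloneDX components and a parent -> children map."""
    components, depends_on, stack = [], {}, []   # stack: ancestor bom-ref per depth
    for raw in text.splitlines():
        if not raw.strip():
            continue
        start = re.search(r"[A-Za-z0-9]", raw).start()
        depth = start // 3                       # each tree level is 3 chars wide
        m = COORD_RE.match(raw[start:].strip())
        if m is None:
            raise ValueError(f"unrecognised coordinate line: {raw!r}")
        g, a, v = m["group"], m["artifact"], m["version"]
        purl = f"pkg:maven/{g}/{a}@{v}"          # package URL: the matchable identifier
        comp = {"type": "application" if depth == 0 else "library",
                "bom-ref": purl, "group": g, "name": a, "version": v, "purl": purl}
        if m["scope"]:
            comp["properties"] = [{"name": "maven:scope", "value": m["scope"]}]
        components.append(comp)
        depends_on.setdefault(purl, [])
        del stack[depth:]                        # drop ancestors deeper than this line
        if stack:
            depends_on[stack[-1]].append(purl)
        stack.append(purl)
    return components, depends_on

def build_cyclonedx(components: List[dict], depends_on: Dict[str, List[str]]) -> dict:
    """Minimal CycloneDX 1.4 document; the first parsed entry is the product itself."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": components[0]}, "components": components[1:],
            "dependencies": [{"ref": r, "dependsOn": k} for r, k in depends_on.items()]}

def version_key(v: str) -> tuple:
    """Simplified ordering: dotted numbers, and a '-qualifier' sorts before the bare
    release (2.0-beta9 < 2.0). Maven's real comparison rules are richer than this."""
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return (nums + (0,) * (3 - len(nums)), 0 if qualifier else 1, qualifier)

def dependency_path(sbom: dict, target: str) -> Optional[List[str]]:
    """Walk from the product to `target` so the report shows where it is buried."""
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    def dfs(node, path):
        if node == target:
            return path
        for child in graph.get(node, []):
            found = dfs(child, path + [child])
            if found:
                return found
        return None
    root = sbom["metadata"]["component"]["bom-ref"]
    return dfs(root, [root])

def find_affected(sbom: dict, advisories: List[dict]) -> List[dict]:
    """Match each component's version-less purl against the advisory ranges."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["purl"].split("@", 1)[0] != adv["package"]:
                continue
            if version_key(adv["introduced"]) <= version_key(comp["version"]) < version_key(adv["fixed"]):
                hits.append({"advisory": adv["id"], "purl": comp["purl"],
                             "path": dependency_path(sbom, comp["bom-ref"])})
    return hits

if __name__ == "__main__":
    comps, deps = parse_maven_tree(MAVEN_TREE)
    bom = build_cyclonedx(comps, deps)
    print(json.dumps(bom, indent=2))
    for hit in find_affected(bom, ADVISORIES):
        print(f"{hit['advisory']}: {hit['purl']} via " + " -> ".join(hit["path"]))
```

Run as-is, the script prints the SBOM and then one finding: log4j-core 2.14.1 reached through the audit-client dependency, which is the "buried somewhere in the codebase" case the text describes. log4j-api at the same version is correctly not flagged, because matching is done on the full package identifier rather than on a name fragment. Swapping in a real advisory feed (OSV and NVD both publish version ranges keyed by package identifiers) and a real SBOM from your SCA tool changes the inputs, not the shape of the check.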
Do you need an SBOM to sell software?
If you’re selling to the US government, the short answer is yes. However, software companies are learning that providing SBOMs can offer a competitive advantage. Instant Connect’s chief product officer Wes Wells shares that his company provides SBOMs as part of their RFP responses. Not only does providing an SBOM help Instant Connect’s customers feel confident about what is in their environment, but it also helps Instant Connect’s developers address any vulnerabilities quickly.
As cyberattacks continue to become more sophisticated and prevalent, demanding SBOMs from your vendors and providing SBOMs to your customers will help everyone have the information they need to prepare for and respond quickly to new attacks.