Chapter 65. SBOM: Transparent, Sustainable Compliance
Karen Walsh
Modern, interconnected application ecosystems are much like coral reefs. A single vulnerability can disrupt the delicate, symbiotic balance between open source code and application security, poisoning entire systems. Just as regulatory compliance sought to solve physical pollution, governmental initiatives seek to limit digital pollution by establishing rules for supervising digital contamination. As compliance initiatives start focusing on supply chain security at the code and component levels, AppSec professionals will increasingly be held accountable for maintaining a software bill of materials (SBOM) to achieve the organization’s compliance objectives.
Building Transparency
Essentially, the SBOM is the software equivalent of the Nutrition Facts Label on packaged food. With visibility into ingredients, organizations can make informed, healthy decisions so they can monitor applications for vulnerabilities impacting the components.
In 2021, the National Telecommunications and Information Administration (NTIA) updated its publication, Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM). NTIA defined SBOM as:
a nested inventory, a list of ingredients that make up software components…[that] identifies and lists software components, information about those components, ...
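The two ideas above, an SBOM as a nested inventory of components and that inventory as the thing you monitor for vulnerable ingredients, can be shown in a few dozen lines. The following is an added example written for this chapter, not code from the author, NTIA, or any SBOM tool. It assumes a constructed, simplified SBOM shape (a component with a name, a version, and an optional list of nested components), not the exact CycloneDX or SPDX schema, and the advisory entries are made up placeholders. It walks the nested inventory, flattens it while recording the dependency path of each component, and reports which entries fall below an advisory's fixed version.

```python
"""Walk a nested SBOM and check the flattened inventory against advisories.

Added example (not from the chapter). The SBOM structure below is a
constructed, simplified shape: each component has "name", "version" and an
optional nested "components" list. It is not NTIA's, CycloneDX's or SPDX's
exact schema, and the advisory data is made up for illustration.
"""
import json

# Constructed sample SBOM for a fictional web service: the application itself,
# its direct dependencies, and the transitive ones nested beneath them.
SAMPLE_SBOM_JSON = """
{
  "name": "order-service", "version": "2.4.0",
  "components": [
    {"name": "web-framework", "version": "3.1.2", "supplier": "Example Org",
     "components": [
       {"name": "template-engine", "version": "1.9.0"},
       {"name": "yaml-parser", "version": "5.3.1"}
     ]},
    {"name": "db-driver", "version": "8.0.1",
     "components": [
       {"name": "yaml-parser", "version": "5.4.0"}
     ]}
  ]
}
"""

# Constructed advisories (placeholder ids): a component name plus the first
# fixed version. Any inventory entry with a lower version counts as affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001-placeholder", "component": "yaml-parser", "fixed": "5.4.0"},
    {"id": "ADV-0002-placeholder", "component": "template-engine", "fixed": "1.8.0"},
]


def parse_version(version):
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def flatten_sbom(component, path=()):
    """Recursively yield every component as name, version and dependency path.

    The path (root -> direct -> transitive) tells an engineer which direct
    dependency pulled in an affected component and therefore what to upgrade.
    """
    current = path + (component["name"],)
    yield {"name": component["name"], "version": component["version"], "path": current}
    for child in component.get("components", []):
        yield from flatten_sbom(child, current)


def find_affected(inventory, advisories):
    """Return inventory entries whose version is below an advisory's fixed version."""
    hits = []
    for entry in inventory:
        for adv in advisories:
            if entry["name"] != adv["component"]:
                continue
            if parse_version(entry["version"]) < parse_version(adv["fixed"]):
                hits.append({
                    "advisory": adv["id"],
                    "name": entry["name"],
                    "version": entry["version"],
                    "path": "/".join(entry["path"]),
                })
    return hits


def scan(sbom_json, advisories):
    """Parse the SBOM, flatten it, and return (inventory, affected entries)."""
    inventory = list(flatten_sbom(json.loads(sbom_json)))
    return inventory, find_affected(inventory, advisories)


if __name__ == "__main__":
    inventory, affected = scan(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    print(f"{len(inventory)} components in inventory")
    for hit in affected:
        print(f"{hit['advisory']}: {hit['name']} {hit['version']} via {hit['path']}")
```

Note that the same ingredient, yaml-parser, appears twice at different versions; only the copy nested under web-framework is below the fixed version, and the recorded path is what makes that copy actionable. A real SBOM check would read a standard format and pull advisories from a vulnerability feed, but the shape of the work, flatten the nesting and then match components against known-bad versions, is the same.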