Everyone in an organization plays an important role in ensuring that their products and services are delivered safely to their customers. Central to that cybersecurity initiative is knowing exactly what’s in those products to ensure that they’re safe.
Whether you’re producing software or hardware, part of the manufacturing process, or anywhere in the software supply chain, being able to inventory the components used is necessary to move toward a goal of holistic security with full traceability. Understand the role of the bill of materials to use this valuable form of documentation to help scale your offerings and meet increasing customer demands.
A bill of materials (BOM) is an inventory that details all of the components used to build a product. Much like an ingredients list, it includes all items used in a finished product. Long used in engineering and manufacturing, BOMs have become increasingly necessary in various areas of technology production.
Most notably, software bills of materials (SBOMs) detail all of the software components (including commercial, third-party and open source) in an application, along with the associated licenses. An SBOM, created as part of a comprehensive approach to software composition analysis (SCA), is a point-in-time snapshot of the components in a particular software release. It helps parties from across an organization (security, software development and engineering, legal, leadership, etc.) understand the risks that may be associated with the use of an application and quickly remediate a vulnerability when an exploit appears. SBOMs have been in the spotlight lately, thanks in large part to the U.S. government’s inclusion of SBOMs in the National Cybersecurity Strategy (March 2023) and the EU Cyber Resilience Act’s focus on protecting the digital components of software and hardware.
But SBOMs aren’t the only bills of materials that are necessary for the protection of your tech stack and of your business as a whole. A growing variety of BOMs, collectively called XBOMs, is gaining importance while creating a bit of an acronym maze. Essentially, an XBOM can mean one of two things:
• The “X” stands for a specific focus area for which a bill of materials is produced. The most common form is the software bill of materials (SBOM), but BOMs are increasingly produced for other disciplines, including hardware (HBOM), machine learning (ML-BOM), manufacturing (MBOM), operations (OBOM) and software-as-a-service (SaaSBOM).
• An eXpanded SBOM. Still used in the context of software, an expanded SBOM, written XBOM, provides more information about each component. Rather than listing only components and licenses, this form of XBOM includes expanded information about each part, such as who built it, what build system was used, the author, the date and other details that support traceability and the remediation of vulnerabilities.
Each of these XBOMs has its own way of describing the parts included. As the industry works toward standardized data models with common attributes (e.g., through CycloneDX, OpenChain and SPDX for SBOMs), each XBOM will become increasingly useful, both to the organizations that create and maintain it and to the supply chain partners that consume its information.
A comprehensive approach to consuming, creating and distributing XBOMs up and down the supply chain can help reduce the security risk posed by vulnerable components and the compliance risk posed by their licenses, can strengthen M&A activity, and can help make IT security digestible for all who do business with you.
Reducing cyber risk with XBOMs requires evaluating how they’re used up and down the supply chain. Consider:
• What you’re receiving from your upstream supply chain partners. The vast majority of the code in your builds most likely comes from outside the organization rather than from your own development team. Ingesting XBOMs from upstream suppliers lets your organization know what vulnerabilities may be present in your builds and what licenses you must comply with. Make your expectations clear to your upstream partners so that you receive the XBOMs you need.
• Your role in the supply chain. Many businesses might not consider themselves part of the supply chain but likely are. By creating XBOMs for your software, hardware, manufacturing, operations and other initiatives, you document the components you use and illustrate clearly how those components relate to the supply chain overall.
• What you’re relaying to your downstream supply chain partners and customers. By creating and providing inventories of all of the components you use, your organization can document its commitment to secure practices that prioritize the security of your company and of your users alike.
Now is the time to stay focused on cybersecurity, and XBOMs are useful tools toward that goal. Examine your processes and procedures to see where creating, ingesting and distributing XBOMs would be most valuable, and plan the resources needed to make the effort work, for example by releasing an SBOM with each new software release, followed by subsequent versions that show the deltas (the changes) in new builds. By getting everyone in the organization to focus on the security implications of their roles, your organization can proactively build effective practices, backed by XBOMs.
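As an added illustration of the per-release SBOM-plus-deltas practice described above (this is example code, not from the original article or any vendor tool), the following Python script indexes two constructed CycloneDX JSON SBOMs by package URL and reports the components that were added, removed, re-versioned or relicensed between releases; the package names, versions and licenses are invented sample data.

```python
import json

# Constructed sample CycloneDX SBOMs for two consecutive releases (not real project data).
SBOM_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.28.0", "purl": "pkg:pypi/requests@2.28.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "pyyaml", "version": "5.4", "purl": "pkg:pypi/pyyaml@5.4",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5",
     "licenses": [{"license": {"id": "MIT"}}]},
]})
SBOM_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "cryptography", "version": "41.0.3", "purl": "pkg:pypi/cryptography@41.0.3",
     "licenses": [{"license": {"id": "Apache-2.0"}}, {"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5",
     "licenses": [{"license": {"name": "MIT License"}}]},   # same version, license metadata drifted
]})


def index_components(sbom_json):
    """Map each component to (version, license ids), keyed by its version-less purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in bom.get("components", []):
        # The purl is the stable identity; strip the '@version' suffix so releases line up.
        key = comp["purl"].split("@", 1)[0] if comp.get("purl") else f"{comp['type']}:{comp['name']}"
        licenses = tuple(sorted(
            entry["license"].get("id") or entry["license"].get("name", "UNKNOWN")
            for entry in comp.get("licenses", []) if "license" in entry))
        index[key] = (comp.get("version"), licenses)
    return index


def sbom_delta(old_json, new_json):
    """Report what changed between two releases' SBOMs: the delta a downstream consumer reviews."""
    old, new = index_components(old_json), index_components(new_json)
    kept = [k for k in old if k in new]
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "version_changed": {k: (old[k][0], new[k][0]) for k in kept if old[k][0] != new[k][0]},
        "license_changed": {k: (old[k][1], new[k][1]) for k in kept if old[k][1] != new[k][1]},
    }
```

Feeding each new release's SBOM through `sbom_delta` against the previous one gives reviewers only the changed components to triage for new vulnerabilities or license obligations.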