{"id":19690,"date":"2021-10-26T14:51:31","date_gmt":"2021-10-26T14:51:31","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19690"},"modified":"2021-10-26T15:13:13","modified_gmt":"2021-10-26T15:13:13","slug":"sbom","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/","title":{"rendered":"SBOMs: Securing the Software Supply Chain"},"content":{"rendered":"\n<p>As threat actors aim at IT <a href=\"https:\/\/www.esecurityplanet.com\/threats\/phishing-attacks\/\">supply chains<\/a>, enhanced cybersecurity has been the recent driving force for industry adoption of the Software Bill of Materials (SBOM) framework.<\/p>\n\n\n\n<p>With a simple list of components that make up a software product, SBOMs enhance transparency between software buyers and sellers, provide the necessary visibility to identify <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">vulnerabilities<\/a>, and enable rapid <a href=\"https:\/\/www.esecurityplanet.com\/networks\/best-incident-response-tools-services\/\">incident response<\/a>. SBOMs directly address inefficiencies in the software development process that lead to a visibility gap between clients relying on the software&#8217;s functionality and the developer or supplier&#8217;s knowledge of its build and source components.<\/p>\n\n\n\n<p>SBOMs also offer protection against licensing and <a href=\"https:\/\/www.esecurityplanet.com\/compliance\/gdpr-solutions\/\">compliance<\/a> risks associated with SLAs with a granular inventory of software components. 
In considering the potential efficacy of SBOM adoption, there&#8217;s no downside to standardizing software supply chain practices when it mitigates critical IT, business, and <a href=\"https:\/\/www.esecurityplanet.com\/products\/third-party-risk-management\/\">third-party risks<\/a> and protects an organization&#8217;s bottom line.<\/p>\n\n\n\n<p>This article looks at software bills of materials, file data, existing standards, benefits, use cases, and what SBOMs mean for cybersecurity.<\/p>\n\n\n\n<p>Jump to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#what-is\">What is a Software Bill of Materials (SBOM)?<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#sbom-file\">What&#8217;s in a SBOM File?<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#standards\">Need for Standardization<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#vex\">The Vulnerability-Exploitability eXchange (VEX)<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#advantages\">Advantages of SBOM Adoption<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#how-to\">How to Create a SBOM<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#poc\">Proof of Concept: Healthcare SBOM<\/a><\/li><li><a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/#sbom-cybersecurity\">What SBOMs Mean for Cybersecurity<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is\">What is a Software Bill of Materials (SBOM)?<\/h2>\n\n\n\n<p>A software bill of materials (SBOM) is a machine-readable inventory of components, dependencies, metadata, and the hierarchical relationship for a given software product. 
With a universe of <a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-security-a-big-problem\/\">open source<\/a> and proprietary components, SBOMs provide transparency by identifying elements that are risk-prone or later deemed vulnerable to attack.<\/p>\n\n\n\n<p>The SBOM framework is about the units of software identified by developers and suppliers known as <em>components<\/em> and associated data known as <em>attributes<\/em>. In its entirety, a software product is the primary component and often contains multiple upstream components, with SBOM entries for each to form a collective file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Software Shoppers&#8217; Nutrition Label<\/h3>\n\n\n\n<p>Like looking at a nutrition label in the grocery store, organizations can use SBOMs to evaluate a product&#8217;s source code before making a purchase. When the grocery shopper&#8217;s physician later informs them of a new allergy or health issue, it&#8217;s on the patient to look back and throw out those food items.&nbsp;<\/p>\n\n\n\n<p>In the case of software components, <a href=\"https:\/\/www.esecurityplanet.com\/threats\/fbi-cisa-most-exploited-vulnerabilities\/\">exploitable vulnerabilities<\/a> are identified regularly and require priority remediation. Without the equivalent of a nutritional label for software in use, organizations would find it difficult to address vulnerable systems. 
<a href=\"https:\/\/www.esecurityplanet.com\/products\/threat-intelligence-platforms\/\">Threat intelligence<\/a> can help scan IT environments for the latest malware, but that&#8217;s just one security layer against <a href=\"https:\/\/www.esecurityplanet.com\/threats\/zero-day-threat\/\">zero-day threats<\/a>.<\/p>\n\n\n\n<p><strong>Read more:<\/strong><strong><em> <\/em><\/strong><a href=\"https:\/\/www.esecurityplanet.com\/threats\/supply-chain-flaws-found-in-python-package-repository\/\">Supply Chain Flaws Found in Python Package Repository<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Problem with Software Supply Chains<\/h3>\n\n\n\n<p>Given all software contains vulnerabilities, understanding the components of the code being purchased, used, or built is increasingly critical to preserving the integrity of IT environments.<\/p>\n\n\n\n<p>There is no such thing as an ironclad risk-averse software management strategy; therefore, organizations must strive to be risk-aware. In the new millennium, the rise of Agile programming methodology means shorter development cycles and more frequent application deployments, which also translates to a heightened risk of unstable releases. 
Add the mixing of open source and proprietary software components into solutions, and the software supply chain is understandably complex.<\/p>\n\n\n\n<p>With the sheer volume of development taking place, organizations must take a more aggressive approach towards managing third-party risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SBOM Use Cases<\/h3>\n\n\n\n<p>The predominant use cases for SBOM are its application to supply chain vulnerability management and product integrity assurance processes.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h4 class=\"wp-block-heading\">Vulnerability Management<\/h4>\n\n\n\n<p>Because vulnerabilities exist, arise, and linger \u2013 downstream organizations must consider software supplier risks. SBOMs\u2019 inventory of components makes identifying specific vulnerabilities a far easier task. With the adoption of VEX files, organizations can be precise in confirming a vulnerability&#8217;s exploitability status and promptly remediate critical vulnerabilities.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h4 class=\"wp-block-heading\">Product Integrity<\/h4>\n\n\n\n<p>More transparency means more informed buyers and sellers and products with high levels of certainty in their effectiveness. 
Assurance in the source and integrity of software components is critical to improving the cybersecurity ecosystem and SBOMs give organizations more visibility and control regarding software licensing and entitlement tracking.<\/p>\n<\/div>\n<\/div>\n\n\n\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/common-it-security-vulnerabilities-how-to-prevent-them\/\">How to Defend Common IT Security Vulnerabilities<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sbom-file\">What&#8217;s in a SBOM File?<\/h2>\n\n\n\n<p>Though a few formats are gaining traction, there isn&#8217;t one universally accepted SBOM structure. The <a href=\"https:\/\/www.ntia.gov\/files\/ntia\/publications\/ntia_sbom_framing_2nd_edition_20211021.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">National Telecommunication and Information Administration<\/a> (NTIA) admits the currently proposed baseline component attributes are purposely basic, with room for continued development and specific twists depending on the industry. 
The NTIA Software Component Transparency Framing Working Group stated:<\/p>\n\n\n\n<p><span style=\"color:#002461\" class=\"has-inline-color\">&#8220;<em>This is one of the major drivers for establishing such a basic set of information as a starting point, rather than initially requiring a more robust set of attributes that may require more time and resources to collect and maintain.<\/em>&#8220;<\/span><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Proposed Baseline Component Attributes<\/h3>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td>Author Name<\/td><td>The author of the SBOM (e.g., developer, supplier, <a href=\"https:\/\/www.esecurityplanet.com\/products\/grc-tools\/\">GRC<\/a>, third-party)<\/td><\/tr><tr><td>Timestamp<\/td><td>Date and time of initial creation and last updated<\/td><\/tr><tr><td>Supplier Name<\/td><td>Identifying information of the developers and suppliers of a component<\/td><\/tr><tr><td>Component Name<\/td><td>Name of component or list of multiple component names<\/td><\/tr><tr><td>Version String<\/td><td>Component version information with a versioning scheme<\/td><\/tr><tr><td>Component Hash<\/td><td>Cryptographic hashes or digital signatures of component data<\/td><\/tr><tr><td>Unique Identifier<\/td><td>Additional data related to component\u2019s place in the unique hierarchy<\/td><\/tr><tr><td>Relationship<\/td><td>Enumerates existence of upstream or downstream dependencies<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Some attribute data may require multiple inputs like supplier names, while other fields may not be fillable by the SBOM file author based on their visibility. In the latter case, the author should assert whether the field data is unknown, doesn&#8217;t exist, is partially known, or known.<\/p>\n\n\n\n<p>Other potential attributes to consider include usage info, licensing, end-of-life dates, third-party notices, component clusters, and how components affect downstream systems. 
In any instance, cryptographic <a href=\"https:\/\/www.esecurityplanet.com\/products\/best-iam-software\/\">authentication<\/a> of SBOMs is imperative for verifying their authenticity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Importance of Component Relationships<\/h3>\n\n\n\n<p>Whether it&#8217;s open-source, proprietary, or a combination, the components that merge into today&#8217;s software and their relationships impact organizations&#8217; bottom line. Starting with the primary component, developers and suppliers can define upstream component relationships that pertain to the product&#8217;s supply chain history.<\/p>\n\n\n\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/multi-party-cyberattacks-lead-to-big-losses\/\">Multi-Party Cyberattacks Lead to Big Losses<\/a><\/p>\n\n\n\n<p>In the following graphic, NTIA provides a conceptual example of charting relationships for a software application. In this example, the SBOM contains four components: the primary component and three upstream components. Though additional components may exist beyond these four, SBOM authors must work with existing knowledge. As seen in the flow chart and table, SBOMs can capture an image of component details and their relationship in the software supply chain.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2021\/10\/SBOM.Example.png\" alt=\"An image showing a conceptual graphics of SBOMs, including an SBOM flow chart and table. Source: NTIA Multistakeholder Process on Software Component Transparency Framing Working Group.\u00a0\nFraming Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM), 2nd ed., 2021, p. 
16.\" class=\"wp-image-19694\" width=\"758\" height=\"621\" srcset=\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example.png 1328w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-300x246.png 300w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-1024x839.png 1024w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-768x629.png 768w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-150x123.png 150w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-696x570.png 696w, https:\/\/assets.esecurityplanet.com\/uploads\/2021\/10\/SBOM.Example-1068x875.png 1068w\" sizes=\"(max-width: 758px) 100vw, 758px\" \/><figcaption><strong>Source:<\/strong> NTIA Multistakeholder Process on Software Component Transparency Framing Working Group.&nbsp;<br><em>Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)<\/em>, 2nd ed., 2021, p. 16.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"standards\">Need for Standardization<\/h2>\n\n\n\n<p>SBOMs need to follow industry-accepted formats that allow interoperability between different industries and organizations to make adoption a reality. With a few standards already in place, organizations have the framework to write, maintain, and share software component data quickly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SPDX: Software Package Data Exchange<\/h3>\n\n\n\n<p>Developed by the Linux Foundation in 2010, the Software Package Data Exchange (SPDX) is the leading open standard for SBOM formats. 
SPDX files include software components, copyrights, licenses, and security references.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2021\/10\/ESP.SPDX_-1024x278.png\" alt=\"The SPDX logo.\" class=\"wp-image-19698\" width=\"289\" height=\"69\"\/><\/figure><\/div>\n\n\n\n<p>The SPDX specification fits the NTIA proposed minimum standard for an SBOM and use cases for <a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-scanning-tools\/\">vulnerability scanning<\/a>, license compliance, and more. With SPDX Lite, organizations can utilize a compact subset of the SPDX standard for exchanging data. In August 2021, the SPDX became an official standard as ISO\/IEC 5962.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SWID: Software Identification Tagging<\/h3>\n\n\n\n<p>Towards the end of the 2010s, the International Organization for Standardization (ISO) began developing a standard for tagging software components with machine-readable IDs. Software Identification (SWID) Tags, as they&#8217;re now known, are the structured embedded metadata in software that communicates software product name, version, developers, relationships, and more.<\/p>\n\n\n\n<p>Like software asset management (SAM), SWID Tags can help automate <a href=\"https:\/\/www.esecurityplanet.com\/products\/patch-management-software\/\">patch management<\/a>, software integrity validation, vulnerability detection, and allowing or blocking software installations. ISO\/IEC 19770-2 was confirmed in 2012 and updated in 2015.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OWASP\u2019s CycloneDX<\/h3>\n\n\n\n<p>The OWASP Foundation designed CycloneDX as a part of its open-source software component analysis solution, Dependency-Track, in 2017. 
With use cases like vulnerability identification, license compliance, and analyzing outdated components, CycloneDX is a lightweight standard for multi-industry use. The fourth iteration of CycloneDX (1.3) was released in May 2021.<\/p>\n\n\n\n<p><strong>Read more:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/applications\/owasp-list-gets-a-new-top-vulnerability\/\">OWASP Names a New Top Vulnerability for First Time in Years<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"vex\">The Vulnerability-Exploitability eXchange (VEX)<\/h2>\n\n\n\n<p>Developed by the NTIA, the Vulnerability-Exploitability eXchange (VEX) offers an affirmation about the status of specific vulnerabilities in software products. By issuing a VEX, software suppliers inform clients of specific vulnerabilities that might not be exploitable. Examples of the vulnerability statuses a VEX can assert include:<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><tbody><tr><td><strong>Vulnerability Status<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>Fixed<\/td><td>Product version resolves a specific vulnerability<\/td><\/tr><tr><td>Known, Affected<\/td><td>Action required to address this vulnerability<\/td><\/tr><tr><td>Known, Not Affected<\/td><td>No action required<\/td><\/tr><tr><td>Under Investigation<\/td><td>Unknown vulnerability impact; vulnerability still in evaluation<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Like an SBOM, the VEX format offers a framework for more transparency between software stakeholders. For enterprise organizations, VEX is also machine-readable and provides for mass intake and automation of software component vulnerability management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"advantages\">Advantages of SBOM Adoption<\/h2>\n\n\n\n<p>Software bills of materials are beneficial to any organization that values mitigating additional risk and best cybersecurity practices. 
Vendors in vulnerability management, third-party risk management, and software composition analysis are already integrating SBOM services to assist organizations in the transition.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Streamline information sharing about software components and vulnerabilities<\/li><li>Share a product SBOM with ease via common data files (json, xml, html, pdf, or txt)<\/li><li>Enhance supply chain integrity with more informed developers, vendors, and clients<\/li><li>Prompt rollout and rollback of crucial patches and remediation steps<\/li><li>Improved record-keeping for software audits and regulatory compliance standards<\/li><li>Enhanced visibility into operational software, components, and system relationships<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to\">How to Create a SBOM<\/h2>\n\n\n\n<p>Software bills of materials should be living records updated to provide the most precise visibility into the source code components at play. For managing SBOMs, organizations first must identify pertinent software inventory items like unsafe info, vulnerabilities, licenses, and versions.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Collect component data, enumerate attribute data, and create the SBOM<\/li><li>Complete initial refinements before producing the primary component file<\/li><li>Review and finalize the file for release to stakeholders and prospective clients<\/li><li>Monitor integrity of the file, remediate identified alterations, and update the file<\/li><\/ol>\n\n\n\n<p>Though U.S. federal contractors will be the first required to create SBOMs, advocates have a global vision for including them in the software development process. As the existing standards become more popular, making an adjacent SBOM for each new software component will become best practice. 
The result will be a more robust ecosystem built on transparency.<\/p>\n\n\n\n<p><strong>Read more:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/cloud\/attackers-exploit-flaw-in-millions-of-routers-iot-devices\/\">Attackers Exploit Flaw that Could Impact Millions of Routers, IoT Devices<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"poc\">Proof of Concept: Healthcare SBOM<\/h2>\n\n\n\n<p>In October 2019, the NTIA published Phase I of its initiative to develop an SBOM Proof of Concept for software component transparency. Medical device manufacturers (MDM) producing SBOMs for use by healthcare delivery organizations (HDO) led the charge, and the result has been a foundation for continued development.<\/p>\n\n\n\n<p>Two years later, the NTIA completed <a href=\"https:\/\/ntia.gov\/files\/ntia\/publications\/healthcare_sbom_proof_of_concept_-_phase_ii_summary.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Phase II<\/a>. In findings published earlier this month, Phase II validated the accepted baseline elements and SPDX, enumerated standard software components and a <a href=\"https:\/\/ntia.gov\/files\/ntia\/publications\/howto_guide_for_sbom_generation_v1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">How-to Guide<\/a> for producers, and explored VEX use cases. Phase III goals include driving adoption across the healthcare sector, automating SBOM exchange, and addressing end-of-life products and services inefficiencies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sbom-cybersecurity\">What SBOMs Mean for Cybersecurity<\/h2>\n\n\n\n<p>Among information security&#8217;s objectives (Confidentiality, Integrity, and Availability), software bills of materials best address preserving the integrity of organization data and systems. As a formal document about software in use or development, the software component files can present added risk in safeguarding proprietary secrets. 
Likewise, an SBOM doesn&#8217;t directly affect the availability of data.<\/p>\n\n\n\n<p>SBOMs offer an industry precedent that expands transparency between developers, software vendors, and clients. With standards in place, organizations can securely inform partners of source code details during the contracting process. As SBOMs become more mainstream, organizations will have a more assertive posture to identify bugs, vulnerabilities, and zero-day threats. For cybersecurity professionals globally, SBOM adoption is a clear win.<\/p>\n\n\n\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/kaseya-breach-underscores-vulnerability-of-it-management-tools\/\">Kaseya Breach Underscores Vulnerability in Managed IT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As threat actors aim at IT supply chains, enhanced cybersecurity has been the recent driving force for industry adoption of the Software Bill of Materials (SBOM) framework. With a simple list of components that make up a software product, SBOMs enhance transparency between software buyers and sellers, provide the necessary visibility to identify vulnerabilities, and [&hellip;]<\/p>\n","protected":false},"author":250,"featured_media":19693,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[23],"tags":[4633,7783,22929],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[],"class_list":["post-19690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","tag-compliance","tag-risk-management","tag-vulnerability-management","b2b_audience-awareness-and-consideration"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SBOMs: Securing the Software Supply Chain | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"SBOMs offer transparency between software sellers and buyers and offer added security to the IT supply chain.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" 
\/>","yoast_head_json":{"title":"SBOMs: Securing the Software Supply Chain | eSecurity Planet","description":"SBOMs offer transparency between software sellers and buyers and offer added security to the IT supply chain.","canonical":"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/","article_published_time":"2021-10-26T14:51:31+00:00","article_modified_time":"2021-10-26T15:13:13+00:00","author":"Sam Ingalls"}}