software bill of materials (SBOM) (noun) [Word Notes] - CyberWire Daily

Summary

CyberWire Daily Podcast Summary
Episode: Software Bill of Materials (SBOM)
Host/Author: N2K Networks
Release Date: March 11, 2025

Introduction to SBOM

In this episode of CyberWire Daily, hosted by N2K Networks, cybersecurity expert Nyla Genoi delves into the critical topic of the Software Bill of Materials (SBOM). SBOMs are emerging as essential tools for enhancing software supply chain transparency and managing cybersecurity risks in an increasingly interconnected digital landscape.

Understanding SBOM

Nyla Genoi begins by defining SBOMs, stating, “The word is SBOM, spelled S for software, B for bill and OM for of materials” (01:34). An SBOM is a comprehensive record detailing the various components and their supply chain relationships used in building software. Genoi emphasizes that SBOMs are essentially “lists of nested software components designed to enable supply chain transparency, origin and context” (01:34).

Importance of SBOMs in Cybersecurity

Genoi highlights the significance of SBOMs within the NIST Cybersecurity Framework, noting that "if an organization does not know what its software contains, it should assume that the software is compromised and develop an appropriate risk management plan" (01:34). This underscores the necessity for organizations to have visibility into the components that constitute their software to effectively mitigate potential security threats.

Prevalence of Open Source in Software Development

Addressing the modern software development paradigm, Genoi cites Forrester’s Sandy Corelli, revealing that “on average, 75% of a software product is open source code” (01:34). This reliance on open source components introduces significant cybersecurity risks, as the intricate nesting of software elements can obscure vulnerabilities and complicate risk management for customers who receive these compounded software products.

SBOM Standards and Adoption

The episode proceeds to discuss the establishment of SBOM standards, particularly the Software Package Data Exchange (SPDX). Genoi explains that on September 9, 2021, SPDX became the international open standard for SBOMs, gaining recognition from industry giants like Intel, Microsoft, Sony, and VMware (01:34). This standardization is crucial for enabling consistent communication and utilization of SBOM information across various platforms and organizations.

Evolution of Software Composition Analysis (SCA) Tools

Genoi traces the evolution of SBOMs to a decade of collaboration within the Software Composition Analysis (SCA) space. These tools assess open source libraries and containers, providing unified views of associated risks and remediation strategies. Despite their advanced capabilities, SCA tools have historically been niche, catering to specific software development needs. However, this trend is shifting as the importance of supply chain security gains prominence.

Impact of Government Mandates on SBOM Adoption

A pivotal moment for SBOM adoption, as discussed by Genoi, was President Joe Biden's May 2021 Executive Order on Cybersecurity (EO1402A). This directive mandates that all federal civilian executive branch agencies, along with key players like CISA, OMB, DHS, and the DoD, meet stringent cybersecurity requirements by deploying SBOM programs by spring 2022 (01:34). Genoi suggests that this government mandate is likely to accelerate SBOM adoption among vendors, as compliance becomes a competitive differentiator in the commercial sector. She posits, “Why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do?” (01:34).

Presidential Support and Future Outlook

Highlighting the broader governmental support for SBOMs, the podcast features a clip of President Joe Biden at 05:37, stating:

“Last night I signed an Executive Order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyber attacks.”

Biden further elaborates on leveraging federal buying power to enhance software security, indicating a strong governmental push towards making SBOMs a standard practice for safeguarding software supply chains.

Conclusion

In conclusion, Nyla Genoi underscores the transformative potential of SBOMs in fortifying cybersecurity frameworks. With increasing reliance on open source components and escalating cyber threats, SBOMs emerge as indispensable tools for ensuring software integrity and resilience. The episode effectively conveys the urgency for widespread SBOM adoption, driven by both industry standards and governmental mandates, positioning SBOMs as a cornerstone of modern cybersecurity strategy.

Notable Quotes:

Nyla Genoi (01:34): “SBOMs are lists of nested software components designed to enable supply chain transparency, origin and context.”
Nyla Genoi (01:34): “Why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do?”
President Joe Biden (05:37): “It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyber attacks.”

For more insights and detailed discussions on cybersecurity, subscribe to CyberWire Daily by N2K Networks.

Transcript

Cyberwire Host (0:02)

You're listening to the Cyberwire network, powered by N2K.

Zscaler Representative (0:11)

And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security.

Nyla Genoi (1:34)

The word is SBOM, spelled S for software, B for bill and OM for of materials A formal record containing the details and supply chain relationships of various components used in building software. Example sentence sboms are lists of nested software components designed to enable supply chain transparency, origin and context. According to the NIST Cybersecurity Framework, if an organization does not know what its software contains, it should assume that the software is compromised and develop an appropriate risk management plan. Today, very little software is completely original. According to Forrester Sandy Corelli, on average, 75% of a software product is open source code, meaning developers are using existing commercially available software components to create new products. This presents a cyber risk management problem because customers typically receive software products without understanding the nested software contained within. On September 9, 2021, the software package Data Exchange specification SPDX for short, became the international open standard for security, license compliance and other software supply chain artifacts. In other words, they became the official SBOM standards body despite only being internationally recognized for a short while. Companies like Intel, Microsoft, Sony and VMware are already using the SPDX standards to communicate SBOM information. SPDX wasn't an overnight invention, though. It was the result of 10 years of collaboration from vendors across the Software Composition Analysis Space or SCA space. These are vendor tools that assess open source software code libraries and containers to provide a unified view of risks and remediations and offer strategies to keep this kind of software up to date. Still, tools from this market have not been an essential component to most development teams, except for highly specific software niche requirements. That may be beginning to change, though. President Joe Biden's May 2021 executive order on cybersecurity, EO1402Amandates that all federal civilian executive branch agencies and key players like CISA, OMB, DHS, and the DoD meet or exceed specific cybersecurity requirements. Among a long list that includes zero trust improvements to the federal acquisition regulation or far improved information sharing between agencies and secure cloud deployment, there is a specific requirement to deploy a minimum SBOM program, which by the spring of 2022, with the US government mandating SBoM requirements, vendors that sell to the US government will have to comply. It's tough to predict these things, but once government contractors routinely provide SBOM information, that capability becomes a discriminator against other software vendors in the commercial space. Why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do? If this works out, the Presidential directive could fast track sbombs to an existing standard of protection against supply chain vulnerabilities. Nerd Reference On 16 May 2021, President Biden spoke to the press about the Colonial Pipeline ransomware attack and the need to make infrastructure more resilient. He announced his Executive Order on Improving the Nation's Cybersecurity and described the goals behind it.