software bill of materials (SBOM) (noun) [Word Notes] - Hacking Humans

Summary4 min read

Summary of "Hacking Humans" Podcast Episode: Software Bill of Materials (SBOM) Hosted by N2K Networks | Release Date: March 11, 2025

Introduction

In this episode of Hacking Humans, hosted by N2K Networks, the focus revolves around the concept of Software Bill of Materials (SBOM). SBOMs play a crucial role in enhancing cybersecurity by providing transparency into the components that constitute software products. This episode delves into the definition, significance, industry standards, and governmental mandates related to SBOMs, highlighting their impact on the future of software security.

Understanding SBOM

Nyla Genoi opens the discussion by clarifying the acronym SBOM:

“[01:34] Nyla Genoi: The word is SBOM, spelled S for software, B for bill and OM for of materials. A formal record containing the details and supply chain relationships of various components used in building software.”

She emphasizes that an SBOM is essentially a comprehensive inventory of all the components, including open-source libraries, embedded within a software product. This detailed documentation is vital for ensuring supply chain transparency and understanding the origin and context of each software component.

SBOM and Supply Chain Transparency

Genoi highlights the pervasive use of open-source components in software development:

“[01:34] Nyla Genoi: According to Forrester Sandy Corelli, on average, 75% of a software product is open source code, meaning developers are using existing commercially available software components to create new products.”

This reliance on open-source code introduces significant cybersecurity risks. Without a clear understanding of the nested software components, organizations may unknowingly incorporate compromised or vulnerable elements into their products. SBOMs address this issue by providing visibility into the software's composition, enabling better risk management and mitigation strategies.

Industry Standards and SPDX

The episode details the evolution of SBOM standards, particularly the role of the Software Package Data Exchange (SPDX):

“[01:34] Nyla Genoi: On September 9, 2021, the software package Data Exchange specification SPDX for short, became the international open standard for security, license compliance and other software supply chain artifacts.”

SPDX serves as the official standard for SBOMs, adopted by major corporations like Intel, Microsoft, Sony, and VMware. The standardization was the result of a decade-long collaboration among vendors in the Software Composition Analysis (SCA) space, which focuses on assessing open-source code libraries and containers to identify and remediate risks.

Genoi points out that while SCA tools have historically been niche, their importance is escalating:

“[01:34] Nyla Genoi: These are vendor tools that assess open source software code libraries and containers to provide a unified view of risks and remediations and offer strategies to keep this kind of software up to date.”

Government Mandates and Influence

A significant portion of the episode is dedicated to exploring the impact of President Joe Biden's Executive Order on Cybersecurity (EO1402A):

“[05:37] Joe Biden: Last night I signed an Executive Order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyber attacks. It outlines innovative ways the government will drive to deliver security in software using federal buying power to jumpstart the market and improve the products that all Americans use.”

This executive order mandates that all federal civilian executive branch agencies, along with key organizations like CISA, OMB, DHS, and the DoD, comply with specific cybersecurity requirements, including the deployment of SBOM programs by spring 2022. Consequently, vendors aiming to secure federal contracts must provide SBOM telemetry, positioning SBOMs as a competitive advantage in the commercial software market.

Genoi explains the broader implications:

“[01:34] Nyla Genoi: If this works out, the Presidential directive could fast track sbombs to an existing standard of protection against supply chain vulnerabilities.”

By enforcing SBOM requirements, the government is accelerating the adoption of standardized security practices, thereby enhancing the overall resilience of the software supply chain against cyber threats.

Future Implications of SBOM

The adoption of SBOMs is poised to transform the landscape of software development and cybersecurity:

Market Differentiation: Vendors providing comprehensive SBOMs will stand out in the marketplace, attracting customers who prioritize security and transparency.
Enhanced Risk Management: Organizations will be better equipped to identify and address vulnerabilities within their software, reducing the likelihood of breaches and cyber attacks.
Standardization and Compliance: As SBOMs become standardized, they will simplify compliance with regulatory requirements and facilitate smoother interactions between different entities within the software supply chain.

Conclusion

This episode of Hacking Humans effectively underscores the pivotal role of SBOMs in modern cybersecurity. By detailing the definition, significance, industry standards, and governmental mandates surrounding SBOMs, the podcast highlights how these tools are integral to safeguarding software supply chains against increasingly sophisticated cyber threats. As SBOM adoption becomes more widespread, it is set to become a cornerstone of secure software development practices.

Notable Quotes:

Nyla Genoi [01:34]:

"The word is SBOM, spelled S for software, B for bill and OM for of materials. A formal record containing the details and supply chain relationships of various components used in building software."
Joe Biden [05:37]:

"Last night I signed an Executive Order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyber attacks."

This comprehensive summary captures the essence of the episode, providing insights into SBOMs' critical role in enhancing cybersecurity and ensuring supply chain transparency. Whether you're a cybersecurity professional or someone interested in the intricacies of software security, this episode offers valuable perspectives on the evolving landscape of cyber defense.

Loading summary

Transcript7 lines

[00:02]
Cyberwire Host
You're listening to the Cyberwire network, powered by N2K.
[00:12]
Zscaler Representative
And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security.
[01:35]
Nyla Genoi
The word is SBOM, spelled S for software, B for bill and OM for of materials A formal record containing the details and supply chain relationships of various components used in building software. Example sentence sboms are lists of nested software components designed to enable supply chain transparency, origin and context. According to the NIST Cybersecurity Framework, if an organization does not know what its software contains, it should assume that the software is compromised and develop an appropriate risk management plan. Today, very little software is completely original. According to Forrester Sandy Corelli, on average, 75% of a software product is open source code, meaning developers are using existing commercially available software components to create new products. This presents a cyber risk management problem because customers typically receive software products without understanding the nested software contained within. On September 9, 2021, the software package Data Exchange specification SPDX for short, became the international open standard for security, license compliance and other software supply chain artifacts. In other words, they became the official SBOM standards body despite only being internationally recognized for a short while. Companies like Intel, Microsoft, Sony and VMware are already using the SPDX standards to communicate SBOM information. SPDX wasn't an overnight invention, though. It was the result of 10 years of collaboration from vendors across the Software Composition Analysis Space or SCA space. These are vendor tools that assess open source software code libraries and containers to provide a unified view of risks and remediations and offer strategies to keep this kind of software up to date. Still, tools from this market have not been an essential component to most development teams, except for highly specific software niche requirements. That may be beginning to change, though. President Joe Biden's May 2021 executive order on cybersecurity, EO1402Amandates that all federal civilian executive branch agencies and key players like CISA, OMB, DHS, and the DoD meet or exceed specific cybersecurity requirements. Among a long list that includes zero trust improvements to the federal acquisition regulation or far improved information sharing between agencies and secure cloud deployment, there is a specific requirement to deploy a minimum SBOM program, which by the spring of 2022, with the US government mandating SBoM requirements, vendors that sell to the US government will have to comply. It's tough to predict these things, but once government contractors routinely provide SBOM information, that capability becomes a discriminator against other software vendors in the commercial space. Why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do? If this works out, the Presidential directive could fast track sbombs to an existing standard of protection against supply chain vulnerabilities. Nerd Reference On 16 May 2021, President Biden spoke to the press about the Colonial Pipeline ransomware attack and the need to make infrastructure more resilient. He announced his Executive Order on Improving the Nation's Cybersecurity and described the goals behind it.
[05:37]
Joe Biden
Last night I signed an Executive Order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase reliance against cyber attacks. It outlines innovative ways the government will drive to deliver security in software using federal buying power to jumpstart the market and improve the products that all Americans use.
[06:13]
Nyla Genoi
Word Notes is written by Nyla Genoi, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound, design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
[06:35]
Unknown
Foreign.
[06:45]
Yubico Representative
Cyber threats are more sophisticated than ever. Passwords. They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door. The login Yubico believes the future is passwordless. Yubikeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.