What’s a software bill of materials? A CTO clued us in on the new transparency requirement

There’s a lot to unpack in the federal government’s new cybersecurity executive order, which was signed by President Joe Biden earlier this month.

Among calls for a safety review board, increased threat information-sharing and a multifactor authentication add-in that was a long time coming, the Biden administration also called out the transparency issues in government software.

“The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack and adequate controls to prevent tampering by malicious actors,” the executive order reads. “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.”

As a result, the EO crafters snuck in a requirement for companies contracting with the government to provide a software bill of materials, also known as an SBOM, either with the product or posted on a public website. Essentially an ingredients list for developers, SBOMs are a written list of all the components that went into a piece of software.

This isn’t the first time the government has looked into more transparency for software. Fulton, Maryland-based Sonatype has spent the last 10 years advocating for such moves, and worked with members of Congress on the Cyber Supply Chain Management and Transparency Act of 2014, which called for something similar to an SBOM under a different name.

Brian Fox, Sonatype’s chief technology officer, told Technical.ly that the company mainly works on products to help companies manage risk when developing products using open source data. As its resident SBOM expert, we asked him to give us the 411 on what they are, and what it means to have the mandate in the executive order.

So, what’s an SBOM?

In a nutshell, Fox said you can think of an SBOM like an ingredients list on the back of a snack food box. At bare minimum, it includes everything that makes up a software product, but some also may have data like potential vulnerabilities and licenses associated with the software.

While it might seem like an easy chance to snoop on what everyone else has going on in their software, Fox said the real value in SBOMs is the increased transparency that allows the companies themselves to know what they have. Knowing whether or not you have the latest version of a certain component or if the coding includes a particular vulnerability can help keep companies better prepared for future cyberattacks, or knowing if a system upgrade is required, Fox said.

He compared it to a car, and how an engine is really a bunch of smaller parts instead of one big thing.

“So you know what version of the pistons it has and who supplied them, which version of the brake pads, and this is important in physical world because how else would they do a recall?” Fox said. “But in the software world it’s been completely opaque. The software bill of materials is an attempt to try and change that.”

On a simplified level, including SBOMs in the executive order means that, in the near future, anyone wanting to sell software to the government is going to need a bill of materials before anything gets purchased. And the increased transparency likely means the government will be a little more protected, since it can have a better idea of what’s going on in its systems.

Why should you care?

Having a thorough SBOM is practical for companies looking to protect against cyber threats. Many companies, Fox said, are so out of touch with their own software that they might not even know who to call to find out about what’s in a certain component. Even though most vulnerabilities are remote, meaning there’s evidence on the network, it can be hard to create a defense if you don’t know what to look for.

But, Fox pointed out, not having an SBOM might mean you’re the only one out of the loop.

“What often happens in these instances is that even if you don’t know what’s in your own software, that doesn’t mean the bad guys can’t figure it out,” Fox said.

Plus, while the EO only calls on the federal government to require SBOMs, Fox added that given the wide breadth of the US government’s purchasing power, this will likely affect almost every major software company on some level. It even might shape general best practices in purchasing. He added that he can easily imagine other industries like banking including similar requirements, and he’s already seen it spread into the health industry.

No, it’s not going to mean copycat development

For developers, Fox said that it might be interesting to see what others are using to build in their software, but he doesn’t think it will be of much help when creating new products. He added that many informed developers probably are already able to guess what’s in certain software based on what it does and the popularity of development methods.

An SBOM also doesn’t necessarily show how all of the components work together, so Fox doesn’t foresee them leading to a lot of duplicate systems.

“I think it’s an excuse that some people raise is a reason to not provide a transparency,” Fox said of the copycat issue. “I’m sure Coke and Pepsi look at what’s in each other’s things, but they probably could have guessed it right anyway. The main ingredients are not the secret sauce.”

The standardization problem

So, sure, it could be pretty neat to have a better idea of everything that’s going on in the development process. But there’s a catch. At the moment, including SBOMs in the executive order really only means that sellers need to provide something. Currently, there’s no standardization for SBOMs. And given the complexities of development, there’s no real way to check that the information is correct or up-to-date without third-party management.

“I worry that a lot of companies are going to do it in a check-the-box kind of fashion, in a very manual way,” Fox said. “The problem will be for some period of time that there’s no way to verify if the SBOM is actually correct.”

To help this, Fox said Sonatype has been advocating for automated exchangeable information for additional transparency. But for now, the executive order is the first step in getting people talking about how transparency can help with vulnerability protection.

“The EO is going to provide a big shot in the arm to this effort to get people really paying attention to the sad state of software that I see,” Fox said.