Software Bill of Materials: Protect Yourself, Protect Your Supply Chain

essidsolutions

Device and IoT manufacturers must manage risk around the rapidly growing dependency on open source software, which directly impacts trust among software supply chain vendors and suppliers. Mark Gisi, director of the open source program office at Wind River Systems, discusses how a software bill of materials (SBOM) plays a critical role.

Imagine that you’ve injured yourself. You think you’ve broken a bone—maybe a toe. You go to a doctor to determine what’s happened and how to treat the injury. 

Who would you trust more? The doctor who just looks at the outside of your foot or the doctor who orders and reads an x-ray for clarity into what’s actually going on inside. 

Just as x-rays provide insight into what’s happening in your body, an open source software bill of materials (SBOM) provides details of what’s going on inside your software and how to handle it. 

Device and IoT manufacturers need to effectively manage risk around the rapidly growing dependency on open source software (OSS), which directly impacts trust among software supply chain vendors and suppliers. For this reason, the SBOM is a cornerstone of every robust software composition analysis (SCA) program. Here we’ll look at why that is, the critical role the SBOM plays in establishing trust around the use of open source, and why a quality SBOM is essential to the success of both internal and external stakeholders.

The Growing Dependency on Open Source Software

Modern-day software solutions have a rapidly growing dependency on OSS. The majority (>80%) of contemporary devices are constructed from open source; device manufacturers then write apps on top of that to create the functionality they need. Using open source comes with the mandate to do so responsibly, including complying with all licenses. There are more than 100 such licenses, including Apache, BSD, GPL, LGPL, MIT, OpenSSL, Python, and many more. 

You can’t comply with the open source component licenses unless you know what components exist. In the software supply chain, knowing exactly what’s in your code will help minimize risk. Mitigating risk around your use of open source software fosters customer trust in the safety and compliance of your product, while simultaneously contributing to your value proposition.


Importance of Trust in Open Source

When companies buy any software product, they want to know what’s in the code. Over the past decade or so, the focus of trust in open source has grown. Several key milestones in the evolution of technologies that help establish trust include: 

    • 2010: The Software Package Data Exchange (SPDX) format is a Linux Foundation-led initiative that provides a standard for exchanging software component information among organizations, including file-level licenses, copyrights and, more recently, security references. The SPDX format is often used to share the output of a comprehensive source code analysis and was recently approved to become an ISO standard in 2021.
    • 2015: The Linux Foundation’s OpenChain initiative defines the set of requirements every high-quality open source compliance program must satisfy. Adopting and conforming to this specification conveys that a company’s handling of open source can be trusted, which in turn provides a competitive advantage. OpenChain became an ISO standard in 2020.
    • 2020: The National Telecommunications and Information Administration (NTIA) advanced efforts for increased transparency into software components through its guidelines for SBOMs. The U.S. Food & Drug Administration (FDA) is also requiring a bill of materials for medical device vendors.
    • 2021: President Biden signed the executive order on improving the nation’s cybersecurity, giving customers and government alike insight into flaws and risks in software and their respective devices.
    • 2025: Already used for tracking drug and medical supply chains, blockchain will provide an open source chain of custody tracking, making it a critical pillar for establishing trust across the software supply chain in the coming years.

As these initiatives gain momentum, customers are increasingly eager to know what’s in their code. An SBOM provides that transparency, protecting them from risks and vulnerabilities in the supply chain, such as the SolarWinds hack discovered in December 2020. The SBOM provides a broad range of benefits by facilitating the management of risks related to export compliance, licensing, safety, security, and mergers & acquisitions (M&A) events.


Why Embedded Devices Need SBOMs

Because of how it is distributed, an embedded device carries higher risks compared to a software-as-a-service (SaaS) solution. An embedded operating system functions as the nervous system of a product. Comprehensive insight into each of its components is necessary in order to ensure security, compliance (with licenses and for export), and functional safety analysis. 

Every company that has open source in its device must also deliver a collection of compliance artifacts in order to ship that device. The artifacts may include the source code, legal notices, an open source SBOM, and SPDX data. Simply put: you can’t ship your product if you’re not compliant.

As such, customers value an SBOM and, increasingly, are including it as a contractual obligation. In 2020, the number of contracts where an SBOM was requested by our customers more than doubled over 2018. All embedded device manufacturers will soon be called on to deliver an SBOM, if not doing so already.


Components of a Quality SBOM

Although an industry standard SBOM isn’t yet formalized, we have been preparing and delivering SBOMs with our products for almost a decade. We continue to evolve its content based on current industry practices; today we include:

  • Component name
  • Component’s top-level license
  • Compliance legal notices
  • SPDX data

Sample open source software bill of materials. (Source: Wind River Systems)

The SPDX data is provided for every open source package (component). (A package with 1,000 files will have 1,000 entries in the SPDX data, for example.) The machine-readable text enables customers to import fine-grained data into their compliance program, providing license designations file by file; this data can also be provided in an Excel spreadsheet for human consumption. Because the SPDX data is stored in a standard format, customers can easily transform it into whatever format they prefer.
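As an added illustration (not Wind River’s tooling or data from the page), the following Python parses a constructed SPDX 2.x tag-value fragment into the SBOM fields listed above (component name, top-level license, file-by-file license designations), flags the files whose license the scanner could not conclude and therefore still need human review, and flattens the result into spreadsheet-style rows. The tag names are standard SPDX 2.x tag-value fields; the package, paths and licenses are made up.

```python
# Constructed SPDX 2.x tag-value sample (not from any real product): one
# package, three files, one of which the tooling could not classify.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.4.2
PackageLicenseDeclared: MIT
FileName: ./src/core.c
LicenseConcluded: MIT
FileName: ./src/compat/strlcpy.c
LicenseConcluded: BSD-3-Clause
FileName: ./src/util.c
LicenseConcluded: NOASSERTION
"""

def parse_spdx(text):
    """Return {component: {"version", "top_level", "files": {path: license}}}; tag-value order matters."""
    packages, pkg, path = {}, None, None
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line or comment
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            pkg = packages.setdefault(value, {"version": "", "top_level": "NOASSERTION", "files": {}})
        elif pkg is None:
            continue  # document-level header fields before the first package
        elif tag == "PackageVersion":
            pkg["version"] = value
        elif tag == "PackageLicenseDeclared":
            pkg["top_level"] = value  # the component's top-level license
        elif tag == "FileName":
            path = value
            pkg["files"][path] = "NOASSERTION"  # overwritten when LicenseConcluded follows
        elif tag == "LicenseConcluded" and path is not None:
            pkg["files"][path] = value  # file-by-file license designation
    return packages

def files_needing_review(pkg):
    """NOASSERTION/NONE means the scanner could not decide; these need human review."""
    return sorted(f for f, lic in pkg["files"].items() if lic in ("NOASSERTION", "NONE"))

def sbom_rows(packages):
    """Flatten to one row per file: the layout a spreadsheet export would use."""
    return [(n, p["version"], p["top_level"], f, lic)
            for n, p in packages.items() for f, lic in sorted(p["files"].items())]
```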

Organizations must balance the amount of time they invest in codebase scanning and analysis with the desired quality of the output. This is where the right tooling can yield a higher quality bill of materials in less time. Companies can use software composition analysis tools to help identify all evidence of the open source software used—thereby enabling them to take the open source vulnerability and license compliance programs to a higher level. The tools can also be used to validate what’s in their vendors’ source code—proverbially speaking, the tools help companies to look for the open source needle in the proprietary haystack.

The quality of the bill of materials is a function of several factors. At the basic level, it can include data pulled from automated SCA. A more robust SBOM is generated by combining automation with engineering disclosures. The highest quality SBOM (required by our largest customers) is one that integrates automation, disclosures, and analysis—effectively combining tooling with human review. 


Value of SBOMs

Beyond providing assurance to your customers, the SBOM is a core pillar that supports various internal functions, including license compliance, security management, export compliance, and functional safety (particularly imperative for products that could pose a risk of physical harm, from elevators to airplanes). Without a quality bill of materials, these other functions suffer. 

With the x-ray vision provided by an open source SBOM, you’re able to provide an inside look. This critical asset helps establish much greater trust with customers, demonstrating that the supplier is highly disciplined with the handling and use of open source software. The precautions you take to protect yourself and your supply chain can help you build trust with—and deliver value to—your customers. 
