What Is a Software Bill of Materials?
Ed Moyle, systems and software security director at Drake Software and member of the ISACA Emerging Trends Working Group, defines a software bill of materials as “a manifest of things — software components and dependencies — within a piece of software.” Because software is not always created from scratch but can be drawn from various commercial or open-source components, the bill of materials provides a full list of what’s inside, typically after the software is completed.
The SBOM also helps track dependencies, inter-dependent relationships between software components that help them function. Tracking those is no small challenge. “This is harder than it sounds because each dependency has its own set of dependencies,” says Moyle.
Thankfully, that’s why most SBOMs are autogenerated. “There are scanning tools that do the job of scanning a piece of software to identify all the dependencies it has — including the less obvious pieces — in building out a software bill of materials,” says Al Gillen, group vice president for software development and open-source research at IDC.
What Goes into a Software Bill of Materials?
The National Telecommunications and Information Administration has created a useful standard for what should go in an SBOM. They cover three primary areas:
- Data fields: These spell out basic information about software components, including supplier name, component name, component version, unique identifiers, dependency relationships, software bill of materials author and time stamp.
- Automation support: A software bill of materials is required to be in a machine-readable format such as SPDX, SWID tags or CycloneDX. That’s important because creating a software bill of materials is too difficult for a human to do alone. “Trying to track all dependencies manually would be tremendous work, if not ultimately impossible,” says Moyle.
- Practice and processes: This element details the specifics about the use of a given software bill of materials, such as how it is distributed, how it deals with mistakes, and how it identifies unknown elements in software components.