30.Lock Globe Motherboard

To really secure software, you need to know what's inside its code. That's why a software bill of materials is essential today. It used to be that we didn't worry that much about our code's security. Bad binaries, sure. The code itself? Not so much. We were so foolish.


Then came one security slap in the face after another: The SolarWinds software supply chain attack, the ongoing Log4j vulnerability, and the npm maintainer protest code gone wrong have made it clear that we must clean up our software supply chain. That's impossible to do with proprietary software since its creators won't let you know what's inside a program. But with open-source programs, this can be done with a software bill of materials (SBOM), pronounced “s-bomb”.

Indeed, SBOMs are no longer just a good idea; they're a federal mandate. According to President Joe Biden's July 12, 2021, Executive Order on Improving the Nation’s Cybersecurity, they're a requirement. The order defines an SBOM as "a formal record containing the details and supply chain relationships of various components used in building software." It's an especially important issue with open-source software, since "software developers and vendors often create products by assembling existing open-source and commercial software components."