
What Is an SBOM? The Importance of a Software Bill of Materials

Cyber attacks like Log4Shell have led the Biden administration to work closely with security experts, as well as the Cybersecurity and Infrastructure Security Agency (CISA) to produce government resources and legislation intended to improve the United States’ security posture.

August 24, 2022

On August 17, the US House of Representatives passed H.R. 7900 – National Defense Authorization Act for Fiscal Year 2023, and section 6722 states that all organizations seeking to conduct business with the Department of Defense (DoD) or the Department of Energy (DoE) are now required to provide a Software Bill of Materials (SBOM) for every new and existing software contract.

What is a Software Bill of Materials (SBOM)?

A Software Bill of Materials (SBOM) is technical documentation that lists the components used in a specific piece of software. Much like a list of ingredients, an SBOM includes the third-party libraries, Open Source Software, and commercial libraries the software is built from.

Although the concept may seem simple, organizations are often not aware of every component contained in deployed software, and this creates serious security concerns—since a single vulnerable component can give threat actors an opening to exploit. Situations like these have been observed in recent supply chain attacks, but the full force of this was felt when Log4Shell was discovered. Hundreds of vendors were caught off-guard because they were unsure whether their own products contained vulnerable versions of the widely used log4j library. Months after the initial disclosure, vendors were still publishing advisories and fixes for their own software.

How Flashpoint assists SBOM use cases

SBOM, CycloneDX, and Dependency-Track

Organizations will be facing incredible pressure from their own leadership, as well as from the federal government, to produce and maintain SBOMs. To assist organizations, Flashpoint’s VulnDB® offering integrates with SBOM standards like CycloneDX. CycloneDX was designed in 2017 by Steve Springett, Senior Architect at ServiceNow, for use with the open source OWASP Dependency-Track project.

Early last year, Steve spoke with Jake Kouns, General Manager at Risk Based Security, to define SAST, DAST, IAST, SCA, and SBOM, in addition to the PURL standard. Check out the video below to learn more about SBOMs and how CycloneDX generates them (timestamps included):

Remediating vulnerabilities affecting listed items

While the ability to create SBOMs is important, the ability to identify and remediate vulnerabilities affecting the listed items is equally vital. However, organizations may discover that triaging and remediating vulnerabilities affecting listed items, especially components that are third-party libraries or open source software, can prove difficult.

Chances are that once a bill of materials is generated, security teams will have to conduct lengthy research triaging the discovered components. Even after hours of research, teams that rely on CVE / NVD may have little to show for it, because CVE / NVD lacks significant coverage of vulnerabilities affecting third-party libraries, open source software, and legacy software. And for the vulnerabilities it does capture, it often lacks the actionable details needed for remediation.

Therefore, to maintain a quality SBOM, organizations need comprehensive and detailed vulnerability intelligence. Using VulnDB®, security teams have access to over 297,000 vulnerabilities, including over 94,000 missed by CVE / NVD.
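The triage step described above, matching each listed component against a vulnerability feed, as an added example that is not Flashpoint's, CycloneDX's or Dependency-Track's code. It assumes a constructed CycloneDX JSON SBOM and a constructed feed keyed by package URL (PURL) with a placeholder id and an illustrative version range; components without a PURL are reported separately for manual research.

```python
import json, re

# Constructed CycloneDX JSON SBOM (sample data, not any vendor's real BOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "in-house-util", "version": "1.0"}
  ]
}"""

# Constructed vulnerability feed; the id and the version range are placeholders.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

def version_key(version):
    # Compare on the leading digits of each dotted part: "2.14.1" -> (2, 14, 1).
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in version.split("."))

def split_purl(purl):
    # Strip the version, qualifiers (?...) and subpath (#...) from a package URL.
    base, _, rest = purl.partition("@")
    return base, re.split(r"[?#]", rest)[0]

def is_affected(version, vuln):
    # Range is [introduced, fixed); a missing "fixed" means no fix is known yet.
    key = version_key(version)
    if key < version_key(vuln["introduced"]):
        return False
    return "fixed" not in vuln or key < version_key(vuln["fixed"])

def find_affected(sbom_json, feed):
    """Return (hits, unmatched): (purl, vuln id) pairs and names lacking a PURL."""
    hits, unmatched = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp.get("name", "?"))  # needs manual triage
            continue
        base, version = split_purl(purl)
        for vuln in feed:
            if vuln["purl"] == base and is_affected(version or comp.get("version", "0"), vuln):
                hits.append((purl, vuln["id"]))
    return hits, unmatched
```

Running `find_affected(SBOM_JSON, VULN_FEED)` flags only the 2.14.1 entry and lists `in-house-util` as unmatched.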

Each vulnerability entry found in VulnDB® has actionable metadata and all known details. VulnDB® captures the following and more:

Detail                        | VulnDB® | CVE / NVD
Exploit details               | Yes     | Limited
Attack location details       | Yes     | Limited
Solution details              | Yes     | Limited
Technical notes               | Yes     | No
Affected product              | Yes     | Limited
Affected versions             | Yes     | Limited
Vendor & Product Risk Ratings | Yes     | No

Maintain quality SBOMs with Flashpoint

Organizations that are able to provide quality SBOMs to their supply chain, as well as to regulatory agencies, will be able to demonstrate a strong security posture. Using VulnDB®, organizations can discover critical vulnerabilities affecting listed items in their bill of materials—and use Flashpoint data to address them in a timely manner. Sign up for a free VulnDB® trial to take advantage of quality vulnerability intelligence, as well as its integration with CycloneDX.

Do you have specific third-party libraries or OSS components that you need researched? Contact us to add targeted coverage to your vulnerability intelligence.

Begin your free trial today.