We can't buy a piece of candy without knowing its ingredients, or design and sell a piece of machinery without accounting for each nut and bolt. Yet, even as supply chain uncertainty has emerged as a top information security risk, there is limited visibility into the third party components on the software running on our networks, and little market incentive for software suppliers to actually track their third party dependencies.
A "software bill of materials," or SBOM, can promote transparency of what code we're actually using across the entire software supply chain. Last summer, the US Department of Commerce launched a new "multistakeholder initiative" and convened experts to find consensus on the viability of this idea, and how we can make it a reality without government regulation. Participants from a range of sectors have spent the last year exploring this idea and its application in domains ranging from open source development to commercial DevOps to embedded medical devices.
This briefing will announce the initial results of that open, international, stakeholder-driven process. Participants found a shared vision of what an SBOM looks like, including sketching out a minimum viable product and optional extensions for different use cases. They conducted research across a range of sectors to identify existing practices and how different parts of the supply chain could be improved with the availability of SBOM data. Stakeholders also identified two existing and interoperable data formats (SWID and SPDX) that can be used to convey the SBOM data. A set of stakeholders even launched and documented a proof-of-concept exercise. We have collectively started to identify tools and formal processes to enable automation. Moving forward, we will need even greater participation and community buy-in to promote awareness and adoption, as well as identifying further challenges that we can tackle together.