Despite its simplicity, the "software bill of materials" (SBOM) has been met with apathy and hostility, especially in policy circles. Why has this common industrial concept been so unpopular when translated into the information security context, and how can it potentially revolutionize our industry? This talk will shed light onto the policy context of this discussion, and lay out a vision of how members of the security community can win over the naysayers to foster greater transparency.
The US Department of Commerce recently announced a new 'multistakeholder initiative' on software bill of materials. The goal is for software and IoT vendors to share details on the underlying components, libraries, and dependencies with enterprise customers. This transparency can catalyze a more efficient market for security by allowing vendors to signal quality and giving enterprise customers key knowledge—you can't defend what you don't know about.
This transparency creates a new paradigm of shared security responsibilities, where an enterprise customer can have greater insight into what is running on their network. This, in turn, complicates existing relationships between vendor and customer. With this transparency, how can vendors offer assurances that a discovered vulnerability doesn't affect a particular product? How can vendors safeguard trade secrets with an incomplete SBOM, along the lines of "natural and artificial flavorings" on an ingredient list? And lastly, how will this inform the emerging debate over end-of-life in the IoT space, particularly for medical devices and automobiles that have a physical life space beyond their software support model? None of these hurdles are insurmountable, but solutions will require finding common ground. A world where SBOMs are more common can be a more secure world, but we'll need to tackle the newly raised policy issues as well.