IIC Journal of Innovation 20th Edition Trustworthy July 2022, 20th Edition | Page 80

The one exception to this rule is if a serious vulnerability has been identified in one of the software products included in the device, which requires an immediate patch; in such a case, it is hoped that most device suppliers will quickly issue a special patch or update, without waiting for the next scheduled full device update.
Therefore, device manufacturers should provide a single SBOM for all the software (including the real-time operating system if present) and firmware in the device. They should re-issue the SBOM whenever they “push out” a new device software update. However, even though the device software is composed of multiple software and firmware products, the manufacturer will not usually provide SBOMs for those individual products, although their customers would certainly welcome that.

4 IDENTIFYING VULNERABILITIES IN DEVICES VS. USER-MANAGED SOFTWARE

SBOMs are a tool for managing risks of two primary types: component licensing risks and component cybersecurity risks. While managing component licensing risks is important primarily for software developers, managing component cybersecurity risks is important for any organization that uses software to achieve its organizational goals – i.e., just about every public or private organization on the planet, whether a developer or an end user of software.
In fact, probably the most important type of software cybersecurity risk today arises from the presence of vulnerabilities in software components. Vulnerabilities appear frequently, but they are difficult to identify and qualify. This makes component vulnerability risk management one of the hardest tasks confronting any organization that needs to manage the security risks posed by its use of IoT or IIoT devices.

4.1 USER-MANAGED SOFTWARE RISK MANAGEMENT

How does an organization manage component vulnerability risks using SBOMs? For user-managed software products, the steps include those below. Note that all steps after step A require the use of an automated tool that can ingest SBOMs and VEX documents, or else a third-party service that performs these same tasks on behalf of the organization. Currently (July 2022), there are no tools or subscription-type services available that perform all of these steps, although it is likely that this situation will change soon.
A. For every important software product used by the organization (other than cloud-based software¹⁰), obtain the supplier’s agreement to provide a new SBOM whenever any change has occurred in the software.
¹⁰ Cloud-based software probably contains as many vulnerabilities as on-premises software, so it should be tracked just as closely. However, as of the writing of this article (April-May 2022), there has been little discussion in the SBOM community about how to manage component vulnerability risks for cloud-based software, so it is impossible now to provide guidelines for that process.
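As an added illustration, not code from the article or from any of the tools it mentions, the core matching step that an SBOM/VEX ingestion tool of the kind described above would perform: take the single device-level SBOM (firmware included), look up known vulnerabilities for each component, and apply the supplier's VEX statements so that only items still needing action remain. All data is constructed, the vulnerability identifiers are placeholders, and the simplified SBOM/VEX record layout and status vocabulary are assumptions rather than a specific standard's schema.

```python
# Constructed sample: one SBOM covering the whole device, firmware and RTOS included,
# re-issued by the manufacturer with each device software update.
DEVICE_SBOM = {
    "device": "example-gateway",
    "firmware_version": "2.3.1",
    "components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "busybox", "version": "1.33.0"},
        {"name": "rtos-kernel", "version": "5.2"},
    ],
}

# Constructed vulnerability feed: (component, version) -> placeholder vulnerability ids.
VULN_FEED = {
    ("openssl", "1.1.1k"): ["VULN-PLACEHOLDER-1", "VULN-PLACEHOLDER-2"],
    ("busybox", "1.33.0"): ["VULN-PLACEHOLDER-3"],
}

# Constructed VEX statements from the device supplier. The status vocabulary
# (affected / not_affected / fixed / under_investigation) is assumed here.
VEX = [
    {"vuln": "VULN-PLACEHOLDER-1", "component": "openssl", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "VULN-PLACEHOLDER-3", "component": "busybox", "status": "affected"},
]


def sbom_is_current(sbom, running_firmware_version):
    """An SBOM whose firmware version differs from what is deployed is stale:
    the article's point is that a new SBOM must accompany every update."""
    return sbom["firmware_version"] == running_firmware_version


def triage(sbom, feed, vex):
    """Return the vulnerabilities that still need action after applying VEX."""
    vex_index = {(v["component"], v["vuln"]): v for v in vex}
    open_items = []
    for comp in sbom["components"]:
        for vuln_id in feed.get((comp["name"], comp["version"]), []):
            stmt = vex_index.get((comp["name"], vuln_id))
            # A vulnerability with no VEX statement is treated as open, not ignored.
            status = stmt["status"] if stmt else "no_vex_statement"
            if status in ("not_affected", "fixed"):
                continue  # supplier has asserted that no action is needed
            open_items.append({"component": comp["name"], "version": comp["version"],
                               "vuln": vuln_id, "status": status})
    return open_items
```

On the sample data, `triage` leaves two open items: one placeholder vulnerability in openssl with no VEX statement and one in busybox that the supplier marked as affected.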