Supply Chain World Volume 10, Issue 2 | Page 16

Trust and transparency
Interestingly, the 2023 Open Source Security and Risk Analysis (OSSRA) report found that 91 percent of audited codebases contained outdated versions of open source components, and that most commercial software is based on open source components. Unless an organization maintains an accurate and up-to-date SBOM, an outdated component can easily be forgotten until it becomes vulnerable to a high-risk exploit.
Where a cheesecake recipe might have a dozen ingredients, modern software can have over 600 components in its ingredient list, even if only a dozen components are explicitly declared in the software recipe. When dealing with such a large number of components, identifying each component by name becomes particularly difficult.
For example, was the version of openssl used in the application downloaded from GitHub, compiled from an official source tree, distributed with an operating system, or embedded in a commercial software package? Each of these versions likely has a different author, or supplier, and could easily have different configurations and features. Uniquely identifying each version is critical when addressing a risk, such as patching a vulnerability.
The good news is that steps are being taken globally and initiatives are already underway to strengthen software security practices through supply chains. Standard SBOM formats such as Software Package Data Exchange (SPDX) and CycloneDX allow organizations to exchange information as well as build trust and transparency in the way software is created, distributed and used. SPDX is also known as ISO/IEC 5962:2021, which makes it an international open standard. While most of the recent attention paid to SBOMs can be traced to President Biden's 2021 Executive Order 14028 on Improving the Nation's Cybersecurity, the reality is that SBOMs have been quite common with regulators like the FDA or IMDRF as a means to validate the software risks present in medical devices. This same use case is maturing within automotive supply chains and isn't just an American phenomenon.
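To make the identification problem from the openssl example concrete, here is an added worked example (not code from the article or from the SPDX or CycloneDX projects). It embeds a small, constructed SBOM in the CycloneDX 1.4 JSON layout, in which three components are all "openssl 3.0.7" but come from different suppliers and so carry different package URLs (purl). The script shows how a name-and-version view collapses them into one entry while the purl keeps them distinct, and then runs the kind of outdated-component check an SCA tool automates against a constructed, purely illustrative minimum-version policy. The purls, supplier names and minimum versions are all assumptions made up for the example.

```python
import json

# Constructed example SBOM in CycloneDX 1.4 JSON layout (assumption: not from any real product).
# Three components share the name "openssl" and the version "3.0.7" but come from
# different suppliers, and therefore have different package URLs (purl).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:github/openssl/openssl@openssl-3.0.7",
     "supplier": {"name": "OpenSSL Project (official source tree)"}},
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:deb/debian/openssl@3.0.7-1?arch=amd64",
     "supplier": {"name": "Debian (operating system package)"}},
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7?vendor=example-vendor",
     "supplier": {"name": "Example Vendor (embedded in commercial package)"}},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11",
     "supplier": {"name": "zlib authors"}}
  ]
}
"""

# Constructed policy (assumption): the oldest version still acceptable per component name.
# A real SCA tool would derive this from advisory data; these values are illustrative only.
MINIMUM_VERSIONS = {"openssl": "3.0.8", "zlib": "1.2.13"}


def parse_version(version):
    """Split a dotted version into a tuple of ints so versions compare numerically.

    Non-numeric suffixes on a segment (e.g. '7a') are dropped; '3.0.7' -> (3, 0, 7).
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json):
    """Return the component list of a CycloneDX JSON document."""
    return json.loads(sbom_json)["components"]


def identities_by_name_version(components):
    """Identity as a 'recipe' lists it: name@version only. Distinct builds collapse."""
    return {f"{c['name']}@{c['version']}" for c in components}


def identities_by_purl(components):
    """Identity as an SBOM should carry it: the purl keeps supplier/distribution distinct."""
    return {c["purl"] for c in components}


def outdated_components(components, minimum_versions):
    """Return (purl, supplier, version, minimum) for every component below policy.

    Reporting the purl, not just the name, tells the responder which of several
    same-named builds actually needs patching.
    """
    findings = []
    for c in components:
        minimum = minimum_versions.get(c["name"])
        if minimum and parse_version(c["version"]) < parse_version(minimum):
            findings.append((c["purl"], c["supplier"]["name"], c["version"], minimum))
    return findings


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM_JSON)
    print("by name@version:", sorted(identities_by_name_version(comps)))
    print("by purl:        ", sorted(identities_by_purl(comps)))
    for purl, supplier, version, minimum in outdated_components(comps, MINIMUM_VERSIONS):
        print(f"OUTDATED {purl} from {supplier}: {version} < {minimum}")
```

Run as-is, the script reports two identities by name and version but four by purl, and flags all four components as below the example policy, each with the supplier that would need to ship the fix. Swapping the embedded JSON for an SBOM produced by a real SCA tool is the only change needed to run the same check on real data, provided the tool populates the purl and supplier fields.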
Software supply chain
Having said that, there is still some way to go in the maturity of the SBOM market. Although standards do encourage the sharing of information, most organizations are struggling to generate accurate and complete SBOMs, and recipients of SBOMs often don't have processes to benefit from the information in an SBOM. It is also easy to fall into the perception that having a list of components is enough, but really, organizations need to actively engage with and manage their software supply chain. One way to overcome these challenges and the complexity of tracking all the components making up an application is to employ an automated software composition analysis (SCA) tool. Automation ensures your SBOM is accurate and up-to-date, taking measures to protect the