Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

Cybersecurity Leaders Scramble to Decipher SBOM Mandate

The U.S. government’s push for mandatory SBOMs has sent cybersecurity buyers and sellers scrambling to understand the ramifications and prepare for downstream side-effects.


The U.S. government’s push for mandatory SBOMs (software bill of materials) to provide software transparency in the face of supply chain attacks has sent cybersecurity buyers and sellers scrambling to understand the ramifications and prepare for downstream side-effects.

Since U.S. president Joe Biden signed the now-infamous cybersecurity executive order in May this year, there have been countless virtual workshops and live panel discussions focused on understanding the basics of SBOMs and how they would help address software supply chain attacks.

At its core, an SBOM is meant to be a definitive record of the supply chain relationships between components used when building a software product. It is a machine-readable document that lists all components in a product, including all open source software, much like the mandatory ingredient list seen on food packaging.

The National Telecommunications and Information Administration (NTIA) has been busy issuing technical documentation, corralling industry feedback, and proposing the use of existing formats for the creation, distribution and enforcement of SBOMs.

This flurry of activity has sent cybersecurity buyers and sellers scrambling to understand the downstream ramifications but, for Sounil Yu, a security veteran with leadership stints at Bank of America, YL Ventures and now JupiterOne, the energy around SBOMs is long overdue.

“I’ve been an advocate for SBOMs for a while. When I was at Bank of America, I was in various [industry financial services] advocating for SBOMs to provide transparency about the software we were buying and using,” Yu said in a recent interview.

Yu pushed the envelope at his new company, JupiterOne, an early-stage startup that sells cybersecurity products. One his first tasks as JupiterOne CISO was to go public with an SBOM as part of the company’s trust and transparency documentation.

“That was actually the first question I asked the team. Do we have an SBOM?  At the time I knew that the SBOM requirement would come out in the executive order so I wanted to be a little bit prepared to know whether or not we could produce an ingredient list of everything in our product,” Yu explained. 

Yu viewed the company’s ability to generate an SBOM as a sign of maturity and he wanted to use the document to provide a baseline level of transparency for buyers and, even more importantly, remediate licensing risks and security vulnerabilities during the development process.

While the SBOM is a new acronym on the agenda list for modern CISO meetings, Yu expects activity around software ingredients list to take center stage as a critical part of the open source governance process.

He sees SBOMs not as something futuristic, but more as “completion of the past” where the collection and maintenance of a very thorough inventory of our software assets suddenly becomes realistic.

“Unfortunately we don’t really have that today, at least not at the level of granularity that helps us understand whether or not we’re exposed to a particular vulnerability [in a third-party] component.  When we discover, again, that OpenSS or some open-source package might be vulnerable, we really don’t know our exposure because we don’t have an inventory.”

“This [SBOMs] can help bring a level of completeness to the inventory process,” he said, arguing that security vendors will find multiple side-benefits around software licenses, patching open-source components and dependencies, and maintaining a modern technology stack. 

The JupiterOne security chief urged his CISO peers and entrepreneurs to actively participate in the industry dialog around supply chain security issues and stay current with new standards and formats that will emerge from ongoing consultations.

Robert M. Lee, co-founder and chief executive at industrial cybersecurity vendor Dragos, agrees that SBOMs could provide major benefits to both buyers and sellers but cautioned that it will be “extraordinarily hard to operationalize” once SBOMs identify weaknesses deep in the chain.

During a recent fireside chat at SecurityWeek’s APAC ICS Cyber Security Conference, Lee said he expects SBOMs to help provide visibility to security risk exposure from software but due to the nature of threats in ICS environments, he doesn’t expect it to move the needle on vulnerability management programs.

Lee also sees value for SBOMs in the procurement process where an outdated library or software component would be flagged early in the purchasing process. He also expects the SBOM mandate to help clean up software licensing processes among both buyers and sellers. 

The U.S. Commerce Department’s NTIA has been out front advocating for SBOMs with a wide range of new documentation including:

• SBOM at a glance – an introduction to the practice of SBOM, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain.

• A detailed FAQ document that outlines information, benefits, and commonly asked questions.

• A two-page overview provides high-level information on SBOM’s background and eco-wide solution, the NTIA process, and an example of an SBOM.

• A series of SBOM Explainer Videos on YouTube.

Separately, the open-source Linux Foundation has released a batch of new industry research, training, and tools aimed at accelerating the use of a Software Bill of Materials (SBOM) in secure software development.  These include documentation on SPDX, a standard for SBOM requirements and data sharing.

The Linux Foundation also published a new SBOM survey highlighting the current state of industry practices to establish benchmarks and best practices; a new SBOM training course on Generating a Software Bill of Materials to accelerate adoption; and SBOM tools to enable software development teams to create SBOMs for their applications

The free online training course on Generating a Software Bill of Materials (LFC192) promises foundational knowledge about the options and the tools available for generating SBOMs and how to use them to improve the ability to respond to cybersecurity needs. 

The open-source group also released SPDX SBOM generator, a command-line tool used to generate SBOM information, including components, licenses, copyrights, and security references of applications.   The tool uses the SPDX v2.2 specification and aligns with the current known minimum elements from NTIA. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...