Presentation by Anita D’Amico and Ken Zalevsky at BSidesNYC Conference
SBOM Lifecycle Management: Moving Beyond Compliance
An SBOM (Software Bill of Materials) isn’t just a checklist item; it’s a strategic asset. Yet, many organizations struggle to unlock its full potential, treating SBOMs as static documents rather than dynamic tools. This was the focal point of a compelling session at BSidesNYC, where Ken Zalevsky, Vigilant Ops CEO, and Anita D’Amico, Cotopaxi Consulting President, shed light on best practices, regulatory mandates, and the emerging discipline of SBOM Lifecycle Management. Here’s how organizations can go beyond compliance and harness the true power of SBOMs.
What is an SBOM? At its core, an SBOM (Software Bill of Materials) is a detailed inventory of the software components within a system. At minimum it records, for each component, the supplier name, the component name, and the version (the NTIA minimum elements also call for unique identifiers such as package URLs, dependency relationships, the SBOM author, and a timestamp).
SBOMs are typically written in a standard format such as SPDX or CycloneDX, so producers can share them with consumers in a machine-readable way. But here’s the catch: the vulnerabilities affecting those components are not part of the minimum SBOM data. An SBOM tells you what you are running, not what is wrong with it, so the real work begins after the SBOM is generated: matching each component against vulnerability data and deciding what to do about the matches.
The Problem with the ‘Check-the-Box’ Mentality
Organizations often generate SBOMs to meet regulatory requirements, whether the FDA’s requirement that premarket submissions for cyber devices include an SBOM or the federal software-supply-chain measures that followed Executive Order 14028. The problem arises when these SBOMs are treated as mere compliance documents and nothing further is done with them. Handing off an SBOM with no follow-up actions wastes the opportunity to find and manage the risk the inventory was meant to expose.
As Ken Zalevsky pointed out, simply passing along an SBOM doesn’t help the recipient. Organizations must take deliberate and proactive actions to identify and address vulnerabilities, curate third-party risks, and integrate SBOM data into their broader cybersecurity strategies to gain real value.
Emerging Best Practices
- Triaging and Curating Vulnerabilities: Organizations must go beyond merely listing the vulnerabilities reported against third-party components. Triaging, that is, prioritizing those vulnerabilities by severity, exploitability, and whether the vulnerable code is actually reachable in the product, and requiring vendors to propose mitigations are the steps that turn a list into a work plan.
- Linking SBOMs with Hardware Assets: In industries like medical devices, aligning each SBOM with the hardware it runs on is essential. A vulnerable library matters differently on a network-connected infusion pump than on an isolated workstation, and only a combined software-plus-hardware view supports that kind of risk judgment.
- Synthesizing Guidance from Key Agencies: Organizations are drawing on guidance from CISA, NIST, and NSA to establish practices for SBOM generation, distribution, and consumption, and they are normalizing their SBOMs so they remain usable as those standards evolve.
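The two points above, that the minimum SBOM elements carry no vulnerability data and that matching must be followed by triage, are easiest to see in code. The following is an added example, not code from the presentation or from Vigilant Ops: it parses a small CycloneDX-style JSON document, checks for a missing minimum element (supplier), joins each component against a vulnerability list by package URL and version, and ranks the matches with known-exploited status first and severity second. The SBOM document, the vulnerability records (with placeholder `EXAMPLE-` identifiers), the package names, and the "known_exploited" flag are all constructed for illustration; a real pipeline would pull them from a vulnerability feed and an exploitation catalog.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CycloneDX-style SBOM for a hypothetical product. The third
# component deliberately omits the supplier so the minimum-element check fires.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme-pump-ui", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "2.3.5",
     "supplier": {"name": "Acme OSS Project"}, "purl": "pkg:npm/acme-json-parser@2.3.5"},
    {"type": "library", "name": "acme-tls", "version": "1.9.0",
     "supplier": {"name": "Acme Crypto Project"}, "purl": "pkg:generic/acme-tls@1.9.0"},
    {"type": "library", "name": "acme-logger", "version": "3.1.2",
     "purl": "pkg:maven/com.acme/acme-logger@3.1.2"}
  ]
}
"""

# Constructed vulnerability records. "purl_type_name" is the package URL with the
# version stripped; "fixed_in" is the first non-vulnerable version.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "purl_type_name": "pkg:npm/acme-json-parser",
     "fixed_in": "2.4.1", "severity": "high", "known_exploited": True},
    {"id": "EXAMPLE-0002", "purl_type_name": "pkg:generic/acme-tls",
     "fixed_in": "1.9.0", "severity": "critical", "known_exploited": False},
    {"id": "EXAMPLE-0003", "purl_type_name": "pkg:maven/com.acme/acme-logger",
     "fixed_in": "3.2.0", "severity": "medium", "known_exploited": False},
    {"id": "EXAMPLE-0004", "purl_type_name": "pkg:npm/acme-json-parser",
     "fixed_in": "2.0.0", "severity": "low", "known_exploited": False},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Component:
    name: str
    version: str
    purl: str
    supplier: Optional[str]


@dataclass
class Finding:
    vuln_id: str
    component: Component
    severity: str
    known_exploited: bool
    fixed_in: str

    def priority(self) -> tuple:
        # Sort key: known-exploited first, then higher severity, then name for stable output.
        return (not self.known_exploited, -SEVERITY_RANK[self.severity], self.component.name)


def parse_version(v: str) -> tuple:
    # Assumption: dotted numeric versions only. Anything else is rejected, not guessed.
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def load_components(sbom_text: str) -> list:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        supplier = (c.get("supplier") or {}).get("name")
        comps.append(Component(c["name"], c["version"], c["purl"], supplier))
    return comps


def missing_minimum_elements(components: list) -> list:
    # Supplier is one of the minimum elements; flag components that lack it.
    return [c.name for c in components if not c.supplier]


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0]


def match_vulnerabilities(components: list, feed: list) -> list:
    findings = []
    for c in components:
        for v in feed:
            if purl_without_version(c.purl) != v["purl_type_name"]:
                continue
            if parse_version(c.version) < parse_version(v["fixed_in"]):
                findings.append(Finding(v["id"], c, v["severity"], v["known_exploited"], v["fixed_in"]))
    return findings


def triage(findings: list) -> list:
    return sorted(findings, key=Finding.priority)


def run(sbom_text: str = SBOM_JSON, feed: list = VULN_FEED) -> dict:
    comps = load_components(sbom_text)
    ranked = triage(match_vulnerabilities(comps, feed))
    return {
        "missing_supplier": missing_minimum_elements(comps),
        "findings": [(f.vuln_id, f.component.name, f.component.version, f.fixed_in) for f in ranked],
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

Two details carry the lesson. `acme-tls` at 1.9.0 matches the record whose fix is 1.9.0 and is correctly left out, and the low-severity record fixed in 2.0.0 does not fire against 2.3.5, so the output is the two findings that actually need work, ordered with the known-exploited one first. The supplier check shows why curating the SBOM itself matters: a component with no supplier has nobody to ask for a mitigation.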
SBOM Lifecycle Management
The next frontier, SBOM Lifecycle Management (also known as SBOM Operations), is an emerging market. It encompasses all the actions taken after an SBOM is generated to derive value beyond compliance. Key stakeholders in this process include:
- Producers: Those creating the SBOM.
- Distributors: Entities responsible for sharing the SBOM.
- Consumers: Organizations using the SBOM to evaluate and mitigate risks.
Actions in SBOM Lifecycle Management include:
- Identifying and addressing vulnerabilities
- Automating updates to reflect evolving software and hardware configurations
- Aligning with industry and regulatory standards
Regulatory Drivers Fueling Adoption
From the FDA’s guidance on medical devices to Executive Order 14028, regulatory mandates are driving SBOM adoption across industries. These regulations underscore the need for transparency and proactive vulnerability management, making SBOM Lifecycle Management a critical capability for organizations.
Looking Ahead
As SBOM Lifecycle Management gains traction, organizations must shift their mindset from “generate and forget” to “generate, act, and improve.” By doing so, they can:
- Enhance supply chain transparency
- Strengthen cybersecurity postures
- Meet compliance requirements with confidence
Vigilant Ops is here to help. Our SBOM Lifecycle Management platform empowers organizations to manage SBOMs dynamically, ensuring they deliver value beyond compliance.
Ready to take your SBOM strategy to the next level? Contact us today to learn how we can help you implement best practices for SBOM Lifecycle Management.