Last week, Vigilant Ops had the pleasure of presenting at BSides NYC 2024, where our CEO, Ken Zalevsky, and cybersecurity expert Anita D’Amico delivered an insightful presentation on the importance of Software Bill of Materials (SBOM) generation and management, entitled “The Life of an SBOM: Where does it go and what do people do to it and with it?” In today’s world of regulatory requirements and transparency demands, SBOMs are quickly becoming a critical element for ensuring security across software supply chains, particularly for industries like healthcare and government.
During their session, Ken and Anita walked the audience through key drivers for SBOM adoption and how managing SBOMs throughout their lifecycle can significantly improve software security and compliance.
Why SBOMs Are Essential for Cybersecurity
With an increasing number of cyber regulations and standards being introduced across industries, SBOMs are no longer a “nice-to-have” but a requirement. Some of the key motivations for SBOM adoption discussed during the session include:
- Executive Order 14028: This landmark order mandates that all software acquired by the U.S. government, with the exception of open-source software, must have an accompanying SBOM. This ensures that the federal government has transparency into the components of all software products.
- DHS CISA Attestation: The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) mandates adherence to the Secure Software Development Framework (SSDF), which emphasizes the need for SBOMs to enhance transparency and security.
- FDA Guidelines for Medical Devices: As of October 2023, medical device manufacturers must comply with new cybersecurity requirements to secure FDA approval. SBOMs are central to these guidelines, ensuring that the ingredients of every medical device are fully documented for safety and security.
- Emerging U.S. Hospital Regulations: As hospitals continue to digitize and adopt new technologies, new SBOM regulations are expected to impact how hospitals manage the security of their software systems and protect patient data.
What Exactly Is an SBOM?
An SBOM acts as a comprehensive inventory of all ingredients in a piece of software or device, similar to a nutritional label on food. The SBOM is usually generated by a software development team as part of the software’s creation, either as a Source SBOM or a Build SBOM, and can also be generated after deployment, known as a Deployed SBOM.
Ken and Anita emphasized that SBOMs are typically delivered in standardized formats such as SPDX, CycloneDX, or SWID, enabling consistency across the industry. These SBOMs provide a critical view into the components of software, which is essential for detecting vulnerabilities, ensuring compliance, and supporting secure software procurement processes.
Managing SBOMs Across Their Lifecycle
SBOM lifecycle management, or SBOM Operations, involves the actions taken by software producers, distributors, and consumers after the initial SBOM generation. This dynamic process is necessary to enhance software security, supply chain transparency, regulatory compliance, and license compliance throughout the software’s lifecycle—from production to release, deployment, and maintenance.
Anita and Ken both agreed that it is a complex, multi-player ecosystem. They showed how organizations need to manage SBOMs across the full span of their software lifecycle and ensure that all key stakeholders, including software release engineers, AppSec teams, procurement departments, and incident responders, are involved.
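To make the lifecycle concrete, here is an added example (not from the presentation or from Vigilant Ops' products) that reads two minimal CycloneDX JSON SBOMs, a Build SBOM and a Deployed SBOM, reports the drift between them, and flags deployed components that appear in an advisory list. The two SBOM documents, the component names and versions, and the advisory entries are all constructed for illustration.

```python
import json

# Constructed minimal CycloneDX 1.5 JSON documents: a Build SBOM produced at
# build time and a Deployed SBOM captured from the running system. Names,
# versions and purls are illustrative placeholders, not real packages.
BUILD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "examplelib-net", "version": "2.4.1",
         "purl": "pkg:generic/examplelib-net@2.4.1"},
        {"type": "library", "name": "examplelib-json", "version": "1.0.3",
         "purl": "pkg:generic/examplelib-json@1.0.3"},
    ],
})
DEPLOYED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "examplelib-net", "version": "2.3.0",
         "purl": "pkg:generic/examplelib-net@2.3.0"},
        {"type": "library", "name": "examplelib-json", "version": "1.0.3",
         "purl": "pkg:generic/examplelib-json@1.0.3"},
        {"type": "library", "name": "examplelib-debug", "version": "0.9.0",
         "purl": "pkg:generic/examplelib-debug@0.9.0"},
    ],
})
# Constructed advisory feed: component name -> set of affected versions.
ADVISORIES = {"examplelib-net": {"2.3.0"}}

def load_components(sbom_json):
    """Return {name: version} for a CycloneDX JSON SBOM; reject other formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c["version"] for c in doc.get("components", [])}

def drift(build_json, deployed_json):
    """Compare Build vs Deployed SBOMs: added, removed and version-changed components."""
    b, d = load_components(build_json), load_components(deployed_json)
    return {
        "added": sorted(set(d) - set(b)),
        "removed": sorted(set(b) - set(d)),
        "changed": {n: (b[n], d[n]) for n in b if n in d and b[n] != d[n]},
    }

def affected(sbom_json, advisories):
    """Components whose recorded version appears in the advisory list."""
    comps = load_components(sbom_json)
    return sorted(n for n, v in comps.items() if v in advisories.get(n, ()))

if __name__ == "__main__":
    print(json.dumps(drift(BUILD_SBOM, DEPLOYED_SBOM), indent=2))
    print("affected:", affected(DEPLOYED_SBOM, ADVISORIES))
```

The drift report is what an AppSec team or incident responder needs when the deployed system no longer matches what the release engineers built; the same loader would feed a real advisory source in place of the constructed one.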
SBOM Management Is a Journey
SBOM management is a journey, not a one-size-fits-all solution. Each organization is at a different stage based on its needs and the industries it serves. Whether it is a government contractor needing SBOMs to comply with EO 14028, a healthcare provider safeguarding medical devices under FDA guidelines, or a software distributor improving transparency across its supply chain, SBOM management must be flexible and adaptable.
Ken and Anita highlighted that understanding where your organization is on this journey is key to maximizing the value of SBOMs and ensuring a secure, compliant future.
Looking Forward
The presentation at BSides NYC sparked engaging discussions about the future of SBOMs and their role in mitigating cybersecurity risks. As SBOM adoption continues to grow, Vigilant Ops is committed to helping organizations navigate the evolving landscape of SBOM lifecycle management to enhance security, transparency, and compliance.
To download Ken and Anita’s full presentation from BSidesNYC, please fill out the form below.