
Transparency in the Software Supply Chain: Making SBOM a Reality

Conference: Black Hat USA 2019

2019-08-07

Summary

The presentation argues that transparency in software supply chain risk management depends on a standardized, machine-readable way to identify software components and the relationships between them.
  • Transparency in supply chain risk management lets businesses make informed decisions about the software components they deploy.
  • A standardized approach to component identification is needed both for transparency and to make the process automatable.
  • The NTIA SBOM program (the Department of Commerce multistakeholder process described in the abstract) aims to harmonize existing efforts and foster innovation rather than invent a new standard from scratch.
  • The program is organized into four working groups, each focused on a different aspect of the problem.
  • The main technical focus is identifying software components and their relationships recursively: each component's own components are listed in turn, so a consumer can resolve a product's full transitive dependency tree rather than only its direct dependencies.
  • The expected benefits are improved security (knowing which products carry a given vulnerable component), efficiency, and cost savings.
  • Real-world examples of companies asking vendors for this information show the growing demand for supply chain transparency.
The speaker shared two stories to illustrate this demand. One concerned a large bank that asks vendors for component information in order to reduce costs; the other concerned the Mayo Clinic, which asks for the same information so it can make informed decisions about the software it buys. Both show that the demand for transparency is coming from buyers, not only from regulators.

Abstract

We can't buy a piece of candy without knowing its ingredients, or design and sell a piece of machinery without accounting for each nut and bolt. Yet, even as supply chain uncertainty has emerged as a top information security risk, there is limited visibility into the third party components in the software running on our networks, and little market incentive for software suppliers to actually track their third party dependencies. A "software bill of materials," or SBOM, can promote transparency about what code we're actually using across the entire software supply chain. Last summer, the US Department of Commerce launched a new "multistakeholder initiative" and convened experts to find consensus on the viability of this idea, and on how we can make it a reality without government regulation. Participants from a range of sectors have spent the last year exploring this idea and its application in domains ranging from open source development to commercial DevOps to embedded medical devices. This briefing will announce the initial results of that open, international, stakeholder-driven process. Participants found a shared vision of what an SBOM looks like, including sketching out a minimum viable product and optional extensions for different use cases. They conducted research across a range of sectors to identify existing practices and how different parts of the supply chain could be improved with the availability of SBOM data. Stakeholders also identified two existing and interoperable data formats (SWID and SPDX) that can be used to convey the SBOM data. A set of stakeholders even launched and documented a proof-of-concept exercise. We have collectively started to identify tools and formal processes to enable automation. Moving forward, we will need even greater participation and community buy-in to promote awareness and adoption, as well as to identify further challenges that we can tackle together.
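The summary's point about identifying components and their relationships recursively, and the abstract's mention of SPDX as a carrier format, in working code. This is an added example, not code from the talk or from the NTIA process: it loads a minimal SPDX-2.2-style JSON document, walks DEPENDS_ON relationships transitively (terminating on diamonds and cycles), answers the buyer's question "does this product contain component X anywhere in its tree?", and runs the sanity checks a consumer would want before trusting an SBOM. The field names follow the SPDX 2.2 JSON schema; the sample document, its package names and versions, and the three-field minimum check are constructed here for illustration and are not the talk's own minimum viable element list.

```python
"""Minimal SPDX-style SBOM walker: example code added to this page, not the
NTIA process's tooling. Package data below is constructed for illustration."""
import json
from typing import Dict, List, Set, Tuple

# Assumed minimum per-package fields for this example (not the talk's list).
REQUIRED_FIELDS = ("name", "versionInfo", "supplier")


def _pkg(spdx_id: str, name: str, version: str, supplier: str = "") -> dict:
    pkg = {"SPDXID": spdx_id, "name": name, "versionInfo": version}
    if supplier:
        pkg["supplier"] = supplier
    return pkg


def _rel(src: str, dst: str, kind: str = "DEPENDS_ON") -> dict:
    return {"spdxElementId": src, "relatedSpdxElement": dst, "relationshipType": kind}


# Constructed sample: one product with a diamond (zlib reached twice), a cycle
# (libbar <-> mystery), a package missing its supplier, and an orphan package
# that no relationship connects to the product.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-firmware-sbom",
    "packages": [
        _pkg("SPDXRef-app", "example-app", "1.4.0", "Organization: Example Corp"),
        _pkg("SPDXRef-libfoo", "libfoo", "2.1.3", "Organization: Foo Project"),
        _pkg("SPDXRef-libbar", "libbar", "0.9.0", "Organization: Bar Project"),
        _pkg("SPDXRef-zlib", "zlib", "1.2.11", "Organization: zlib"),
        _pkg("SPDXRef-mystery", "mystery", "0.1"),            # no supplier
        _pkg("SPDXRef-unused", "unused-lib", "3.0", "Organization: Nobody"),
    ],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "SPDXRef-app", "DESCRIBES"),
        _rel("SPDXRef-app", "SPDXRef-libfoo"),
        _rel("SPDXRef-app", "SPDXRef-libbar"),
        _rel("SPDXRef-libfoo", "SPDXRef-zlib"),
        _rel("SPDXRef-libbar", "SPDXRef-zlib"),
        _rel("SPDXRef-libbar", "SPDXRef-mystery"),
        _rel("SPDXRef-mystery", "SPDXRef-libbar"),            # cycle
    ],
})


def load_sbom(text: str):
    """Index packages by SPDXID, build the DEPENDS_ON adjacency list, find the
    root products the document DESCRIBES, and record references to unknown IDs."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    deps: Dict[str, List[str]] = {pid: [] for pid in packages}
    roots: List[str] = []
    dangling: List[Tuple[str, str]] = []
    for r in doc.get("relationships", []):
        src, dst, kind = r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]
        if kind == "DESCRIBES" and src == doc.get("SPDXID") and dst in packages:
            roots.append(dst)
        elif kind == "DEPENDS_ON" and src in packages and dst in packages:
            deps[src].append(dst)
        else:
            dangling.append((src, dst))
    return packages, deps, roots, dangling


def transitive_deps(deps: Dict[str, List[str]], start: str) -> List[str]:
    """Recursive depth-first walk of DEPENDS_ON edges. The visited set makes a
    diamond count once and a cycle terminate instead of recursing forever."""
    seen: Set[str] = {start}
    order: List[str] = []

    def walk(pid: str) -> None:
        for child in deps.get(pid, []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                walk(child)

    walk(start)
    return order


def products_containing(text: str, component: str) -> List[str]:
    """The buyer's question: which described products include `component`
    anywhere in their transitive dependency tree?"""
    packages, deps, roots, _ = load_sbom(text)
    return [packages[r]["name"] for r in roots
            if any(packages[d]["name"] == component for d in transitive_deps(deps, r))]


def audit(text: str) -> dict:
    """Checks a consumer would run before trusting an SBOM: missing minimum
    fields, relationships pointing at unknown IDs, and packages listed but
    unreachable from any described product."""
    packages, deps, roots, dangling = load_sbom(text)
    incomplete: Dict[str, List[str]] = {}
    for pid, p in packages.items():
        missing = [f for f in REQUIRED_FIELDS if not p.get(f)]
        if missing:
            incomplete[pid] = missing
    reachable: Set[str] = set(roots)
    for r in roots:
        reachable.update(transitive_deps(deps, r))
    return {"roots": roots, "incomplete": incomplete, "dangling": dangling,
            "orphans": sorted(set(packages) - reachable)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SBOM_JSON), indent=2))
    print("products containing zlib:", products_containing(SAMPLE_SBOM_JSON, "zlib"))
```

The recursion is what turns a flat ingredient list into something a buyer can act on: the sample product never names zlib directly, yet `products_containing` reports it because both libfoo and libbar pull it in. The audit output is the kind of thing the talk's "minimum viable" discussion is about in practice: a package with no supplier, or one that no relationship connects to the product, is exactly the gap a vendor's SBOM tooling needs to flag before the document is handed to a customer.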
