The full story of Software Bill of Materials (SBoM)
Why should DevOps practitioners be interested in Software Bill of Materials (SBoM)? Firstly, because DevOps is responsible for “producing things” (binaries and executables), it has immediate access, at the moment a binary or executable is created, to the data needed to construct an SBoM for it. This makes the SBoM much easier and faster to construct and its data more consistent. Secondly, the use of an SBoM is not limited to searching for vulnerabilities. It has many other use cases that are very useful during the development and maintenance of a product. So DevOps will not only be “producers” of SBoMs, but can also be very active “consumers” of SBoMs in their daily work.
The American NTIA has worked hard to make SBoMs a legal requirement for delivering software to the American government, and other sectors may follow in the future. The NTIA has been very focused on cybersecurity and sees an SBoM as “a list of ingredients used for vulnerability scans”. Even though this is an important use case, an SBoM is much more than a list of ingredients, and the range of use cases for an SBoM is much wider than a simple scan for vulnerabilities. The concept of an SBoM also has a much longer and more varied history than recent security incidents suggest.
In this talk, we present and motivate a number of the 10 overarching use case categories (of which “vulnerability scan” is only one) that we have distilled from an extensive literature study and numerous interviews with practitioners. Furthermore, we sketch the requirements for implementing a selected set of these use case categories. Finally, we list a number of general, cross-cutting considerations that you should take into account if you want the operation of SBoMs to be smooth and powerful.
With this knowledge, DevOps practitioners will be able to utilize and exploit the concept of SBoM to its full potential and provide better service and support for development teams and organizations.
- Lars is an associate professor at Lund University. His main research interest is software configuration management and how it can be used to support various software development processes in different contexts, and he teaches an academic course on software configuration management.