Understanding SBOMs: A snapshot of your software security

By Tim Kenney
Image by macrovector via Freepik

December 7, 2022

In May 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The order directs government agencies to make sweeping changes that ratchet up software security policy at the Federal level.

The order set into motion a flurry of activity across government agencies, as some of the nation’s top cybersecurity experts work to bring the technological infrastructure underpinning our civic lives into alignment with these new regulations.

In the midst of these conversations about securing the software supply chain, one term consistently rises to the forefront: SBOM. 

SBOM stands for Software Bill of Materials. It’s an accounting of all the components in a software application. More precisely (per the NTIA), an SBOM is a “complete, formally structured list of components, libraries and modules that are required to build a given piece of software and the supply chain relationships between them.”

As a result of the Executive Order, we can expect that all developers and software suppliers doing business with the federal government will be required to provide an SBOM. The timeline for compliance has not yet been established, but the policy is moving quickly, and we are likely to see these regulations in place within the year. And it’s not just the feds who should be thinking about SBOMs; any enterprise owner looking to secure their software supply chain should be familiar with SBOMs and require them from their software vendors.

Today, more than 90% of all new software is built using open-source components. The upside of open-source code is that the opportunities are limitless: developers have unprecedented freedom and access to create new applications from existing building blocks. The downside is that, in many cases, those components carry vulnerabilities and deeply embedded licensing restrictions that jeopardize the integrity of the package.

An SBOM solves that by providing transparency.

What’s in an SBOM?

The NTIA defines the minimum elements to be included in an SBOM.

●     Supplier Name: The name of an entity that creates, defines, and identifies components.

●     Component Name: Designation assigned to a unit of software defined by the original supplier.

●     Version of the Component: Identifier used by the supplier to specify a change in software from a previously identified version.

●     Other Unique Identifiers: Other identifiers that are used to identify a component or serve as a look-up key for relevant databases.

●     Dependency Relationship: Characterizing the relationship that an upstream component X is included in software Y.

●     Author of SBOM Data: The name of the entity that creates the SBOM data for this component.

●     Timestamp: Record of the date and time of the SBOM data assembly.

License information (and license text) is also often included. 

There are a number of tools on the market for generating and publishing SBOMs. It’s important to remember, however, that an SBOM is just a snapshot in time. To truly secure your software supply chain, you must continuously check the components it lists for newly disclosed vulnerabilities. Yesterday’s SBOM is no more useful than the Covid test you took last week. New risks are always emerging, and scanning must be a constant, ongoing process.
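To make the minimum elements listed above concrete, and to show why the “snapshot in time” point matters, here is an added Python example. It is not code from the article, from the NTIA, or from SOOS. It builds a small SBOM that records the seven NTIA elements, checks that none of them is missing, and then re-scans the same unchanged document against a vulnerability feed on two different days. The field names and JSON layout are this example’s own and follow no real SPDX or CycloneDX schema; the package identifiers (purl-style strings), the supplier names and the advisory id are constructed placeholders.

```python
"""Build a minimal NTIA-style SBOM, validate it, and re-scan it over time.

Added example. The document layout, field names, package identifiers and the
advisory id are constructed for illustration; they are not a real SBOM schema
and not real advisories.
"""
from datetime import datetime, timezone

# Document-level elements: Author of SBOM Data, Timestamp, plus the components.
DOCUMENT_FIELDS = ("author", "timestamp", "components")
# Per-component elements: Supplier Name, Component Name, Version, Other Unique
# Identifiers. Dependency Relationship is the "dependencies" list.
COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers")


def component(supplier, name, version, identifiers, dependencies=()):
    """One SBOM entry; `identifiers` are look-up keys such as a purl."""
    return {
        "supplier": supplier,
        "name": name,
        "version": version,
        "identifiers": list(identifiers),
        # Identifiers of upstream components that this component includes.
        "dependencies": list(dependencies),
    }


def build_sbom(author, components, timestamp=None):
    """Assemble the document; the timestamp records when the snapshot was taken."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    return {"author": author, "timestamp": ts, "components": list(components)}


def validate_sbom(sbom):
    """Return a list of problems; an empty list means every minimum element is present."""
    problems = []
    for field in DOCUMENT_FIELDS:
        if not sbom.get(field):
            problems.append(f"document missing '{field}'")
    components = sbom.get("components", [])
    # Every identifier that appears anywhere in the document.
    known = {ident for comp in components for ident in comp.get("identifiers", [])}
    for comp in components:
        label = comp.get("name", "<unnamed>")
        for field in COMPONENT_FIELDS:
            if not comp.get(field):
                problems.append(f"component {label} missing '{field}'")
        # A dependency relationship must point at a component the SBOM actually describes.
        for dep in comp.get("dependencies", []):
            if dep not in known:
                problems.append(f"component {label} depends on unknown '{dep}'")
    return problems


def find_vulnerable(sbom, advisories):
    """Match SBOM components against a feed of (advisory id, affected identifier) pairs.

    The SBOM is the same object on every call; only the feed changes between
    scans, which is why a scan result from yesterday says nothing about today.
    """
    affected = {}
    for advisory_id, ident in advisories:
        affected.setdefault(ident, []).append(advisory_id)
    hits = []
    for comp in sbom["components"]:
        for ident in comp["identifiers"]:
            for advisory_id in affected.get(ident, []):
                hits.append((comp["name"], comp["version"], advisory_id))
    return hits


# Constructed sample: an application that bundles one open-source library.
SAMPLE_SBOM = build_sbom(
    author="Example Corp security team",            # Author of SBOM Data
    timestamp="2022-12-07T00:00:00+00:00",          # Timestamp
    components=[
        component("Example Corp", "orderservice", "2.3.0",
                  ["pkg:generic/example/orderservice@2.3.0"],
                  dependencies=["pkg:npm/leftpad-example@1.0.0"]),
        component("leftpad-example maintainers", "leftpad-example", "1.0.0",
                  ["pkg:npm/leftpad-example@1.0.0"]),
    ],
)

# Constructed sample with gaps: no author, no supplier, no identifier,
# and a dependency on something the document never describes.
BROKEN_SBOM = {
    "author": "",
    "timestamp": "2022-12-07T00:00:00+00:00",
    "components": [{"name": "orderservice", "version": "2.3.0",
                    "identifiers": [], "dependencies": ["pkg:npm/missing@1.0.0"]}],
}

# Constructed feeds: nothing known on day one, one advisory published on day two.
FEED_DAY_ONE = []
FEED_DAY_TWO = [("EXAMPLE-ADV-0001", "pkg:npm/leftpad-example@1.0.0")]

if __name__ == "__main__":
    print("sample problems:", validate_sbom(SAMPLE_SBOM))
    print("broken problems:", validate_sbom(BROKEN_SBOM))
    print("day one:", find_vulnerable(SAMPLE_SBOM, FEED_DAY_ONE))
    print("day two:", find_vulnerable(SAMPLE_SBOM, FEED_DAY_TWO))
```

The same `SAMPLE_SBOM` scans clean on day one and reports a hit on day two; the document never changed, the world around it did. The validation step is the part a buyer can run on a vendor-supplied SBOM before trusting it: a component with no unique identifier cannot be looked up in any vulnerability database, and a dependency on an undeclared component means the inventory is incomplete.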


Tim Kenney is on a mission to democratize software security. As President and COO of SOOS, Tim and his team are dedicated to ensuring all developers have the tools they need to identify and remediate code vulnerabilities, making software safer for everyone.
