How to use Software Bill Of Materials (SBOM) to protect the supply chain from cyberattacks?

Hello,

How can an organization use SBOM to prevent some supply chain cyberattacks? Can you share any practical examples?

What tools can be used for this purpose?

Evgeny Belenky

Director of Community at PeerSpot (formerly IT Central Station)

2 Answers

Last answered Jan 17, 2022

ZvikaRonen

Chief Technology Officer at FOSSAware

Real User

Top 10

Jan 17, 2022

It depends, if the organization creates its software, then SBOM shell be used to monitor new vulnerabilities in order to fix on time and alert the customers.

If the organization is only using the software (supply chain) they should ask, for their critical software, the vendor to provide SBOM in a format that allows self-check of vulnerabilities (zero trust). For non-critical software, the company should address the responsibility in the software procurement agreement. Who is responsible to monitor vulnerabilities, alerting/Fix/mitigation SLA, etc...
A recommended free tool for SBOM tracking is Dependency-Track which can handle SBOM files in the CyclonDX format. There are other formats like SPDX and other tools (some open source and some - commercial).

The most important thing to remember is that SBOM builds trust between SW vendors and consumers. All sides should be alert to a new 0-day that becomes a known vulnerability and protect their customers.

Search for a product comparison in Supply Chain Management Software