Sounil Yu, CISO at JupiterOne, discusses software bills of materials (SBOMs) and the need for a shift in thinking about securing software supply chains.
In the wake of the SolarWinds compromise disclosed in December 2020, President Biden issued Executive Order 14028 in May 2021, which, among other measures, requires vendors selling software to the federal government to provide a software bill of materials (SBOM), with the aim of increasing software transparency and countering supply-chain attacks.
For reference, an SBOM is a formal, machine-readable inventory of the components used to build a software product, including open-source libraries, and the supply-chain relationships between them. As a security professional, I am encouraged by the SBOM mandate because it is a step towards providing greater transparency for the software that all organizations must buy and use.
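To make the definition concrete, the following added example (not code from the original article or from JupiterOne) parses a small CycloneDX-style JSON SBOM and audits each component for the attributes a buyer needs in order to act on it: a version to match against advisories, a package URL to identify the upstream project, and a hash to verify the shipped artifact. The SBOM document, its component names and its hash values are constructed for illustration; `load_sbom`, `list_components` and `audit_components` are names chosen here, not part of any SBOM tool.

```python
"""Parse a CycloneDX-style SBOM and report which components are fully described.

Added example, not from the original article. The document below is constructed;
the component names and the hash value are made up for illustration.
"""
import json

# Constructed sample: one complete component, one without a hash, and one that
# gives only a name, which is all too common in real SBOMs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"type": "application", "name": "example-app", "version": "2.3.0"}
    },
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},   # constructed hash
        {"type": "library", "name": "libfoo", "version": "0.9.1",
         "purl": "pkg:generic/libfoo@0.9.1"},
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Attributes without which a component entry cannot be matched to advisories
# or checked against the artifact actually delivered.
REQUIRED_FIELDS = ("name", "version")


def load_sbom(text):
    """Parse the JSON text and confirm it claims to be a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def list_components(doc):
    """Return (name, version) pairs for every component in the SBOM."""
    return [(c.get("name"), c.get("version")) for c in doc.get("components", [])]


def audit_components(doc):
    """Map each incompletely described component name to its missing attributes.

    Only components with at least one gap appear in the result, so an empty
    dict means every component is versioned, identified by purl and hashed.
    """
    findings = {}
    for comp in doc.get("components", []):
        missing = [field for field in REQUIRED_FIELDS if not comp.get(field)]
        if not comp.get("purl"):
            missing.append("purl")
        if not comp.get("hashes"):
            missing.append("hashes")
        if missing:
            findings[comp.get("name", "<unnamed>")] = missing
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for name, version in list_components(sbom):
        print(f"{name} {version or '(no version)'}")
    for name, gaps in audit_components(sbom).items():
        print(f"incomplete: {name} is missing {', '.join(gaps)}")
```

Run against a vendor-supplied SBOM, the audit step is the quickest way to see whether the document actually delivers the transparency the mandate promises or merely lists names: an entry such as `mystery-lib` above cannot be correlated with any advisory, and an entry without hashes cannot be checked against the binary that was shipped.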
Since the executive order, software makers and buyers have been trying to make sense of how SBOMs support supply-chain security. Undoubtedly, many see it as a headache, but I believe it is a sensible safeguard. Part of our problem around supply chains is that we trust in them too much. We have learned the benefits of a zero-trust security model and applied this concept to our networks and endpoints, but we haven’t quite figured out how to do this for our supply chains. We still rely