A "software bill of materials" (SBOM) that lists third party components can help the open source community, developers, software vendors, and enterprise customers address security risks, vulnerabilities, and supply chain concerns. Visibility into the underlying third party components the undergird software can help those across the supply chain make better security decisions about a range of risks. To date, however, there has not been a widely accepted practice on how to assemble and communicate this data between those developing software and those securing it or using it. Without visibility into third party components, developing organizations cannot understand the deeper security risks in what they assemble, organizations lack insight into security risks from outdated or insecurely sourced open components in what they are building or buying, and security teams cannot easily and efficiently determine whether their systems are potentially at risk from newly discovered vulnerabilities.
What was once heresy is becoming a reality! This talk will present on progress made in a recent cross-sector effort convened by NTIA, and give an overview on the whats, the whys, and the hows of SBOM and software component transparency.