What are SBOMs?
A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted. That is the definition used by the Cybersecurity and Infrastructure Security Agency (CISA). You can learn all about SBOMs from their SBOM FAQ PDF and the other excellent material they have made available on the topic.
Lynn Westfall, AKA The Modem Lisa, has been involved in the working groups that CISA supports, as well as other groups documenting and providing guidance on the topic to the software industry. She recently spoke at SBOM-a-RAMA in Denver in September 2024 about the working group she leads, which focuses on the attributes (the features and functionality) of SBOM-related tooling.
Are you ready for SBOM?
If you’re a software development organization, we hope you’ve been preparing to deliver SBOMs with your products since President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028). If you’re late to the party, you may be in for a surprise: generating effective SBOMs isn’t easy! That is why so many volunteers are working to provide insights and guidance to all areas of the software supply chain.
On the other side, even companies with no internal or outsourced development to worry about have to be ready to process the SBOMs that arrive with purchased or otherwise acquired software. This means preparing your Procurement or Sourcing teams to ask the right questions and having a process in place to review incoming SBOMs and disseminate the information throughout your organization. While there are plenty of tools on the SBOM market to help with this, none of them is perfect or complete, and implementation can be unique to each environment and even to each process within an organization.
Developers, DevOps or Security
Within development organizations it can be unclear who owns the process of SBOM generation, review and distribution. Knowing the processes across the organization and building SBOM generation into the existing development, build and test stages prior to release increases the likelihood of producing distributable SBOMs that are actually usable. Take the time to review your existing SDLC tools and understand what SBOM capabilities already exist in your organization (many build tools and package managers can already emit SBOMs in SPDX or CycloneDX format) before considering additional tools.
Procurement or Sourcing
Some industries already have regulations requiring an SBOM or a software attestation prior to purchase. The FDA now requires an SBOM in premarket submissions for medical devices that qualify as cyber devices, and other industries are following closely. This may mean you are already familiar with the processes, or it may mean you’re just already enduring some of the headaches. As much as this may seem like an additional burden on the purchasing process, SBOMs can be a negotiation game changer! Use the request as a way to set vendors apart: some will not be prepared to deliver usable SBOMs, and others can’t comply at all yet. A missing or unusable SBOM can indicate a lack of maturity in the product or in the processes around its development, but not always. Work with vendors to obtain documents that are machine readable (SPDX or CycloneDX, in a serialization your tooling accepts) and that also have human-readable output for the areas of the business that may not have automatic access to the data, such as Legal. Your security organization is likely already using tooling that can import and review SBOMs, so check internally before looking for tooling to support your procurement process.
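What “usable” means in practice is that the document can be checked mechanically against the NTIA minimum elements (supplier name, component name, version, a unique identifier, dependency relationships, SBOM author and timestamp). The script below is an added example, not code from The Modem Lisa or from any SBOM tool: it triages a CycloneDX JSON SBOM for those elements and lists the gaps a procurement reviewer should push back on. It assumes CycloneDX JSON (an SPDX document would need different field names), and the embedded SBOM, including the vendor “Example Vendor” and the components “libfoo” and “libbar”, is constructed for illustration and describes no real software.

```python
"""Triage an incoming CycloneDX JSON SBOM against the NTIA minimum elements.

Added example (not code from The Modem Lisa or any SBOM tool). The SBOM below
is constructed for illustration; the vendor, product and component names are
placeholders, not real software.
"""
import json
from datetime import datetime

# Constructed CycloneDX 1.5 document. The second component ("libbar") is
# deliberately missing its version, supplier and PURL, and the dependency
# graph omits it: the kind of gap to catch before accepting the SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-09-30T12:00:00Z",
        "authors": [{"name": "Example Vendor Release Engineering"}],
        "component": {
            "type": "application", "name": "example-app", "version": "2.1.0",
            "supplier": {"name": "Example Vendor"},
            "purl": "pkg:generic/example-vendor/example-app@2.1.0",
            "bom-ref": "pkg:generic/example-vendor/example-app@2.1.0",
        },
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@1.4.2", "bom-ref": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "bom-ref": "libbar-ref"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-vendor/example-app@2.1.0",
         "dependsOn": ["pkg:generic/libfoo@1.4.2"]},
    ],
})


def _component_findings(comp):
    """Check one component for the per-component minimum elements."""
    name = comp.get("name", "<unnamed>")
    findings = []
    if not comp.get("name"):
        findings.append("component without a name")
    if not comp.get("version"):
        findings.append(f"{name}: missing version")
    supplier = comp.get("supplier") or {}
    if not supplier.get("name"):
        findings.append(f"{name}: missing supplier name")
    # CycloneDX allows purl, cpe or swid as the unique identifier.
    if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
        findings.append(f"{name}: no unique identifier (purl/cpe/swid)")
    return findings


def triage_sbom(sbom_json):
    """Return a list of findings; an empty list means the minimum elements are present."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    findings = []

    meta = doc.get("metadata", {})
    # Document-level elements: who produced the SBOM and when.
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("no SBOM author recorded (metadata.authors/tools)")
    try:
        datetime.fromisoformat(meta.get("timestamp", "").replace("Z", "+00:00"))
    except ValueError:
        findings.append("missing or malformed metadata.timestamp")

    # The primary component (the product itself) is held to the same bar.
    components = ([meta["component"]] if meta.get("component") else []) + doc.get("components", [])
    for comp in components:
        findings.extend(_component_findings(comp))

    # Dependency relationships: every component should appear in the graph.
    refs_in_graph = set()
    for dep in doc.get("dependencies", []):
        refs_in_graph.add(dep.get("ref"))
        refs_in_graph.update(dep.get("dependsOn", []))
    for comp in components:
        if comp.get("bom-ref") not in refs_in_graph:
            findings.append(f"{comp.get('name', '<unnamed>')}: not present in dependency graph")
    return findings


if __name__ == "__main__":
    for line in triage_sbom(SAMPLE_SBOM) or ["no findings: minimum elements present"]:
        print(line)
```

Run against the constructed document it reports four findings, all about libbar. A real review would run this (or the equivalent in your SBOM tooling) on every delivered document and hand the findings back to the vendor before the purchase closes, since a component with no version and no identifier cannot be matched against vulnerability or end-of-life data later.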
ITAM and SBOM
IT Asset Management, while holding a special place in the heart of The Modem Lisa, tends to be the last area of the business pulled into these critical processes. For better or worse, ITAM sometimes ends up cleaning up the mess after new equipment and software is procured, trying to determine all the third-party components that have also been introduced into the environment. Without any upfront data to work with, this can be a nightmare, if not a mission impossible! By working with Procurement/Sourcing, Legal, Security and all the other areas of IT, ITAM can also become a hub of information across the organization and the ultimate SBOM owner, with knowledge of all the software, including SBOM-related tools, within an organization. Building good SBOM consumption processes helps with managing end of life and updating assets. Sharing third-party component information with Security helps manage vulnerabilities and eases remediation.
Need some help?
Don’t expect to have a fully automated process! Human intervention with the SBOM tooling is still very much needed both for creation and consumption.
Does your organization have challenges with understanding what SBOM processes it needs to develop? Having trouble locating the right tools either within your organization or on the market?
Whether you need to make good SBOMs to support your customers or need to receive and consume SBOM data or both, The Modem Lisa can help you find the right solutions!
With extensive experience in SBOM-related procedures and tools, as well as IT Procurement, ITAM and Security processes, The Modem Lisa is your go-to for SBOM consulting. We’re here to help you achieve your goals and push the industry as a whole toward Software Supply Chain Transparency!
Send us an email today to get the process started! We can’t wait to support your SBOM processes!