Understanding SBOMs in Real-World Systems – A Practical DevOps/SecOps Perspective

Part of the book series: Lecture Notes in Business Information Processing ((LNBIP,volume 523))

Included in the following conference series:

International Symposium on Business Modeling and Software Design

164 Accesses

Abstract

Vulnerabilities in third-party and open-source components pose significant risks to numerous systems, as evidenced by recent incidents like the XZ backdoor. Software Bill of Materials (SBOM) serves as a vital tool for identifying and isolating such vulnerabilities, and in some cases, it is a legally-mandated requirement to enhance supply-chain security within the digital ecosystem (e.g., Executive Order 14028). Despite its significant benefits, there are limitations in generating, using, and interpreting SBOMs effectively. In this paper, we aim to take an objective look on the state-of-the-art cybersecurity tools, particularly examining their contributions to or challenges from the practical SBOM perspective. The insights we present help improve existing tools and their usage in DevSecOps and compliance scenarios to maximize the effectiveness of SBOM standardization and requirements.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic

$34.99 /Month

Get 10 units per month
Download Article/Chapter or eBook
1 Unit = 1 Article or 1 Chapter
Cancel anytime

Buy Now

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 49.99; Price excludes VAT (USA)

Softcover Book: USD 64.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Arora, A., Wright, V.L., Garman, C.: SoK: a framework for and analysis of software bill of materials tools. Tech. rep, Idaho National Laboratory (INL) (2022)
Book Google Scholar
Bendix, L., Göransson, A.: A Comprehensive View of Software Bill of Materials (2023)
Google Scholar
Biden, J.R.: Executive Order on Improving the Nation’s Cybersecurity . https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ (2021)
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., Waltermire, D.: RFC 9393 Concise Software Identification Tags (2023)
Google Scholar
Camp, L.J., Andalibi, V.: SboM vulnerability assessment & corresponding requirements. NTIA Res. Not. Req. Comments Softw. Bill Mater. Elem. Consid. (2021)
Google Scholar
Chaora, A., Ensmenger, N.L., Camp, L.J.: Discourse, challenges, and prospects around the adoption and dissemination of software bills of materials (SBOMs). In: IEEE International Symposium on Technology and Society, ISTAS 2023, Swansea, United Kingdom, September 13-15, 2023, pp. 1–4. IEEE (2023). https://doi.org/10.1109/ISTAS57930.2023.10305922, https://doi.org/10.1109/ISTAS57930.2023.10305922
CISA: Types of Software Bill of Material (SBOM) Documents. https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf (2023)
Ghanem, W.A.H., Belaton, B.: Improving accuracy of applications fingerprinting on local networks using NMAP-AMAP-ETTERCAP as a hybrid framework. In: 2013 IEEE International Conference on Control System, Computing and Engineering, pp. 403–407. IEEE (2013)
Google Scholar
Hyeon, D.E., Park, J.H., Youm, H.Y.: A secure firmware and software update model based on blockchains for internet of things devices using SBOM. In: 18th Asia Joint Conference on Information Security, AsiaJCIS 2023, Koganei, Japan, August 15-16, 2023, pp. 53–58. IEEE (2023). https://doi.org/10.1109/ASIAJCIS60284.2023.00019
Mohan, V., Othmane, L.B.: SecDevOps: is it a marketing buzzword?-mapping research on security in DevOps. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 542–547. IEEE (2016)
Google Scholar
Muirí, É.Ó.: Framing software component transparency: establishing a common software bill of material (SBOM). NTIA, Nov 12 (2019)
Google Scholar
NTIA: Software Suppliers Playbook: SBOM Production and Provision. https://www.ntia.gov/sites/default/files/publications/software_suppliers_sbom_production_and_provision_-_final_0.pdf (2021)
NTIA: Survey of Existing SBOM Formats and Standards. https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf (2021)
NTIA: The Minimum Elements For a Software Bill of Materials. https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf (2021)
OWASP: Authoritative Guide to SBOM- Implement and Optimize use of Software Bill of Materials. https://cyclonedx.org/guides/sbom/generation/ (2024)
Sehgal, V.V., Ambili, P.: A taxonomy and survey of software bill of materials (SBOM) generation approaches. In: Analytics Global Conference, pp. 40–51. Springer (2023)
Google Scholar
Shiff, L.: SecOps vs DevSecOps: What’s The Difference? https://www.bmc.com/blogs/secops-vs-devsecops/ (2020)
Synopsys: Which of CISA’s Six Types of SBOMs Are Right for You? https://www.synopsys.com/software-integrity/resources/ebooks/cisa-sboms-guide.html+ (2024)
Wu, W., Wang, P., Zhao, L., Jiang, W.: An intelligent security detection and response scheme based on SBOM for securing IoT terminal devices. In: 11th International Conference on Information, Communication and Networks (ICICN), pp. 391–398. IEEE (2023)
Google Scholar
Xia, B., Bi, T., Xing, Z., Lu, Q., Zhu, L.: An empirical study on software bill of materials: where we stand and the road ahead. In: 45th IEEE/ACM International Conference on Software Engineering, ICSE 2023, Melbourne, Australia, May 14-20, 2023, pp. 2630–2642. IEEE (2023). https://doi.org/10.1109/ICSE48619.2023.00219, https://doi.org/10.1109/ICSE48619.2023.00219

Download references

Acknowledgments

Narges Yousefnezhad acknowledges the support of the Jenny and Antti Wihuri Foundation through the PoDoCo program (www.podoco.fi), grant number 141222. (Part of) This work was supported by the European Commission under the Horizon Europe Programme, as part of the project LAZARUS (https://lazarus-he.eu/) (Grant Agreement no. 101070303). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors. (Part of this work was) Funded by the European Union (Grant Agreement Nr. 101120962, RESCALE Project). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the Health and Digital Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.

Author information

Authors and Affiliations

Binare Oy, Jyväskylä, Finland
Narges Yousefnezhad
University of Jyväskylä, Jyväskylä, Finland
Andrei Costin

Authors

Narges Yousefnezhad
View author publications
You can also search for this author in PubMed Google Scholar
Andrei Costin
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Narges Yousefnezhad .

Editor information

Editors and Affiliations

Bulgarian Academy of Sciences, University of Library Studies and Information Technologies, Sofia, Bulgaria
Boris Shishkov

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Yousefnezhad, N., Costin, A. (2024). Understanding SBOMs in Real-World Systems – A Practical DevOps/SecOps Perspective. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2024. Lecture Notes in Business Information Processing, vol 523. Springer, Cham. https://doi.org/10.1007/978-3-031-64073-5_20

Download citation

DOI: https://doi.org/10.1007/978-3-031-64073-5_20
Published: 30 June 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-64072-8
Online ISBN: 978-3-031-64073-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics