Abstract
Vulnerabilities in third-party and open-source components pose significant risks to numerous systems, as evidenced by recent incidents like the XZ backdoor. Software Bill of Materials (SBOM) serves as a vital tool for identifying and isolating such vulnerabilities, and in some cases, it is a legally-mandated requirement to enhance supply-chain security within the digital ecosystem (e.g., Executive Order 14028). Despite its significant benefits, there are limitations in generating, using, and interpreting SBOMs effectively. In this paper, we aim to take an objective look on the state-of-the-art cybersecurity tools, particularly examining their contributions to or challenges from the practical SBOM perspective. The insights we present help improve existing tools and their usage in DevSecOps and compliance scenarios to maximize the effectiveness of SBOM standardization and requirements.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Arora, A., Wright, V.L., Garman, C.: SoK: a framework for and analysis of software bill of materials tools. Tech. rep, Idaho National Laboratory (INL) (2022)
Bendix, L., Göransson, A.: A Comprehensive View of Software Bill of Materials (2023)
Biden, J.R.: Executive Order on Improving the Nation’s Cybersecurity . https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ (2021)
Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., Waltermire, D.: RFC 9393 Concise Software Identification Tags (2023)
Camp, L.J., Andalibi, V.: SboM vulnerability assessment & corresponding requirements. NTIA Res. Not. Req. Comments Softw. Bill Mater. Elem. Consid. (2021)
Chaora, A., Ensmenger, N.L., Camp, L.J.: Discourse, challenges, and prospects around the adoption and dissemination of software bills of materials (SBOMs). In: IEEE International Symposium on Technology and Society, ISTAS 2023, Swansea, United Kingdom, September 13-15, 2023, pp. 1–4. IEEE (2023). https://doi.org/10.1109/ISTAS57930.2023.10305922, https://doi.org/10.1109/ISTAS57930.2023.10305922
CISA: Types of Software Bill of Material (SBOM) Documents. https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf (2023)
Ghanem, W.A.H., Belaton, B.: Improving accuracy of applications fingerprinting on local networks using NMAP-AMAP-ETTERCAP as a hybrid framework. In: 2013 IEEE International Conference on Control System, Computing and Engineering, pp. 403–407. IEEE (2013)
Hyeon, D.E., Park, J.H., Youm, H.Y.: A secure firmware and software update model based on blockchains for internet of things devices using SBOM. In: 18th Asia Joint Conference on Information Security, AsiaJCIS 2023, Koganei, Japan, August 15-16, 2023, pp. 53–58. IEEE (2023). https://doi.org/10.1109/ASIAJCIS60284.2023.00019
Mohan, V., Othmane, L.B.: SecDevOps: is it a marketing buzzword?-mapping research on security in DevOps. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 542–547. IEEE (2016)
Muirí, É.Ó.: Framing software component transparency: establishing a common software bill of material (SBOM). NTIA, Nov 12 (2019)
NTIA: Software Suppliers Playbook: SBOM Production and Provision. https://www.ntia.gov/sites/default/files/publications/software_suppliers_sbom_production_and_provision_-_final_0.pdf (2021)
NTIA: Survey of Existing SBOM Formats and Standards. https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf (2021)
NTIA: The Minimum Elements For a Software Bill of Materials. https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf (2021)
OWASP: Authoritative Guide to SBOM- Implement and Optimize use of Software Bill of Materials. https://cyclonedx.org/guides/sbom/generation/ (2024)
Sehgal, V.V., Ambili, P.: A taxonomy and survey of software bill of materials (SBOM) generation approaches. In: Analytics Global Conference, pp. 40–51. Springer (2023)
Shiff, L.: SecOps vs DevSecOps: What’s The Difference? https://www.bmc.com/blogs/secops-vs-devsecops/ (2020)
Synopsys: Which of CISA’s Six Types of SBOMs Are Right for You? https://www.synopsys.com/software-integrity/resources/ebooks/cisa-sboms-guide.html+ (2024)
Wu, W., Wang, P., Zhao, L., Jiang, W.: An intelligent security detection and response scheme based on SBOM for securing IoT terminal devices. In: 11th International Conference on Information, Communication and Networks (ICICN), pp. 391–398. IEEE (2023)
Xia, B., Bi, T., Xing, Z., Lu, Q., Zhu, L.: An empirical study on software bill of materials: where we stand and the road ahead. In: 45th IEEE/ACM International Conference on Software Engineering, ICSE 2023, Melbourne, Australia, May 14-20, 2023, pp. 2630–2642. IEEE (2023). https://doi.org/10.1109/ICSE48619.2023.00219, https://doi.org/10.1109/ICSE48619.2023.00219
Acknowledgments
Narges Yousefnezhad acknowledges the support of the Jenny and Antti Wihuri Foundation through the PoDoCo program (www.podoco.fi), grant number 141222. (Part of) This work was supported by the European Commission under the Horizon Europe Programme, as part of the project LAZARUS (https://lazarus-he.eu/) (Grant Agreement no. 101070303). The content of this article does not reflect the official opinion of the European Union. Responsibility for the information and views expressed therein lies entirely with the authors. (Part of this work was) Funded by the European Union (Grant Agreement Nr. 101120962, RESCALE Project). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the Health and Digital Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Yousefnezhad, N., Costin, A. (2024). Understanding SBOMs in Real-World Systems – A Practical DevOps/SecOps Perspective. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2024. Lecture Notes in Business Information Processing, vol 523. Springer, Cham. https://doi.org/10.1007/978-3-031-64073-5_20
Download citation
DOI: https://doi.org/10.1007/978-3-031-64073-5_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-64072-8
Online ISBN: 978-3-031-64073-5
eBook Packages: Computer ScienceComputer Science (R0)