
Will 2022 Be the Year of the Software Bill of Materials?
2022-01-18 22:33

"We're awash in supply chain attacks, whether they're caused by active and purposeful hacking into software providers to poison code on purpose, or by an inattentive and casual attitude to sucking software components into our own products and services without even being aware," Ducklin said.

"For years, we've batted around the idea that computer software and cloud services ought to have a credible Bill of Materials that would make it easy to figure out which newsworthy bugs might apply to each and every product we use," he continued.

Will 2022 be the year that finally ushers in the much-longed-for software bills of materials, the machine-readable documents that provide a definitive record of the components used to build a software product, including open-source software?

As for why SBOMs are so difficult to build and maintain, Eric Byres, CEO at aDolus, noted that it's straightforward to generate the SBOM when a software package is built, but what about software that's already been shipped and installed? That category accounts for some 95 percent of the software used in critical systems today, Byres estimated.
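The two paragraphs above describe what an SBOM is for (a machine-readable component record you can check against newly published bugs) and why post-release software is the hard case (no inventory to check). The following is an added example, not code from the article or from any of the people quoted in it: a small Python script that reads a minimal SBOM written in CycloneDX-style JSON, matches each component's package URL against a list of advisories, and separately reports components that carry no package URL at all. The SBOM, the component names and the advisory identifiers are all constructed sample data (the IDs are placeholders, not CVE numbers), and the version comparison is deliberately simplified to dotted integers.

```python
"""Match a minimal SBOM against a list of advisories (added example, constructed data)."""
import json

# Constructed sample SBOM in CycloneDX-style JSON; component names are fictitious.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-logging", "version": "2.14.1",
         "purl": "pkg:maven/com.example/acme-logging@2.14.1"},
        {"type": "library", "name": "acme-json", "version": "2.13.1",
         "purl": "pkg:maven/com.example/acme-json@2.13.1"},
        {"type": "library", "name": "acme-http", "version": "2.27.1",
         "purl": "pkg:pypi/acme-http@2.27.1"},
        # Inventoried by hand after shipping, with no package URL: it cannot be matched.
        {"type": "library", "name": "legacy-blob", "version": "unknown"},
    ],
})

# Constructed advisories: placeholder IDs, affected range [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:maven/com.example/acme-logging",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "package": "pkg:maven/com.example/acme-json",
     "introduced": "2.9.0", "fixed": "2.12.7"},
    {"id": "ADV-0003", "package": "pkg:pypi/acme-http",
     "introduced": "2.0.0", "fixed": "2.28.0"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (package, version).

    Qualifiers ('?...') and subpaths ('#...') are not handled in this example.
    """
    package, sep, version = purl.partition("@")
    return package, (version if sep else None)


def version_key(version):
    """Comparison key for dotted integer versions; real ecosystems have richer rules."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    return (version_key(advisory["introduced"])
            <= version_key(version)
            < version_key(advisory["fixed"]))


def match_sbom(sbom_json, advisories):
    """Return (matches, unmatchable).

    matches: list of (component name, version, advisory id)
    unmatchable: component names with no usable package URL
    """
    sbom = json.loads(sbom_json)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    matches, unmatchable = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatchable.append(comp["name"])
            continue
        package, version = parse_purl(purl)
        if version is None:
            unmatchable.append(comp["name"])
            continue
        for adv in by_package.get(package, []):
            if is_affected(version, adv):
                matches.append((comp["name"], version, adv["id"]))
    return matches, unmatchable


if __name__ == "__main__":
    found, unknown = match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for name, version, adv_id in found:
        print(f"{name} {version}: affected by {adv_id}")
    for name in unknown:
        print(f"{name}: no package URL, cannot be checked against advisories")
```

The `unmatchable` list is the part worth watching in practice: a component that reaches the inventory without a package URL (the already-shipped case Byres describes) silently drops out of every advisory check unless the tooling reports it explicitly.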

"Add in software that's added via mergers and acquisitions and the bottom line is many suppliers lose track of the 3rd-party vulnerabilities in their software soon after it is compiled and released," he said.

According to the EO (the May 2021 US Executive Order on Improving the Nation's Cybersecurity), SBOMs will help everybody in the software supply chain, including those parties who make, buy and operate software.
News URL

https://threatpost.com/2022-software-bill-of-materials/177736/