
We can’t wait for SBOMs to be demanded by regulation
2023-03-14 05:30

We need SBOMs. The good news is that regulations demanding SBOMs are in the works in the US and elsewhere.

The US government has demanded that federal agencies adopt SBOMs in a standard format, but whether this is necessary is based on the "Criticality of the software".

Our advice is not to wait for regulation and to enact policies that act as if strict demands on SBOMs already exist.

Generating SBOMs should be done via build-time methods, typically in a CI/CD pipeline, so that the SBOM is regenerated with every build and always stays up to date.
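As an added illustration of the build-time approach (example code written for this page, not code from Help Net Security or any SBOM tool), the script below enumerates the packages actually installed in the build environment, emits a minimal CycloneDX 1.5 JSON document for them, and compares two SBOMs so a pipeline can flag dependency drift between builds. The application name, version strings and the choice of the `pypi` package-URL ecosystem are assumptions for the demo; only a small subset of the CycloneDX schema is produced.

```python
"""Build-time SBOM generation (minimal CycloneDX JSON) plus a drift check.

Added example for illustration; assumes a Python build environment and the
CycloneDX 1.5 JSON layout (bomFormat/specVersion/metadata/components).
"""
import json
from datetime import datetime, timezone
from importlib import metadata


def collect_installed_components():
    """Enumerate the Python distributions present in this build environment.

    Running this inside the CI job that produces the artifact is what keeps
    the SBOM tied to what was actually built, rather than to a hand-kept list.
    """
    comps = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") if dist.metadata else None
        if not name or not dist.version:
            continue  # skip broken or nameless distributions
        comps.append({"name": name.lower(), "version": dist.version})
    return sorted(comps, key=lambda c: (c["name"], c["version"]))


def build_sbom(components, app_name, app_version, ecosystem="pypi"):
    """Assemble a minimal CycloneDX 1.5 document from a component list.

    `ecosystem` is the package-URL type used to build each component's purl
    (assumed to be "pypi" here); the timestamp records when the build ran.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "name": app_name,
                "version": app_version,
            },
        },
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": f"pkg:{ecosystem}/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def sbom_drift(previous, current):
    """Report components added, removed or re-versioned between two SBOMs.

    A pipeline can fail or alert on a non-empty result so that every change
    to the dependency set is reviewed rather than silently shipped.
    """
    def index(bom):
        return {c["name"]: c["version"] for c in bom.get("components", [])}

    old, new = index(previous), index(current)
    return {
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
        "changed": sorted(
            (n, old[n], new[n]) for n in old if n in new and old[n] != new[n]
        ),
    }


if __name__ == "__main__":
    # Constructed sample values for the demo application.
    sbom = build_sbom(collect_installed_components(), "demo-app", "1.0.0")
    print(json.dumps(sbom, indent=2))
```

In a pipeline, the JSON printed by the `__main__` block would be written next to the build artifact and archived; storing the previous build's SBOM lets `sbom_drift` turn an unexpected new or upgraded dependency into a review gate instead of a surprise.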

There is a risk that requiring vendors to hand over their SBOMs exposes their secret sauce: the components and programs they use to build their solutions, which is a potential competition issue.

Neither developers nor security teams can wait: they need to implement and demand SBOMs now, normalizing them ahead of the next big hack.


News URL

https://www.helpnetsecurity.com/2023/03/14/sboms-regulation/