What Does Software Bill of Materials Mean?
Software Bill of Materials (SBOM) is a document that provides details about the components used to build a software application. SBOMs are useful for identifying which software applications are most at risk when a third-party vulnerability is discovered.
SBOMs are created and maintained by software vendors and individual program authors. Ideally, a new SBOM should be created each time a new software version is released to the general public. The documentation an SBOM provides can help stakeholders:
- Gain better visibility into software assets.
- Conduct due diligence to assess risk.
- Identify and monitor potential regulatory compliance conflicts.
- Prioritize remediation options.
Techopedia Explains Software Bill of Materials
The benefits of SBOMs apply to both software suppliers and software consumers. The creation of shareable SBOMs is expected to play an increasingly important role in software lifecycle management, supply chain management and software asset management.
SBOM formats
Currently, there are three formats commonly used to create and share SBOMs: SWID tagging, SPDX and CycloneDX.
SWID tagging — Software Identification (SWID) tags contain information about a specific software product release. The Trusted Computing Group (TCG) and the Internet Engineering Task Force (IETF) both support SWID Tags in their standards.
SPDX — Software Package Data Exchange® is an open standard for communicating software bill of materials information. The SPDX specification is also known as ISO/IEC 5962:2021.
CycloneDX — CycloneDX is a lightweight SBOM standard designed for use in application security contexts. CycloneDX is managed by the CycloneDX Core working group with assistance from members of the Open Web Application Security Project® (OWASP) community.
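As an added example (not part of the original article, nor code from any of the projects named above), the following Python script shows the use of an SBOM described at the top of this page: loading a CycloneDX JSON document and matching its components against an advisory list to find which ones are at risk. The SBOM contents, component names and advisory identifiers are all constructed placeholders, not real packages or CVEs.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (not a real product's SBOM); the
# component names, versions and purls are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1", "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "json-lite", "version": "1.9.0", "purl": "pkg:maven/org.example/json-lite@1.9.0"},
    {"type": "library", "name": "http-core", "version": "4.5.13", "purl": "pkg:maven/org.example/http-core@4.5.13"}
  ]
}
"""

# Constructed advisory feed: package name, first fixed version, placeholder id.
# Versions below "fixed" are affected; the ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "log-helper", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-002", "name": "http-core", "fixed": "4.5.13"},
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison; non-numeric parts become 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX JSON document's 'components' list."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c.get("version", "")) for c in bom.get("components", [])]

def affected_components(sbom_text, advisories):
    """Match SBOM components against advisories; a component is affected when
    its version is older than the advisory's first fixed version."""
    hits = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed"]):
                hits.append((adv["id"], name, version))
    return hits
```

Running `affected_components(SBOM_JSON, ADVISORIES)` reports only log-helper 2.14.1, since http-core is already at its first fixed version.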