Software Bill of Materials

What Does Software Bill of Materials Mean?

Software Bill of Materials (SBOM) is a document that provides details about the components used to build a software application. SBOMs are useful for identifying which software applications are most at risk when a third-party vulnerability is discovered.

Advertisements

SBOMs are created and maintained by software vendors and individual program authors. Ideally, a new SBOM should be created each time a new software verion is released to the general public. The documentation an SBOM provides can help stakeholders:

  • Gain better visibility into software assets.
  • Conduct due diligence to assess risk.
  • Identify and monitor potential regulatory compliance conflicts.
  • Prioritize remediation options.

Techopedia Explains Software Bill of Materials

The benefits of SBOMs apply to both software suppliers and software consumers. The creation of shareable SBOMs is expected to play an increasingly important role in software lifecycle management, supply chain management and software asset management.

SBOM formats

Currently, there are three formats commonly used to create and share SBOMs: SWID Tagging, SPDX and Cyclone DX.

SWID tagging — Software Identification (SWID) tags contain information about a specific software product release. The Trusted Computing Group (TCG) and the Internet Engineering Task Force (IETF) both support SWID Tags in their standards.

SPDX — Software Package Data Exchange® is an open standard for communicating software bill of material information. The SPDX specification is also known as ISO/IEC 5962:2021.

Cyclone DX — CycloneDX is a lightweight SBOM standard designed for use in application security contexts. Cyclone DX is managed by the CycloneDX Core working group with assistance from members of the Open Web Application Security Project® (OWASP) community.

Advertisements
Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.