Software Bill of Materials (SBOM) work at NTIA
Modern software systems contain many components, which themselves contain components, which themselves contain components. Which raises some important questions, for example, when a vulnerability is publicly identified, how do you know if your system is affected? Another issue involves licensing - how can you be confident that you are meeting all your legal obligations? This is getting harder to do as systems get bigger, and also because software development is a global activity.
On July 19, 2018, the US National Telecommunications and Information Administration (NTIA) “convened a meeting of stakeholders from across multiple sectors to begin a discussion about software transparency and the proposal being considered for a common structure for describing the software components in a product containing software.” [Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM)]
A key part of this is to make it much easier to define and exchange a “Software Bill of Materials” (SBOM). You can see a lot of their information at the Community-Drafted Documents on Software Bill of Materials. If you’re interested in this topic, that’s a decent place to start.
path: /security | Current Weblog | permanent link to this entry