Application Security , Endpoint Security , Next-Generation Technologies & Secure Development

Supply Chain: The Role of Software Bills of Materials

Patrick Dwyer of OWASP Says SBOMs Reduce Attack Surfaces
Patrick Dwyer, OWASP

Software is like a Russian nesting doll: An application is usually composed of a variety of open-source and third-party code libraries wrapped together in complex ways.

See Also: OnDemand: 2024 Google Cloud Partner of the Year - Application and Infrastructure Security

Organizations often have no idea what's inside, which poses a threat if a vulnerability is found. But there's growing momentum around the use of software bills of materials, or SBOMs. These list all third-party code and dependencies within an application or device.

SBOMs are used in combination with platforms such as Dependency-Track, which allow for automated supply chain risk analysis, says Patrick Dwyer, an Australian software developer who works with OWASP on CycloneDX, which is one of three specifications for describing software components for SBOMs.

Automated supply chain analysis allows security teams to quickly make risk assessments about new vulnerabilities even if they're unsure exactly how they might be affected. "There's a whole lot of immediate action organizations can take to reduce that risk," Dwyer says.

A sweeping cybersecurity order signed earlier this month by President Joe Biden will require vendors to supply U.S. federal government agencies with SBOMs for purchased software. The requirement is one of several designed to increase supply chain security in the U.S. (see: Executive Order Focuses on Supply Chain Risk Management).

In this video interview with ISMG, Dwyer discusses:

  • How SBOMs help organizations quickly discover and mitigate software vulnerabilities;
  • How organizations can start with SBOMs on procurement projects;
  • How SBOMs integrate with other platforms to support continuous analysis of software.

Dwyer is a member of the CycloneDX SBOM Specification Core Team and of OWASP, the Open Web Application Security Project. He is also software developer lead for a government council in Queensland, Australia.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.