June 24, 2022 | Visual

A Tool to Manage Cyber Risk: SBOMs and Security Through Transparency

About

Rogue regimes and adversarial nations are persistently on the prowl to discover exploitable vulnerabilities in cyberspace. In December 2021, the most serious software vulnerability in decades was discovered by a security researcher. “Log4j” was a seemingly obscure piece of code, but given how frequently the software code is reused, its vulnerability immediately compromised millions of devices around the world. The worst part of all: Organizations, companies, and individuals did not know if they were at risk, because they were unaware of the component parts of their software. Millions of consumers — including Fortune 500 companies and the U.S. government — do not patch vulnerabilities, because they are unaware of them.

The good news: There is a solution that would help provide transparency and mitigate risk. A Software Bill of Materials, or SBOM, details the various components in a given piece of software, similar to an ingredient list for food. If manufacturers provided and continuously updated SBOMs, consumers could recognize if they are impacted by known vulnerabilities or have other indicators of risk, allowing them to quickly take needed action.
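The consumption step described above, matching the components an SBOM lists against a feed of known vulnerabilities, can be shown in a few dozen lines. The following is an added example and is not code from FDD, ION Channel, Virgil Systems, or Cybeats. The SBOM fragment (a CycloneDX-style JSON document for a hypothetical "orders-service") and the advisory feed are both constructed for illustration: the advisory identifiers are placeholders rather than real CVE numbers, and the affected version ranges are invented. The point it demonstrates is that once the component inventory exists, deciding whether a known vulnerability applies becomes a mechanical lookup instead of guesswork.

```python
"""Match the components listed in an SBOM against a known-vulnerability feed.

Added example with constructed data; the advisory IDs are placeholders.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical "orders-service".
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "orders-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.3",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.3"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-text",
     "version": "1.10.0",
     "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders (not real CVE numbers) and the
# affected ranges are illustrative, not the real ranges for these libraries.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "org.apache.commons",
     "name": "commons-text", "introduced": "1.5", "fixed": "1.10.0"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as text.

    Pre-release suffixes such as '-beta9' are dropped here; a production matcher
    would honour them, because '2.0-beta9' sorts before '2.0'.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:          # pad so '1.10' and '1.10.0' compare equal
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """Affected if introduced <= version < fixed; the fixed release itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Return the library components from a CycloneDX-style JSON SBOM."""
    bom = json.loads(sbom_text)
    return [c for c in bom.get("components", []) if c.get("type") == "library"]


def find_affected(sbom_text, advisories):
    """Return [(component purl, advisory id)] for every vulnerable component."""
    hits = []
    for comp in load_components(sbom_text):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED: {purl} matches {adv_id}")
```

Run as written, it reports only the log4j-core component: commons-text is listed at exactly the fixed version and so is not flagged, and jackson-databind has no matching advisory. Two design points matter for a real deployment: matching on the coordinate pair (group, name) rather than the bare name avoids false hits across ecosystems, and the SBOM must be regenerated whenever the build changes, since a stale inventory gives a stale answer.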

FDD’s Transformative Cyber Innovation Lab, in collaboration with ION Channel, Virgil Systems, and Cybeats, is demonstrating how the creation, analysis, and consumption of SBOMs would help mitigate risks to U.S. security and prosperity by enhancing the transparency of the software supply chain.
