
Why security demands a software bill of materials

If you’ve ever perused the ingredient labels on the groceries you’re buying, you surely can relate to Allan Friedman, who is trying to do for corporate security software what those labels do for food.


As the director of cybersecurity at the Commerce Department's National Telecommunications and Information Administration, Friedman coordinates multiple stakeholders to develop policies on cybersecurity, and specifically vulnerabilities in the internet of things.

In a presentation last month at Black Hat USA, Friedman, who spent more than 15 years as a technology policy scholar, described how government is looking to make software less opaque by serving up a list of the ingredients that go into each application and product an organization uses. NTIA's Software Transparency Standards and Formats Working Group is investigating how existing standards and initiatives can be applied to identifying the external components and shared libraries used in the construction of software products.

“It’s insane that we have vulnerabilities everywhere,” Friedman said in his presentation, dubbed “Transparency in the Software Supply Chain: Making SBOM a Reality.” “The idea of the ‘bill of materials’ is 80 years old.” Software components often come from a wide variety of sources, so it can be difficult for enterprise users in both the public and private sectors to understand the security risks they have inherited: a vulnerability in one shared library is a vulnerability in every product that silently bundles it.

Despite the simplicity of the concept, the software bill of materials has been met with both apathy and hostility, especially in policy circles, Friedman said. But despite SBOM’s controversial nature, Friedman said it could potentially revolutionize the information security industry, especially as enterprise software enters the IoT phase of development, where virtually all electronic equipment is IP-connected and therefore reachable over the network, and so open to attack.

“Licensing is incredibly fraught,” he said. “It’s hard. How do we put this all within a single pane of glass?”

According to Friedman, the goal of the SBOM initiative is “for software and IoT vendors to share details on the underlying components, libraries and dependencies with enterprise customers.” This transparency can serve as a catalyst for a more efficient market for security by allowing vendors to signal quality and giving enterprise customers the knowledge they need to judge, for example, whether a newly disclosed library flaw affects anything they run.

More specifically, SBOM success would feature machine-readable formats that link the software publisher to the components it ships. A lightweight solution that captures the basics of dependencies would be integrated into software development and updating processes, so the list is produced and refreshed as a by-product of each build and release rather than assembled by hand, according to an NTIA presentation.

“Even though a lot of us have come to the table with ideas,” Friedman said, “talking about the components of software is hard.” Companies have to start with the basics to make a “risk decision.”
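To make the “lightweight, machine-readable” idea concrete, here is an added example of what the basics look like in code. It is not NTIA's format, not a tool from the working group, and not code from the article: the field set (supplier, component name, version, a SHA-256 of the shipped artifact, and a depends_on list), the product and component names, the artifact bytes and the advisory identifiers are all constructed assumptions chosen for illustration. The example builds an SBOM from a build manifest, round-trips it through JSON with a validity check, and then supports the two questions an enterprise customer actually asks of it: which components fall below a fixed version in a known advisory, and which other components are exposed through the dependency graph.

```python
"""Minimal machine-readable SBOM builder plus dependency risk checks.

Added example, not an NTIA-defined format. Field names, component names,
artifact bytes and advisory identifiers are constructed for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed build manifest: what a hypothetical product was assembled from.
# The 'artifact' bytes stand in for the real library files so hashes are reproducible offline.
CONSTRUCTED_COMPONENTS = [
    {"supplier": "ExampleCorp", "name": "libnet", "version": "3.4.1",
     "artifact": b"libnet-3.4.1 (constructed)", "depends_on": ["libtls"]},
    {"supplier": "ExampleCrypto", "name": "libtls", "version": "1.0.2",
     "artifact": b"libtls-1.0.2 (constructed)", "depends_on": []},
    {"supplier": "ExampleUI", "name": "widgetkit", "version": "0.9.0",
     "artifact": b"widgetkit-0.9.0 (constructed)", "depends_on": ["libnet"]},
]

# Constructed advisories. The identifiers are hypothetical, not real CVE numbers.
CONSTRUCTED_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libtls", "fixed_in": "1.0.3"},
    {"id": "ADV-EXAMPLE-0002", "name": "libnet", "fixed_in": "3.4.0"},
]


def parse_version(v):
    """'3.4.1' -> (3, 4, 1) so versions compare numerically, not as strings.
    Assumes purely dotted-numeric versions; real ecosystems need their own rules."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(product, version, supplier, components, when=None):
    """Link the publisher to every component it shipped, with a hash per artifact."""
    when = when or datetime.now(timezone.utc)
    entries = [{
        "supplier": c["supplier"],
        "name": c["name"],
        "version": c["version"],
        "sha256": hashlib.sha256(c["artifact"]).hexdigest(),
        "depends_on": sorted(c["depends_on"]),
    } for c in components]
    # Deterministic ordering: identical inputs give byte-identical output, so two releases diff cleanly.
    entries.sort(key=lambda e: (e["name"], e["version"]))
    return {
        "sbom_version": 1,
        "product": {"supplier": supplier, "name": product, "version": version},
        "generated": when.isoformat(),
        "components": entries,
    }


def sbom_to_json(sbom):
    return json.dumps(sbom, indent=2, sort_keys=True)


def load_sbom(text):
    """Parse a received SBOM and reject dangling dependencies or malformed hashes."""
    sbom = json.loads(text)
    names = {c["name"] for c in sbom["components"]}
    for c in sbom["components"]:
        missing = [d for d in c["depends_on"] if d not in names]
        if missing:
            raise ValueError(f"{c['name']} depends on undeclared component(s): {missing}")
        if not re.fullmatch(r"[0-9a-f]{64}", c["sha256"]):
            raise ValueError(f"{c['name']}: sha256 is not a 64-char hex digest")
    return sbom


def assess(sbom, advisories):
    """Return [(name, version, advisory_id)] for every component below an advisory's fixed version."""
    findings = []
    for c in sbom["components"]:
        for a in advisories:
            if a["name"] == c["name"] and parse_version(c["version"]) < parse_version(a["fixed_in"]):
                findings.append((c["name"], c["version"], a["id"]))
    return findings


def affected_by(sbom, component):
    """Everything that transitively depends on `component` (reverse-dependency walk)."""
    reverse = {}
    for c in sbom["components"]:
        for dep in c["depends_on"]:
            reverse.setdefault(dep, set()).add(c["name"])
    seen, stack = set(), [component]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)


# Constructed product; the fixed timestamp keeps the output reproducible.
EXAMPLE_SBOM = build_sbom("GadgetOS", "2.1", "ExampleCorp", CONSTRUCTED_COMPONENTS,
                          when=datetime(2018, 8, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(sbom_to_json(EXAMPLE_SBOM))
    for name, version, adv in assess(EXAMPLE_SBOM, CONSTRUCTED_ADVISORIES):
        print(f"{name} {version} affected by {adv}; exposed dependents: {affected_by(EXAMPLE_SBOM, name)}")
```

Two design points matter for the “risk decision” the paragraph mentions. Hashing the artifact, not just recording a version string, lets a customer confirm that the library on disk is the one the vendor declared. And keeping the dependency edges in the document is what turns a single advisory into a list of exposed products: here the outdated TLS library is flagged, and the reverse-dependency walk shows that both the networking library and the UI kit inherit the exposure.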

About the Author

Karen Epper Hoffman is a freelance writer based in the Seattle area.
