gears (adike/

Why security demands a software bill of materials

If you’ve ever perused the ingredient labels on the groceries you’re buying, you surely can relate to Allan Friedman, who is trying to do for corporate security software what those labels do for food.


Assembling an ingredients list for software

The Commerce Department's software bill of materials initiative could give IT managers a better sense of what is in their enterprise software. Read more.

As the director of cybersecurity at the Commerce Department's National Telecommunications and Information Administration, Friedman coordinates multiple stakeholders to develop policies on cybersecurity, and specifically vulnerabilities in the internet of things.

In a presentation last month at Black Hat USA,  Friedman, who spent more than 15 years as a technology policy scholar, described how government is looking to make security software less opaque by serving up a list of ingredients that go into each application and product used. NTIA's Software Transparency Standards and Formats Working Group is investigating how existing standards and initiatives can apply to identifying the external components and shared libraries used in the construction of software products.

“It’s insane that we have vulnerabilities everywhere,” Friedman said in his \presentation, dubbed “Transparency in the Software Supply Chain: Making SBOM a Reality.” “The idea of the ‘bill of materials’ is 80 years old.” Software components often hail from a wide variety of sources, so it can be difficult for enterprise users both in the public and private sectors to properly understand the implicit security risks in their systems.

Despite the simplicity of this concept, the software bill of materials has been met with both apathy and hostility, especially in policy circles, Friedman said. But, despite SBOM’s controversial nature, Friedman said it could potentially revolutionize the information security industry, especially as enterprise software enters the IoT phase of development, where virtually all electronic equipment is IP-connected and therefore accessible to access or attack.

“Licensing is incredibly fraught,” he said. “It’s hard. How do we put this all within a single pane of glass?”

According to Friedman, the goal of the SBOM initiative is “for software and IoT vendors to share details on the underlying components, libraries and dependencies with enterprise customers.” This transparency can serve as a catalyst to a more efficient market for security by allowing vendors to signal quality and giving enterprise customers key knowledge.

More specifically, SBOM success would feature machine-readable formats that link to the software publisher and components. A lightweight solution that captures the basics of dependencies would integrated into software development and updating processes, according to an  NTIA presentation.  

“Even though a lot of us have come to the table with ideas,” Friedman says. “Talking about the components of software is hard.” Companies have to start with the basics to make a “risk decision.”

About the Author

Karen Epper Hoffman is a freelance writer based in the Seattle area.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected