{"id":148554,"date":"2022-10-20T04:23:11","date_gmt":"2022-10-20T09:23:11","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2022\/10\/sboms-an-overhyped-concept-that-wont-secure-your-software-supply-chain"},"modified":"2022-10-20T04:23:11","modified_gmt":"2022-10-20T09:23:11","slug":"sboms-an-overhyped-concept-that-wont-secure-your-software-supply-chain","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2022\/10\/sboms-an-overhyped-concept-that-wont-secure-your-software-supply-chain","title":{"rendered":"SBOMs: An Overhyped Concept That Won\u2019t Secure Your Software Supply Chain"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/sboms-an-overhyped-concept-that-wont-secure-your-software-supply-chain.jpg\"><\/a><\/p>\n<p>With <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\" target=\"_blank\">Executive Order 14028<\/a>, a large regulatory push toward mandating the production of a software bill of materials (SBOM) began. As this new buzzword spreads, you\u2019d think it was a miracle cure for securing the <a href=\"https:\/\/www.darkreading.com\/application-security\/software-supply-chain-concerns-reach-c-suite\" target=\"_blank\">software supply chain<\/a>. Conceptually, it makes sense \u2014 knowing what is in a product is a reasonable expectation. However, it is important to understand what exactly an SBOM is and whether or not it can objectively be useful as a security tool.<\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/sboms-only-effective-if-they-map-to-known-flaws\" target=\"_blank\">SBOMs<\/a> are meant to be something like a nutrition label on the back of a grocery store item listing all of the ingredients that went into making the product. While there currently is no official SBOM standard, a few guideline formats have emerged as top candidates. 
By far, the most popular is the Software Package Data Exchange (<a href=\"https:\/\/spdx.dev\/\" target=\"_blank\">SPDX<\/a>), sponsored by the Linux Foundation.<\/p>\n<p>SPDX, as with most other formats, attempts to provide a common way to represent basic information about the ingredients that go into the production of software: names, versions, hashes, ecosystems, ancillary data like known flaws and license information, and relevant external assets. However, software is not as simple as a box of cereal, and there is no equivalent to the Food and Drug Administration enforcing compliance with any recommended guidelines.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With Executive Order 14028, a large regulatory push toward mandating the production of a software bill of materials (SBOM) began. As this new buzzword spreads, you\u2019d think it was a miracle cure for securing the software supply chain. Conceptually, it makes sense \u2014 knowing what is in a product is a reasonable expectation. 
However, it [\u2026]<\/p>\n","protected":false},"author":662,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,1523,1492],"tags":[],"class_list":["post-148554","post","type-post","status-publish","format-standard","hentry","category-biotech-medical","category-computing","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/148554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/662"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=148554"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/148554\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=148554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=148554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=148554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}