BoMs Away – Why Everyone Should Have a BoM

A software bill-of-materials (BOM) is the software equivalent of a nutrition label on food: it tells you what’s inside, so you can make an informed decision. This is a relatively new area of focus in the security and tech industry in general, but it is quite important, as it helps facilitate accurate vulnerability and other supply-chain risk analysis.

Steve is the creator of OWASP Dependency-Track, an open source supply chain component analysis platform, a contributor to OWASP Dependency-Check, and is involved in a number of other software transparency-related projects and working groups, so he knows the space quite well.

There a number of factors contributing to the increased emphasis on BOMs, including:

• Compliance

• Regulation – The FDA is going to start requiring medical devices to have a cybersecurity BOM, including info on used commercial and open source software as well as hardware.

• Economic / supply-chain management, market forces – Companies may want to use fewer and better suppliers, BOMs are sometimes required during procurement.

BOMs have a number of common use cases, including:

• License identification and compliance

• Outdated component analysis

• Vulnerability analysis (software and hardware)

• Documenting direct, transitive, runtime, and environmental dependencies

• File verification (via hash checking)

• Hierarchical (system, sub-system, etc) representation of component usag

• Tracking component pedigree (ancestors from which a component is derived from)

CycloneDX uses a Package URL to uniquely identify a version of a dependency and its place within an ecosystem. It looks like this:

The Package URL identifies all relevant compopnent metadata, including ecosystem (type), group (namespace), name, version, and key/value pair qualifiers.

One great aspect of this approach is that it’s ecosystem-agnostic: it can support dependencies on Maven, Docker, NPM, RPM, etc.