What the Heck Is an SBOM, and Why Should We Care?

With every groundbreaking piece of technology that promises to improve the way we live our lives, cybercriminals are lurking around every corner, scheming and conspiring to exploit it for their own nefarious purposes. This may sound like the plot of a science fiction novel, but our reality is quickly catching up to what was once considered a world filled with fanciful ideas. As Isaac Asimov so famously opined, “Today’s science fiction is tomorrow’s science fact.” Here’s another ominous-sounding piece of technobabble. The S-Bomb! Actually, it’s SBOM, an acronym for Software Bill of Materials (I couldn’t resist). So, what the heck is that?


The National Telecommunications and Information Administration (NTIA) sums it up thusly: “A Software Bill of Materials (SBOM) is a complete, formally structured list of components, libraries, and modules that are required to build a given piece of software and the supply chain relationships between them.” In simpler terms, an SBOM is a list of ingredients that make up software components in a supply chain. Rather than eggs, flour, butter, and sugar (that’s a cookie recipe), an SBOM includes software licensing and version information, data fields, and source code.


Now, why should anyone care? As long as the software works, who cares what’s in it? Remember those villainous cybercriminals? They care. A lot! That’s their bread and butter. Whether they’re trying to make a buck or take over the world, those component-level ingredients are a treasure trove of potential vulnerabilities that can be exploited, such as the security flaws found in open-source and outdated software. By 2027, the global cost of cybercrime is estimated to be approximately $24 trillion! And let’s not underestimate the threats to national security and our lives!


The FBI has issued a warning regarding the software vulnerabilities of medical devices in the wake of several CISA alerts. It’s hard to fathom, but unscrupulous cyberterrorists can take advantage of Bluetooth, Wi-Fi, and other remote technology to infiltrate medical devices, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps, endangering the health and very lives of patients by altering a monitor’s reading or administering a drug overdose. Hackers exploit unsecured devices, interfere with medical facility operations, and compromise patient data confidentiality and integrity.


And then there’s killware! And it’s as terrifying as it sounds. Killware is a malware attack with the bone-chilling purpose of causing physical harm or even death if a ransom isn’t paid. It seeks to cause devastating damage by disrupting the critical infrastructure that supports and maintains our everyday lives. In one such attack, hackers gained access to a water system in Florida using its device controls. They increased the amount of sodium hydroxide — the main ingredient in liquid drain cleaner — to hazardous levels, 100 times higher than normal, which could cause burns, vomiting, severe pain, and bleeding. Fortunately, the attack was discovered in time.


SBOMs are a crucial tool for tracking acute weaknesses in cybersecurity, such as outdated and open-source software along the supply chain. They enable organizations to identify whether any components that make up a software application may have a vulnerability that can create a security risk. In 2022, there were 236 million ransomware attacks worldwide. Cybercriminals use ransomware, a malicious breed of software that can cripple an organization by holding its IT infrastructure hostage for a substantial payout.


To combat the onslaught of cybersecurity threats, the White House issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” in May 2021. The EO defines the security measures that must be followed by any software publisher or developer that does business with the Federal Government, requiring them to provide an SBOM. On December 29, 2022, the bipartisan $1.7 trillion Omnibus Appropriations Act was signed into law. It includes adding section 524B, Ensuring Cybersecurity of Devices, providing the FDA with authority to require medical device manufacturers to take additional cybersecurity protection measures by including an SBOM with each device brought to market through future pre-market submissions.


The creation of SBOMs is powerless on its own. There needs to be structure, automation, and heads-up reporting using a proactive management approach. Supply chain risk management software must analyze the underlying risk of installed applications and continuously identify vulnerabilities and lifecycle issues to ensure that both hardware and installed software remain supported and able to receive patches and updates. Mitigating cybersecurity risks using SBOMs needs to be comprehensive by inspecting individual components within applications, such as open-source and obsolete code.
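As an added illustration (not code from the article or from Eracent’s products) of the automated SBOM analysis described above: a small script that parses a constructed CycloneDX-style SBOM and flags each component that matches a constructed vulnerability entry or is past end-of-support. Every component name, version, and advisory id here is hypothetical.

```python
import json

# Constructed example: a minimal CycloneDX-style SBOM as a JSON string.
# Component names, versions and purls are hypothetical, not real packages.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "netlib", "version": "0.9.1", "purl": "pkg:generic/netlib@0.9.1"},
    {"name": "oldcrypt", "version": "2.0.0", "purl": "pkg:generic/oldcrypt@2.0.0"}
  ]
}"""

# Constructed vulnerability and lifecycle feeds keyed by component name.
# "fixed_in" is the first non-affected version; None means no fix published.
KNOWN_VULNS = {
    "netlib": [{"id": "EXAMPLE-0001", "introduced": "0.8.0", "fixed_in": "0.9.5"}],
    "oldcrypt": [{"id": "EXAMPLE-0002", "introduced": "1.0.0", "fixed_in": None}],
}
END_OF_SUPPORT = {"oldcrypt"}  # components no longer receiving patches

def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def analyze_sbom(sbom_json: str) -> list:
    """Return one finding per component that is vulnerable or unsupported."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, ver = comp["name"], parse_version(comp["version"])
        for vuln in KNOWN_VULNS.get(name, []):
            # Affected if at or after the introducing version and before the fix.
            affected = ver >= parse_version(vuln["introduced"]) and (
                vuln["fixed_in"] is None or ver < parse_version(vuln["fixed_in"]))
            if affected:
                findings.append({"component": name, "version": comp["version"],
                                 "issue": vuln["id"],
                                 "fix": vuln["fixed_in"] or "no fix available"})
        if name in END_OF_SUPPORT:
            findings.append({"component": name, "version": comp["version"],
                             "issue": "end-of-support", "fix": "replace component"})
    return findings

if __name__ == "__main__":
    for f in analyze_sbom(SBOM_JSON):
        print(f"{f['component']}@{f['version']}: {f['issue']} ({f['fix']})")
```

Running it reports netlib as vulnerable with an available fix, and oldcrypt twice: once for an unfixed vulnerability and once as an unsupported component that can no longer receive patches.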


Supply chain risk management using SBOM analysis is absolutely essential in our increasingly vulnerable cyber world. Did I mention killware? We are at the mercy of the organized crime syndicate of cybercriminals, and we need to fortify our defenses to thwart cyberthreats before they become cyberattacks.



William Choppa

William Choppa is the CEO of Eracent and a member of the Board of Directors. William is leading the organization, recruiting, and developing strong leaders in various functional roles, and communicating Eracent’s vision to co-workers, current and future customers, and the larger Cybersecurity and ITAM communities. Since joining the company in 2004, he has been passionate about the evolution and refinement of Eracent’s solutions, based on lessons learned from working with customers and partners.

Prior to joining Eracent, William was President of MCSI, a management consulting practice offering deployment, and customization services. He has held positions with IBM and several technology companies, as well as the National Aeronautics and Space Administration. William holds a BS in Aerospace Engineering from Embry Riddle Aeronautical University.
