Why SBOM analysis is a prudent augmentation of your security strategy
A Software Bill of Materials (SBOM) gives producers and consumers of software a machine-readable inventory of the components in a software package and the dependencies between them. SBOMs have become essential to managing security and licensing risk in today's applications.
Managing software security and licensing without SBOMs is slow and error-prone. Recall the pain many organizations went through when the Log4j vulnerability (Log4Shell, CVE-2021-44228) was disclosed in December 2021: few had SBOMs, so finding every affected artifact, and confirming which version of log4j-core each one actually bundled, was a manual process of discovery before remediation could even begin.
The need for SBOMs is more pressing than ever because the volume of code being produced is accelerating, and that code pulls in more open source packages than it strictly needs. Generative AI is bringing benefits to many areas of work, and assistants such as GitHub Copilot and Amazon CodeWhisperer dramatically increase the speed of development. One consequence is that far more code is being checked in and integrated, and much of it is machine generated; by some estimates, upwards of 75% of the code in common languages is machine generated when these tools are in use.
In this environment, without SBOMs in place for the software you build and the software you consume, and without continuously analyzing them against new vulnerability disclosures, the next Log4j will be 10X more painful than the first. We believe now is the time to implement SBOMs and understand the dependencies in the software you use and the software you build.
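To make the "continuous analysis" concrete, here is an added example (not code from the original post or from any SBOM tool) of the query a team would run when an advisory lands: given a CycloneDX SBOM, report every dependency path from the application down to a component whose package URL (purl) falls in the affected version range. The SBOM document embedded below is constructed for this example, the component names and versions are illustrative, and the affected range used for log4j-core (2.0 up to but not including 2.15.0) is a simplification of the Log4Shell advisory; use the advisory's exact ranges in practice.

```python
"""Query a CycloneDX SBOM for every dependency path that reaches a vulnerable component."""
import json
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX 1.4 document for this example; not a real project's SBOM.
# Only the fields the query reads are present: metadata.component, components
# (bom-ref, name, version, purl) and the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "order-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "spring", "name": "spring-boot-starter-web", "version": "2.5.6",
         "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-web@2.5.6"},
        {"bom-ref": "logutil", "name": "internal-logging-util", "version": "1.4.0",
         "purl": "pkg:maven/com.example/internal-logging-util@1.4.0"},
        {"bom-ref": "jackson", "name": "jackson-databind", "version": "2.12.5",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.5"},
        {"bom-ref": "log4j-api", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"bom-ref": "log4j-core", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["spring", "jackson", "logutil"]},
        {"ref": "spring", "dependsOn": ["log4j-api", "log4j-core"]},
        {"ref": "logutil", "dependsOn": ["log4j-core"]},
        {"ref": "log4j-core", "dependsOn": ["log4j-api"]},
        {"ref": "jackson", "dependsOn": []},
    ],
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Parsing stops at the first non-numeric text, so '2.15.0-rc1' compares as (2, 15, 0).
    This is enough for Maven-style versions; a real scanner would use ecosystem-aware rules.
    """
    parts: List[int] = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def load_graph(sbom_json: str) -> Tuple[str, Dict[str, dict], Dict[str, List[str]]]:
    """Return (root bom-ref, components keyed by bom-ref, adjacency list of dependencies)."""
    bom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root  # the application itself is a node in the graph
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def affected_refs(components: Dict[str, dict], purl_prefix: str,
                  introduced: str, fixed: str) -> Set[str]:
    """bom-refs whose purl names the package and whose version lies in [introduced, fixed)."""
    low, high = parse_version(introduced), parse_version(fixed)
    hits: Set[str] = set()
    for ref, comp in components.items():
        purl = comp.get("purl", "")
        if not purl.startswith(purl_prefix + "@"):
            continue
        if low <= parse_version(purl.split("@", 1)[1]) < high:
            hits.add(ref)
    return hits


def paths_to(root: str, graph: Dict[str, List[str]], targets: Set[str]) -> List[List[str]]:
    """Depth-first walk from the root; every path ending at an affected ref is reported.

    Visited state is kept per path rather than globally so that a component reached
    through two different parents (a diamond) is reported once per parent: each parent
    is a separate thing to upgrade. The 'child not in path' check prevents cycles.
    """
    found: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        path = path + [ref]
        if ref in targets:
            found.append(path)
        for child in graph.get(ref, []):
            if child not in path:
                walk(child, path)

    walk(root, [])
    return found


def find_vulnerable_paths(sbom_json: str, purl_prefix: str,
                          introduced: str, fixed: str) -> List[List[str]]:
    """Human-readable 'name@version' paths from the application to each affected component."""
    root, components, graph = load_graph(sbom_json)
    targets = affected_refs(components, purl_prefix, introduced, fixed)
    label = lambda ref: f"{components[ref]['name']}@{components[ref]['version']}"
    return [[label(ref) for ref in path] for path in paths_to(root, graph, targets)]


if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_SBOM,
                                      "pkg:maven/org.apache.logging.log4j/log4j-core",
                                      "2.0", "2.15.0"):
        print(" -> ".join(path))
```

Run against the sample, the query reports two paths to log4j-core 2.14.1, one through spring-boot-starter-web and one through the internal logging utility; log4j-api is correctly left out because the affected package is log4j-core. That second path is the point of the exercise: upgrading the Spring starter alone would leave the vulnerable jar on the classpath, which is exactly the kind of blind spot manual discovery missed during Log4Shell. In a pipeline, this query runs every time an advisory feed publishes a new affected range, against the SBOM of every artifact you have deployed, not only the ones you are building today.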