As with most new processes, there are challenges. One challenge with SBOMs is the number of variables in software applications. Another is that an SBOM should both identify components and use a standard nomenclature for each identification. Communities and ecosystems will need to work collectively on the standards, processes, education, and tooling to mitigate risks to global supply chains.
Fortunately, we already have some SBOM standards and tools to implement stronger software security practices throughout supply chains. Standard SBOM formats such as Software Package Data Exchange (SPDX) and CycloneDX help companies more easily exchange the information, thus building trust and transparency in how software is created, distributed, and consumed throughout supply chains.
Last year SPDX became one of the standard formats for SBOMs as noted in ISO/IEC JTC1 5962:2021, which is an international open standard for security. SPDX already plays an important role in software security and integrity across some of the world’s largest commercial supply chains. Companies like Hitachi, Samsung, Microsoft, Intel, Cisco, Siemens, Google, and many more have already been producing and consuming SPDX SBOMs for years.
And yet, the SBOM market is still immature. Standards help companies exchange the information, but how to use and track that data remains a challenge. And the completeness and accuracy of SBOMs must also be addressed. The SBOM for the chocolate chips had better include the cocoa butter, or someone is going to be in trouble.
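The completeness problem above can be checked mechanically once an SBOM is in a standard format such as SPDX. The following is an added example, not code from the article or from the SPDX project: it runs a small subset of completeness checks over a constructed SPDX 2.3 JSON document that mirrors the chocolate-chip analogy (every package has the fields a consumer needs, every element a relationship names is actually declared, and the document says what it describes). The document namespace and package names are placeholders.

```python
"""Minimal completeness checks over an SPDX 2.x JSON SBOM (added example)."""
import json

# Constructed sample document; not a real project's SBOM. It deliberately
# omits a version for the chips and references an undeclared cocoa-butter
# package so the checker has something to find.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "cookie-app-sbom",
    "documentNamespace": "https://example.invalid/sbom/cookie-app",  # placeholder
    "packages": [
        {"name": "cookie-app", "SPDXID": "SPDXRef-cookie-app",
         "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION"},
        {"name": "chocolate-chips", "SPDXID": "SPDXRef-chips",
         "downloadLocation": "NOASSERTION"},  # versionInfo missing on purpose
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-cookie-app"},
        {"spdxElementId": "SPDXRef-cookie-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-chips"},
        {"spdxElementId": "SPDXRef-chips", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-cocoa-butter"},  # never declared
    ],
})

# Fields a downstream consumer needs to identify a component. versionInfo is
# optional in the SPDX spec; requiring it here is this checker's own policy.
REQUIRED_PACKAGE_FIELDS = ("name", "SPDXID", "downloadLocation", "versionInfo")


def check_sbom(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    doc = json.loads(raw)
    findings = []
    packages = doc.get("packages", [])
    declared = {"SPDXRef-DOCUMENT"} | {p.get("SPDXID") for p in packages}
    for pkg in packages:
        ident = pkg.get("SPDXID", "<no SPDXID>")
        for field in REQUIRED_PACKAGE_FIELDS:
            if not pkg.get(field):
                findings.append(f"{ident}: missing {field}")
    described = False
    for rel in doc.get("relationships", []):
        if (rel.get("relationshipType") == "DESCRIBES"
                and rel.get("spdxElementId") == "SPDXRef-DOCUMENT"):
            described = True
        for key in ("spdxElementId", "relatedSpdxElement"):  # both ends must exist
            if rel.get(key) not in declared:
                findings.append(f"relationship references undeclared element {rel.get(key)}")
    if not described:
        findings.append("document has no DESCRIBES relationship")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

A real deployment would run the full SPDX validator rather than this subset, but the same idea applies: an SBOM is only useful if the components it names are all present and unambiguously identified.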