Software supply chain security is top of mind for IT leaders in 2023. A primary approach organizations of all sizes need to embrace is the use of a Software Bill of Materials (SBOM).

An SBOM is much like the list of ingredients on a food package: it enumerates all of the constituent components of a particular software application and where each one came from. To help advance the overall state of SBOMs, IBM yesterday contributed a pair of open source projects to the OWASP Foundation (Open Worldwide Application Security Project) and its CycloneDX SBOM standard. The projects IBM is contributing are the SBOM Utility, which helps organizations validate and manage SBOM data, and the License Scanner, which identifies license and legal terms in software.

"These tools were designed with IBM’s near-term requirements for SBOMs in mind, with respect to license information and data maturity so that we could evaluate open source, product and partner code," Jamie Thomas, General Manager, Systems Strategy and Development at IBM, told SDxCentral.

Why IBM is Contributing to OWASP's SBOM Efforts

IBM said it decided to contribute the projects to OWASP to enable more collaboration.

"While both projects originated within IBM, we recognized the benefit of placing them under open governance in the OWASP foundation so that a broader set of developers can collaborate and improve their capabilities over time," Thomas said.

Looking at the two projects that IBM is contributing, Thomas said that the License Scanner represents many years of experience within IBM of assessing and clearing open source software.

"It’s based upon what we found in terms of license variants and aliases, legal language and claims that could produce mature output, ready-made for inclusion in a Bill of Materials," Thomas said.

Regarding the SBOM utility, Thomas said that IBM found no existing tools that could validate an SBOM against basic IBM standards. She noted that IBM is not alone in its search for open solutions and as such wanted to create a tool in a way that it could be shared and configured by any organization.

"We also hope this can help drive the creation of SBOM variants and use-cases in domains such as Operations, Machine Learning and Quantum Cryptography -- technologies that IBM is invested in and seeks to develop in open communities with security in mind," she said.

The SBOM Utility and License Scanner are already incorporated in IBM products, such as Code Risk Analyzer and the internal CI/CD pipelines used by various product teams. Thomas said they are specifically integrated into customized versions of the security and compliance pipelines offered as part of the IBM Cloud Continuous Delivery Service, which in turn are made available as part of virtual cloud offerings for IBM customers.

The Challenges of SBOMs (Software Bill of Materials)

According to Thomas, the most significant challenge of SBOMs is using them as intended.

She said that they should initially be used to evaluate the security of an organization's own software supply chain, prior to broadly distributing them to others.

"SBOMs are also meant to be used continuously as part of connected product development and delivery systems," Thomas said. "Today, many organizations treat SBOMs as static artifacts that are created and set aside."

Thomas emphasized that SBOMs are designed to be a living record supported by automated tooling that can provide real-time assessments of compliance against policies, together with historical analysis. Overall, she said, SBOM awareness and education are lacking: some organizations view SBOMs as simple manifests and don't believe they cover their security compliance needs, which is not really the case.
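The two ideas above, validating an SBOM against an organization's basic standards and evaluating it continuously against policy, can be shown on a small CycloneDX JSON document. The following is an added example written for this article; it is not the OWASP SBOM Utility or License Scanner code and does not reproduce IBM's rules. It assumes an illustrative policy (every component must carry a name, version and package URL, and every license must be on a hypothetical allow-list `ALLOWED_LICENSES`); the sample SBOM is constructed inline and the field names used (`bomFormat`, `specVersion`, `components`, `purl`, `licenses`) are those of the CycloneDX JSON format.

```python
"""Minimal CycloneDX SBOM policy check (illustrative, not the OWASP SBOM Utility)."""
import json

# Constructed CycloneDX 1.4 JSON document used as sample input; not a real product SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "somelib", "version": "2.0.0",
         "purl": "pkg:npm/somelib@2.0.0"},  # no license information at all
        {"type": "library", "name": "mystery",  # no version, no purl
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Hypothetical organization policy: SPDX license ids that are acceptable. Assumed for
# this example; a real policy would come from the organization's legal/compliance team.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Fields every component must populate under the assumed policy.
REQUIRED_FIELDS = ("name", "version", "purl")


def load_sbom(text):
    """Parse JSON and confirm it at least claims to be a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX JSON document")
    return doc


def component_licenses(component):
    """Collect license identifiers from a CycloneDX 'licenses' array.

    Each entry is either {"license": {"id": ...}} / {"license": {"name": ...}}
    or {"expression": "..."}; unknown shapes are ignored rather than trusted.
    """
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name") or entry.get("expression")
        if ident:
            ids.append(ident)
    return ids


def check_component(component, allowed):
    """Return a list of human-readable policy findings for one component."""
    findings = []
    label = component.get("name", "<unnamed>")
    for field in REQUIRED_FIELDS:
        if not component.get(field):
            findings.append(f"{label}: missing required field '{field}'")
    licenses = component_licenses(component)
    if not licenses:
        findings.append(f"{label}: no license information")
    for lic in licenses:
        if lic not in allowed:
            findings.append(f"{label}: license '{lic}' not in allow-list")
    return findings


def evaluate_sbom(text, allowed=ALLOWED_LICENSES):
    """Evaluate every component of an SBOM against the policy; empty list means compliant.

    Re-running this whenever the SBOM or the allow-list changes is what turns the
    SBOM from a static artifact into a continuously assessed record.
    """
    doc = load_sbom(text)
    findings = []
    for component in doc.get("components", []):
        findings.extend(check_component(component, allowed))
    return findings


if __name__ == "__main__":
    for finding in evaluate_sbom(SAMPLE_SBOM):
        print(finding)
```

Running the script reports that `somelib` carries no license data and that `mystery` lacks a version and package URL and uses a license outside the allow-list, while `left-pad` passes. The same `evaluate_sbom` call can be wired into a pipeline step and re-run on every build or policy change, which is the "living record" usage described above rather than a one-time manifest.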

"SBOMs are designed to be a trusted, central point for organizing information about how anything is made with security and compliance in mind," Thomas said. "Using SBOMs in this manner provides a way to begin role-based security and compliance assessments, helping increase consumer confidence in software, hardware and data."