Download to read offline
More Related Content
Similar to Software Bill of Materials (SBOM): what you as a developer need to know by Kristaps Felzenbergs
Software Bill of Materials (SBOM): what you as a developer need to know by Kristaps Felzenbergs
- 1. “Software Bill ofMaterials (SBOM): what you as a developer need to know.” Software Bills of Materials (SBOMs) have become critical in modern development. Let's see what it is and why it is so important for your software supply chain protection. by Kristaps Felzenbergs
- 2.
- 3. ROUTEDin Cybersecurity services Cybersecuritygovernance elected by 1st of October 2025 NIS2 implementation and report Risk evaluation, security audit Data security improvements Employee training
- 4. What is anSBOM? Definition An SBOM is a formal, machine-readable inventory of software components and dependencies used in building an application. Think of it as a detailed "ingredients list" for your software. Key Components Component names and versions Licensing information Dependency relationships Component origins
- 5.
- 6. Why SBOMs Matter SecurityEnhancement Quickly identify affected components when new vulnerabilities emerge. Reduce response time from days to hours. Risk Visibility Gain complete visibility into your software supply chain. Prevent blind spots that could harbor security issues. Compliance Meet regulatory requirements like the EU Cyber Resilience Act. Avoid potential fines and market restrictions.
- 7. Dependency Tracking 1 Identify Catalog alldirect and transitive dependencies in your projects. Third-party libraries Frameworks Runtime components 2 Analyze Review dependency health and security status. Known vulnerabilities License compatibility 3 Monitor Set up continuous scanning for new security issues. Automated alerts Remediation plans
- 8. Compliance Requirements EU CyberResilience Act New legislation requiring manufacturers to: Document software components Maintain transparency about security practices Report vulnerabilities promptly Provide security updates for product lifecycle Some of the details of the CRA’s SBOM requirements are still being worked out through a standards drafting process with CEN/CENELEC (the European Committee for Electrotechnical Standardization) But, at this stage, we know that SBOMs will not need to be publicly shared nor include all dependencies.
- 9. SBOM Formats SPDX Linux Foundation'sstandard for communicating SBOM information. ISO/IEC 5962:2021 standard Focuses on license compliance Multiple file formats (JSON, YAML, RDF) CycloneDX OWASP Foundation's lightweight SBOM standard. Security-focused approach Supports vulnerability tracking Widely used in DevSecOps pipelines
- 10. Automation in CI/CDPipeline Code Commit Developer pushes changes to repository SBOM Generation Automated tools scan dependencies and create SBOM Dependency-Track by OWASP Syft by Anchore CycloneDX tools Trivy by Aquasecurity https://sbom.sh/ by Codenotary Security Validation SBOM analyzed for vulnerabilities and policy violations Distribution SBOM packaged with software delivery or made available separately
- 11. Your Next Steps 1Inventory Your Dependencies Start with one project. Map all components. Identify security and licensing issues. 2 Choose SBOM Tools Select tools that integrate with your existing workflow. Consider both format and automation needs. 3 Implement in CI/CD Automate SBOM creation and validation. Fail builds with critical vulnerabilities. 4 Establish Response Process Create clear procedures for when new vulnerabilities affect your components.
- 13.