All Research
Advisory Note
I like this
I don't like this

SBOM as a Core Element of Cyber Resilience

Martin Kuppinger
Alejandro Leal
This advisory note delves into the critical intersection of Software Bill of Materials (SBOM) and cyber resilience, exploring the role of SBOM in fortifying digital landscapes against evolving cyber threats. With a focus on recent incidents, regulatory developments, and the intricate web of software supply chains, the report highlights the emergence of SBOM as a fundamental tool for improving cyber resilience across industries.

1 Introduction / Executive Summary

Attacks via vulnerabilities in commonly used standard libraries such as Log4j have posed major security challenges in recent years. The Software Bill of Materials (SBOM) concept, which is already mandatory in the US and will also come with the EU CRA, is designed to provide the information so that companies know what components are in what software so that they can better respond to attacks and vulnerabilities.

In recent years, there have been targeted attacks on the software supply chain, affecting vendors like SolarWinds and Kaseya. Additionally, identified vulnerabilities in widely used open-source libraries, such as Heartbleed in OpenSSL in 2014 and Log4j in 2021, have impacted numerous systems. These incidents occurred both through the distribution of infected software and the exploitation of vulnerabilities affecting many systems. In May 2021, the USA introduced the obligation to provide an SBOM through the "Executive Order on Improving the Nation’s Cybersecurity." The EU is in the process of approving the draft CRA, which also includes provisions for SBOM. In Germany, the Federal Office for Information Security (BSI) published Technical Guideline TR-03183 Part 2 in August 2023, focusing on Cyber Resilience requirements and specifically SBOM. The first part, covering general requirements, is expected to be released by the end of 2023. This highlights the concrete need for action for all companies producing and distributing software as a standalone product or as part of products such as electronic devices or machinery. Simultaneously, the SBOM concept offers every company the opportunity to better understand and manage their attack surface, allowing for quicker and more effective responses to threats.

Full article is available for registered users with free trial access or paid subscription.
Log in
Register and read on!
Create an account and buy Professional package, to access this and 600+ other in-depth and up-to-date insights
Register your account to start 30 days of free trial access
Register
Get premium access
Choose a package

Stay up to date

Subscribe for a newsletter to receive updates on newest events, insights and research.
I have read and agree to the Privacy Policy
I have read and agree to the Terms of Use