There’s a big movement afoot to move to an SBOM-oriented world. If you’re new to this acronym, an SBOM is a “Software Bill of Materials.” The idea is that any piece of software, or service, should come with the equivalent of an ingredients label, itemizing the component pieces of software included in the manufacture of the product. That way, any vulnerability in a component that you don’t fix becomes visible to your customers. It sounds simple, right? Just write down the software you used in assembling your system!
“Just” is the most dangerous word in cybersecurity. In any complex system, there is an impulse to use a much simpler model to describe the system. Sometimes, this can be helpful because it makes the system easier to think about. Unfortunately, solutions that apply in simple systems are not usually as easy to apply to—and certainly rarely as effective in—more complex systems.