Research area: Analysis
Venue: International Symposium on Business Modeling and Software Design
Vulnerabilities in third-party and open-source components pose significant risks to numerous systems, as evidenced by recent incidents like the XZ backdoor. A Software Bill of Materials (SBOM) serves as a vital tool for identifying and isolating such vulnerabilities, and in some cases it is a legally mandated requirement to enhance supply-chain security within the digital ecosystem (e.g., Executive Order 14028). Despite its significant benefits, there are limitations in generating, using, and interpreting SBOMs effectively. In this paper, we aim to take an objective look at state-of-the-art cybersecurity tools, particularly examining their contributions to, or the challenges they face from, a practical SBOM perspective. The insights we present help improve existing tools and their usage in DevSecOps and compliance scenarios to maximize the effectiveness of SBOM standardization and requirements.
| Field | Value |
|---|---|
| Publication year | 2024 |
| Citations | 0 |
| Country of publication | Finland |
| Site | Springer |
| Likes | 0 |