Software Bill of Materials: Knowing What Is in Your Software Supply Chain
Marcus T.
Why SBOMs Matter
A Software Bill of Materials (SBOM) is an inventory of every component in a software product, including open-source libraries, third-party modules, and their versions. When a vulnerability like Log4Shell is discovered, organizations with SBOMs can immediately determine whether they are affected. Without an SBOM, teams spend days or weeks manually investigating whether a vulnerable component exists somewhere in their environment.
Creating an SBOM
Automated tools can generate SBOMs from build systems, package managers, and container images. Common formats include SPDX and CycloneDX. Integrate SBOM generation into your CI/CD pipeline so that every build automatically produces an updated inventory. Track not just direct dependencies but transitive ones: a vulnerable library four levels deep in the dependency tree is just as dangerous as a direct dependency.
Using SBOMs for Security
Cross-reference your SBOM against vulnerability databases like NVD and OSV to identify known vulnerabilities in your components. Automate this process so that new vulnerability disclosures trigger immediate checks against your inventory. Establish policies for vulnerability remediation timelines based on severity. Monitor for components that have reached end-of-life and no longer receive security updates.
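To make the two previous sections concrete, here is an added example (not code from this article or from any vendor tool) that walks a CycloneDX-style SBOM's dependency graph, records how deep each component sits, and cross-references every component against an OSV-style advisory list using OSV's half-open [introduced, fixed) range. The SBOM, package names and advisory IDs are all constructed for the example, and the version comparator assumes dotted numeric versions only.

```python
import json
from collections import deque
# Constructed CycloneDX-style SBOM (hypothetical app and packages, not a real inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app@2.0.0", "name": "app", "version": "2.0.0"}},
  "components": [
    {"bom-ref": "web-fw@3.1.0",     "name": "web-fw",     "version": "3.1.0"},
    {"bom-ref": "log-lib@2.14.1",   "name": "log-lib",    "version": "2.14.1"},
    {"bom-ref": "json-parse@1.1.0", "name": "json-parse", "version": "1.1.0"},
    {"bom-ref": "tls-util@0.9.0",   "name": "tls-util",   "version": "0.9.0"}],
  "dependencies": [
    {"ref": "app@2.0.0",      "dependsOn": ["web-fw@3.1.0", "tls-util@0.9.0"]},
    {"ref": "web-fw@3.1.0",   "dependsOn": ["log-lib@2.14.1"]},
    {"ref": "log-lib@2.14.1", "dependsOn": ["json-parse@1.1.0"]}]
}"""

# Constructed advisories in a simplified OSV-like shape (hypothetical IDs, not real CVEs).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "json-parse", "introduced": "1.0.0", "fixed": "1.2.0", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "tls-util", "introduced": "0.5.0", "fixed": "0.9.0", "severity": "CRITICAL"},
]
def affected(version, introduced, fixed):
    # OSV semantics: vulnerable range is [introduced, fixed), so the fixed version itself is clean.
    key = lambda v: tuple(int(p) for p in v.split("."))  # dotted numeric versions only (assumption)
    return key(introduced) <= key(version) < key(fixed)
def dependency_depths(sbom):
    # BFS over the CycloneDX dependency graph: depth 1 = direct, deeper = transitive.
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:  # first visit is the shortest path; also tolerates cycles
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths
def find_vulnerable(sbom_json, advisories):
    # Cross-reference every component, direct or transitive, against the advisory list.
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom)
    findings = []
    for c in sbom["components"]:
        for adv in advisories:
            if adv["package"] == c["name"] and affected(c["version"], adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "component": f'{c["name"]}@{c["version"]}',
                                 "severity": adv["severity"], "depth": depths.get(c["bom-ref"])})
    return findings
```

Running find_vulnerable(SBOM_JSON, ADVISORIES) flags only json-parse@1.1.0 at depth 3; tls-util@0.9.0 is not flagged because 0.9.0 is the fixed version, which is exactly the boundary case a naive "version <= fixed" check gets wrong.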
SBOMs and True Protection
True Protection generates SBOMs for installed applications and continuously monitors them against our threat intelligence feed. When a new vulnerability is discovered in a widely used library, True Protection can immediately identify every endpoint in your organization running software that includes the affected component, enabling rapid, prioritized patching.