What is an SBOM and Why is it Critical to Third-Party Risk Management?

June 5, 2025 | 3 min read

George Aquila

Product Marketing Manager


Best practices and technologies for Third-Party Cyber Risk Management (TPRM) are constantly evolving

Intro to SBOMs

A decade ago, the primary focus of TPRM was distributing and managing security questionnaires, usually by hand, and relying on vendors to self-report on their security practices. Today the baseline for an effective program has grown to include continuous monitoring and automated capabilities such as alerting when a new CVE affects a third party's technology stack.

As companies become more aware of the cyber risk that supply chain attacks can pose, and as more investment goes into defending against them, organizations across industries and regions are looking to broaden and strengthen their ability to identify and manage vendor cyber risk. As part of this growth, Software Bill of Materials (SBOM) analysis and triage capabilities are becoming an important part of the TPRM toolkit.

A Software Bill of Materials is a nested inventory of the components that make up a piece of software: a list of ingredients. It lets a reviewer identify immediately which libraries and other components a given application depends on, including the transitive dependencies those components pull in, and from there determine which known vulnerabilities in those components might affect the application or service and open a vector for attack.

The growing focus on SBOMs is timely. According to the Open Source Security and Risk Analysis (OSSRA) report by Synopsys, more than 85% of the codebases examined contained at least one vulnerable open-source component. Regulators across the world and in specific sectors are leading the way on, and incentivizing, SBOM analysis, as are the recommendations and best practices of mature enterprises and government agencies.

What are Software Bills of Materials Useful for in TPRM?

SBOMs are machine-readable inventories of the components that make up a given piece of software. They allow third-party software and services to be analyzed quickly for risk. Used effectively, SBOMs surface vulnerable components that would otherwise go unnoticed, or take a long time to detect, because the dependency sits several layers below the product the vendor actually ships.

SBOMs can grant: 

  • Transparency into outdated, vulnerable or unauthorized components in third-party software 
  • Vulnerability management, by mapping known CVEs to the listed components to assess rapidly whether a vulnerability (like Log4Shell in Log4j) affects a third party's software 
  • Vendor risk assessment advantages, since the inventory reveals how current and well-maintained a vendor's dependencies are and so gives insight into its development practices 
  • Incident response readiness, by helping to identify whether, and where, an affected component is used in vendor-supplied software 
  • Regulatory compliance, as many standards now require or recommend maintaining third-party SBOM inventories, such as UNECE R155 for vehicles, US Executive Order 14028, Section 524B of the FD&C Act for medical devices, the EU Cyber Resilience Act, and the EU's NIS2 and DORA  
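The CVE-to-component mapping and the "where is the affected component used" question from the bullets above come down to one routine: walk the SBOM, normalize each component's package URL (purl), compare its version against the affected range of each vulnerability record, and report the location of every hit. The following is an added example, not code from the page or from BlueVoyant or Manifest. Both SBOM documents and the vulnerability record shape are constructed for the example; only the Log4Shell version range is real. It goes slightly beyond the text by accepting both formats named later on the page, CycloneDX (whose components can nest) and SPDX (a flat package list with the purl in externalRefs). The version comparison is a deliberate simplification that drops pre-release suffixes; production matching must use each ecosystem's own version rules.

```python
"""Match a CycloneDX or SPDX JSON SBOM against known-vulnerable components.

Added example (not a vendor platform's code). Sample SBOMs and the
vulnerability record format are constructed; the Log4Shell range is public.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM: a vendor application bundling two libraries
# (nested "components"), plus a top-level, already patched log4j-core.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "vendor-portal", "version": "3.2.0",
         "purl": "pkg:generic/vendor-portal@3.2.0",
         "components": [
             {"type": "library", "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
             {"type": "library", "name": "jackson-databind", "version": "2.15.2",
              "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"}]},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]})

# Constructed SPDX 2.3 SBOM: flat package list, purl carried in externalRefs.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "vendor-agent",
    "packages": [
        {"name": "log4j-core", "versionInfo": "2.12.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1"}]}]})

# Vulnerability records keyed by version-less purl. The record shape is an
# assumption for this example; real feeds (OSV, NVD) carry richer range data.
# Log4Shell affected log4j-core from 2.0-beta9 until the fix in 2.15.0.
VULNS = [{"id": "CVE-2021-44228",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "introduced": "2.0", "fixed": "2.15.0"}]


def parse_version(version):
    """Numeric-dotted version key; pre-release suffixes are dropped (simplification)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def split_purl(purl):
    """Return (purl without version, qualifiers and subpath, version or None)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:  # a literal '@' only ever separates the version in a purl
        base, _, version = base.rpartition("@")
        return base, version
    return base, None


def iter_components(doc):
    """Yield (purl, version, path) for every component in either SBOM format.
    CycloneDX components may nest, so the path records the enclosing names."""
    if doc.get("bomFormat") == "CycloneDX":
        def walk(components, path):
            for comp in components:
                here = path + [comp.get("name", "?")]
                if comp.get("purl"):
                    yield comp["purl"], comp.get("version"), here
                yield from walk(comp.get("components", []), here)
        yield from walk(doc.get("components", []), [])
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    yield ref["referenceLocator"], pkg.get("versionInfo"), [pkg.get("name", "?")]
    else:
        raise ValueError("unrecognised SBOM format")


def find_affected(sbom_json, vulns):
    """Return one finding per (vulnerability, affected component occurrence)."""
    by_purl = {}
    for vuln in vulns:
        by_purl.setdefault(vuln["purl"], []).append(vuln)
    findings = []
    for purl, version, path in iter_components(json.loads(sbom_json)):
        base, purl_version = split_purl(purl)
        version = purl_version or version
        for vuln in by_purl.get(base, []):
            if version is None:
                continue  # unversioned entry: cannot judge, flag for manual review in practice
            key = parse_version(version)
            if parse_version(vuln["introduced"]) <= key < parse_version(vuln["fixed"]):
                findings.append({"id": vuln["id"], "purl": base, "version": version,
                                 "path": " > ".join(path)})
    return findings


if __name__ == "__main__":
    for doc in (CYCLONEDX_SBOM, SPDX_SBOM):
        for f in find_affected(doc, VULNS):
            print(f"{f['id']}: {f['purl']}@{f['version']} via {f['path']}")
```

Run against the sample CycloneDX document, it reports the bundled log4j-core 2.14.1 under vendor-portal and stays silent on the patched 2.17.1 copy; against the SPDX document it reports log4j-core 2.12.1. The path is the part that matters for incident response: knowing that the vulnerable copy is the one nested inside a specific vendor application is what turns a CVE alert into a concrete question for that vendor.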

These inventories add depth of understanding and oversight to third-party procurement, collaboration, and dependency management. At a time when vigilance towards third parties is needed more than ever, any modern TPRM solution should include this depth of vision and analysis.

Supply Chain Defense Now Includes SBOM

BlueVoyant has recently partnered with SBOM industry leader Manifest to enhance the capabilities of its TPRM platform, Supply Chain Defense. Supply Chain Defense, a highly configurable and comprehensive platform for measurably reducing cyber risk, now includes a leading SBOM analysis capability. 

Users of SCD can now manage the review of critical vendor software packages and components directly in the BlueVoyant platform. 

Like the questionnaires mentioned earlier, SBOM review has traditionally been a manual process. Combining SBOM analysis with continuous monitoring gives you a comprehensive view of your third-party cyber risk posture in one platform. 

The platform allows users to ingest, track, continuously monitor and analyze SBOMs, supporting all versions of the CycloneDX and SPDX standards. It surfaces vulnerabilities and helps organizations prioritize fixes by automatically cross-referencing components against known vulnerabilities and their exploitability. Moving forward, a TPRM program that wants to focus on actual risk reduction will need to incorporate the visibility that SBOM analysis provides into its solution set.
