Intermediate

Security Hot Takes: SBOMs

security · hot · takes · sboms · threat · intel · networking · systems · sbom · bills · materials · concept · debate · mandate · software.

Table of Contents


Module 1: Software Bills of Materials — Concept, Mandate, and Practitioner Debate

This briefing captures a candid, debate-style discussion between two security practitioners about Software Bills of Materials (SBOMs) — what they are, why regulators are pushing them, whether the industry effort they demand is actually paying off, and what might come next in the broader “bill of materials” family of supply-chain transparency concepts.

What Is an SBOM? The Manufacturing Bill-of-Materials Analogy

The SBOM concept is modeled directly on the traditional manufacturing bill of materials (BOM). In physical manufacturing, a BOM is a structured list of every component, sub-component, and part required to build a product.

The classic analogy used to introduce the concept: consider a car. As part of that car, there is a steering wheel and an airbag. For that airbag to function correctly, there is an ignition switch as one of its components. If a defect is found in that switch — or in any other component — the manufacturer can issue a recall targeted at exactly the vehicles that contain the defective part, because the BOM tells them precisely which units include it.

Applying this idea to software raises an uncomfortable question: do organizations actually know what components exist inside their environments or inside the codebases they are developing? Modern applications are built from a deep tree of direct and transitive dependencies — libraries, frameworks, and packages that themselves depend on other packages. An SBOM is meant to be the software equivalent of the manufacturing BOM: a structured, machine-readable inventory of every component (and its version) that makes up a piece of software, so that when a vulnerability is disclosed in one of those components, an organization can determine — quickly and precisely — whether it is affected.

One of the practitioners pushed back early on the analogy itself: a physical bill of materials is “easily understood” (it’s like the list of ingredients for a cake), but software is applying that same simple mental model to something far more complex. Software dependency graphs are not a flat list of parts; they are deep, often poorly documented chains of transitive dependencies, and treating “list your components” as a simple, one-time exercise significantly understates the difficulty of doing it well — and keeping it accurate as the software changes.

flowchart TD
    A["Physical Manufacturing BOM"] --> B["Car has a steering wheel + airbag"]
    B --> C["Airbag depends on an ignition switch component"]
    C --> D["Defect found in the switch"]
    D --> E["Manufacturer recalls exactly the affected units"]

    F["Software Bill of Materials (SBOM)"] --> G["Application has direct + transitive dependencies"]
    G --> H["A dependency has a vulnerability (e.g. Log4j)"]
    H --> I["Organization queries its SBOMs"]
    I --> J["Determines precisely which systems are affected"]

    style A fill:#eef
    style F fill:#efe

The Software Supply Chain and SBOM Lifecycle

An SBOM is not a one-time artifact — it is meant to be generated, distributed, and consumed continuously across the software supply chain: from the developer writing code, through the build pipeline, to the vendor shipping a product, and finally to the customer/operator who must track and react to newly disclosed vulnerabilities in that inventory.

sequenceDiagram
    participant Dev as Developer / Build Pipeline
    participant Gen as SBOM Generator (SCA tool)
    participant Vendor as Software Vendor
    participant Cust as Customer / Operating Organization
    participant Feed as Vulnerability Feed (e.g. NVD, OSS advisories)

    Dev->>Gen: Build application with dependencies
    Gen->>Gen: Enumerate direct + transitive components
    Gen->>Vendor: Produce SBOM (CycloneDX / SPDX / SWID)
    Vendor->>Cust: Ship software + attached SBOM
    Cust->>Cust: Ingest SBOM into inventory system
    Feed-->>Cust: New CVE disclosed (e.g. Log4j)
    Cust->>Cust: Query SBOM inventory for affected component/version
    Cust->>Cust: Determine impact within minutes/hours instead of days

This is the practical promise behind the SBOM mandate: instead of waiting for a vendor notification or manually auditing systems after a mass-exploited vulnerability is disclosed, an organization with accurate, queryable SBOMs across its enterprise could, in principle, answer “are we affected?” almost immediately.

The Federal Mandate: Who Requires SBOMs and Who Must Produce Them

There is now a requirement from the US federal government that software used inside the federal space must come with an SBOM. This requirement traces back to a broader push driven in large part by massive vulnerabilities like Log4j, where organizations struggled for days or weeks to determine whether they were even affected.

Key scoping details discussed:

  • The requirement currently applies to federal agencies developing software — those agencies must produce SBOMs for software they build.
  • There is an intent to extend the requirement to procured software — i.e., commercial software purchased and used by agencies, especially where that software touches government-owned data — but this is acknowledged as a much harder thing to implement in practice, given the sheer number of applications (thousands) already in use across the federal government.
  • Historically, when the federal government sets a requirement like this, it tends to trickle down to state and local governments over time, so a broader expected trajectory is more entities eventually being subject to similar rules.
  • A practical realism check was raised: the government can more easily mandate SBOMs for software agencies build in-house than enforce the requirement against the entire universe of vendors and products purchased by an agency.
flowchart TD
    A["US Federal Government SBOM Requirement"] --> B["Applies today: Federal agencies developing their own software"]
    A --> C["Intended future scope: Procured/COTS software touching gov't data"]
    C --> D["Enforcement is much harder — thousands of apps in use"]
    B --> E["Realistically enforceable now"]
    A --> F["Historical pattern: federal mandates trickle down"]
    F --> G["State and local governments likely to follow eventually"]

A cost dimension was raised as well: mandating SBOM production isn’t free. There is a real time and resource cost — not just for the vendors/agencies producing the SBOM, but also for whoever on the receiving end has to actually do something with that data (ingest it, query it, act on it) once it is delivered. The question of who sits in the security operations center consuming this data, and how it concretely helps stop the next Log4j-style event, was raised as an open, unresolved practical concern.

Closed-Source Concerns and the Disclosure Dilemma

A significant friction point with mandatory SBOMs involves closed-source software vendors. Their objection is twofold:

  1. Intellectual property concerns — a full, itemized list of every component used inside a commercial product can reveal architectural and vendor-relationship details that a company considers proprietary.
  2. Security disclosure risk — if a vendor’s SBOM reveals that a shipped product currently includes a component known to be vulnerable, publishing that SBOM is itself effectively announcing a live vulnerability to anyone who can obtain the SBOM, before (or absent) a patch.

This creates a genuine tension between the transparency goal of SBOMs (helping downstream consumers assess risk) and the practical incentives of software vendors (protecting IP and not prematurely broadcasting exploitable weaknesses).

The Three Endorsed SBOM Standards: License, Inventory, and Vulnerability Focus

The federal SBOM automation requirement doesn’t mandate a single data format — it allows organizations to satisfy the requirement using any one of three recognized standards, each with a different original focus:

#Standard (as discussed)Original / Primary FocusRelevance to Security
1License-compliance-oriented format (SPDX lineage)Software licensing and legal complianceLimited direct security value — was not originally designed for vulnerability tracking
2Install/uninstall software identification format (SWID-style tagging)Tracking installed software across an environment (what’s installed, what version)Useful for patch management and version currency, indirectly supports vulnerability management
3CycloneDXPurpose-built for SBOM generation, vulnerability management, and software supply-chain riskMost directly aligned with actual security use cases

The practical consequence called out in the discussion: because an organization can satisfy the federal automation requirement with any one of these three standards, it is entirely possible to be fully “compliant” while using a standard whose primary design goal (e.g., license tracking) contributes little or nothing to actual vulnerability detection or supply-chain risk reduction. In other words: an organization might already be doing software inventory management or patch management with an existing tool, and that alone could satisfy the letter of the requirement — without meaningfully improving the organization’s ability to respond to something like Log4j.

mindmap
  root((NTIA-style SBOM Standards))
    License Compliance Format
      Legal/IP tracking
      Limited security value
    Install/Uninstall Identification
      Software inventory
      Patch & version management
      Indirect security benefit
    CycloneDX
      Purpose-built for security
      Vulnerability management
      Supply-chain risk focus

SBOM Format Examples: CycloneDX, SPDX, and SWID

The narration did not include literal code, but the three format families it describes correspond to well-known, publicly documented SBOM standards. Representative, illustrative examples of each are shown below for reference.

CycloneDX (JSON) — the security/vulnerability-management-focused format:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "log4j-core",
      "group": "org.apache.logging.log4j",
      "version": "2.14.1",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
      "licenses": [
        { "license": { "id": "Apache-2.0" } }
      ]
    }
  ],
  "vulnerabilities": [
    {
      "id": "CVE-2021-44228",
      "source": { "name": "NVD" },
      "ratings": [
        { "severity": "critical", "score": 10.0, "method": "CVSSv3" }
      ],
      "affects": [
        { "ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" }
      ]
    }
  ]
}

SPDX (tag-value format) — the license-compliance-lineage format:

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
DocumentName: example-application-sbom
DocumentNamespace: https://example.com/sbom/example-application

PackageName: log4j-core
SPDXID: SPDXRef-Package-log4j-core
PackageVersion: 2.14.1
PackageDownloadLocation: https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-log4j-core

SWID tag (XML) — the install/uninstall software-identification format used for tracking installed software inventory:

<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity
    xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="ExampleApp"
    tagId="com.example.exampleapp_1.2.3"
    version="1.2.3"
    versionScheme="multipartnumeric">
  <Entity name="Example Corp" regid="example.com" role="softwareCreator tagCreator"/>
  <Payload>
    <Directory name="Program Files/ExampleApp">
      <File name="exampleapp.exe" size="1048576" SHA256:hash="..."/>
    </Directory>
  </Payload>
</SoftwareIdentity>
FormatBody/OriginNative FocusVulnerability DataTypical Consumers
SPDXLinux FoundationLicense compliance, provenanceSupported via extensions, not the original core focusLegal/compliance teams, open-source auditors
SWID (ISO/IEC 19770-2)ISO/IECInstalled-software identification/inventoryNot natively vulnerability-orientedIT asset management, patch management
CycloneDXOWASPApplication security, vulnerability & supply-chain riskNative vulnerabilities object, built for this purposeAppSec/SOC teams, vulnerability management platforms

SBOMs in Incident Response: The Log4j Use Case

The most concrete argument in favor of SBOMs centers on incident response speed. The scenario discussed: when a vulnerability like Log4j is disclosed, an organization with accurate SBOMs across its enterprise could, in principle, query all of them centrally and answer “are we running a vulnerable version of this component, yes or no?” This could compress a response timeline from days or weeks (the real-world experience many organizations had with Log4j) down to potentially an hour or so.

flowchart LR
    A["New critical CVE disclosed<br/>(e.g. Log4Shell)"] --> B{"Do we have accurate,<br/>queryable SBOMs?"}
    B -- "Yes" --> C["Query enterprise-wide SBOM inventory"]
    C --> D["Identify affected systems/versions in ~1 hour"]
    B -- "No" --> E["Manually audit systems, chase vendor confirmations"]
    E --> F["Answer takes days to weeks"]

However, this benefit was directly challenged in the discussion: even without a formal SBOM program, many organizations learned they had Log4j because the vendor told them — the practical difference between vendor notification and querying an internal SBOM was questioned as potentially marginal for organizations that already have basic vendor-relationship and patch-notification processes in place.

The Core Debate: Is the Effort Worth the Outcome?

A large portion of the discussion is a direct, unresolved debate about SBOM ROI:

Skeptical position:

  • SBOMs represent “a bunch of machinery and money and time spent” for an outcome that may amount to little more than “we probably should have put a mitigation in front of Log4j after we heard it was vulnerable.”
  • Every conference and countless articles push SBOMs as a topic, but the actual measurable outcome — beyond knowing about a known vulnerability slightly earlier — is unclear.
  • For organizations that are not top-tier in security maturity, is spending scarce security effort on comprehensive SBOM programs actually the highest-value use of that effort, compared to more foundational gaps?
  • Every third-party dependency is, technically, already “third party” — CVEs are already being disclosed and tracked as third-party vulnerabilities through normal channels (NVD, vendor advisories) regardless of whether an SBOM exists. The specific incremental value of an SBOM on top of that is questioned.

Supportive position:

  • Good SBOM data, covering dependency versions and known vulnerabilities two or three levels deep, would materially help proactive threat hunting — being able to look several dependency layers down and identify vulnerable packages before a vendor discloses anything.
  • Especially with the scale of open-source adoption, where individual maintainers of small, widely-used packages are not necessarily performing comprehensive security vetting themselves, an organization that depends critically on that code has an incentive to independently verify its own exposure rather than rely entirely on upstream disclosure.
  • Security teams should still primarily focus on layered controls (network controls, endpoint controls) to prevent/mitigate issues broadly, and should lean on automation in existing tooling to generate SBOM data as a byproduct, rather than treating SBOM production as a large, manual, standalone program.

A middle-ground conclusion reached in the discussion: the value of SBOM programs is highly dependent on organizational security maturity. Top-tier organizations already doing proactive defense are well positioned to benefit from SBOM-driven threat hunting. For the majority of organizations (the discussion estimates roughly 90%) still working on foundational security controls, heavy investment in SBOM tooling and process may divert effort away from more broadly impactful work — echoing a broader pattern in security where compliance checklist activity substitutes for actually doing the underlying security work it is meant to represent.

flowchart TD
    A["Organization considers SBOM investment"] --> B{"Security maturity level?"}
    B -- "Top-tier / proactive defense" --> C["High value: enables deep threat hunting,<br/>early detection of transitive vulnerabilities"]
    B -- "Foundational / still building basics" --> D["Lower marginal value:<br/>effort may be better spent on basic controls"]
    C --> E["Worth dedicated investment"]
    D --> F["Prefer automated, low-effort SBOM generation<br/>as a byproduct of existing tools"]

Automation and Native Dependency Tracking

A key qualifier raised throughout: much of the practical burden of SBOM production can be automated rather than performed as a manual, standalone compliance exercise. As an example, modern developer platforms like GitHub already natively build dependency-chain information as part of normal development workflow — when a project pulls in third-party libraries, the platform automatically constructs the dependency graph. This kind of native, automated capture is far more sustainable than expecting engineering teams to manually document and maintain an SBOM by hand.

The federal automation requirement itself has three components, per the discussion:

  1. Basic data — the actual component/dependency inventory content.
  2. Automation requirement — the expectation that SBOM generation is automated as part of the software delivery pipeline, not a manual one-off document.
  3. Follow-on actions — an acknowledged “changing process” component, with the hope that requirements will mature and improve over time (tempered by the observation that compliance/paperwork requirements in general tend to become more complex over time rather than more effective).

Beyond SBOMs: The Expanding Family of “Bills of Materials”

Once the SBOM concept is established, the discussion turns to how the same “bill of materials” naming pattern is being extended to other domains, largely because supply-chain risk is not limited to software dependencies alone:

AcronymFull NameScope
SBOMSoftware Bill of MaterialsSoftware components/dependencies and their versions
HBOMHardware Bill of MaterialsPhysical hardware components used to build a device/system
FBOMFirmware Bill of MaterialsFirmware components embedded in hardware
SaaS-BOMSoftware as a Service Bill of MaterialsComponents and dependencies underlying a SaaS product/service
BBOM (proposed)Behavioral Bill of MaterialsExpected runtime behavior of a piece of software (see below)

The observation offered here: for a top-tier organization with genuinely mission-critical systems, an SBOM covering software components alone may not be the “final step” of supply-chain risk management — it may need to be paired with hardware- and firmware-level visibility (HBOM/FBOM) and service-level visibility (SaaS-BOM) to get a complete picture.

mindmap
  root((Bill-of-Materials Family))
    SBOM
      Software components
      Dependency versions
    HBOM
      Physical hardware components
    FBOM
      Embedded firmware
    SaaS-BOM
      Third-party SaaS dependencies
    BBOM proposed
      Expected runtime behavior
      Network egress
      Process spawning
      Resource usage

The BBOM Concept: Behavioral Bills of Materials

The most novel idea raised in the discussion is a proposed Behavioral Bill of Materials (BBOM) — rather than (or in addition to) listing what components exist in a piece of software, a BBOM would describe how the software is expected to behave at runtime. Proposed elements of a BBOM include:

  • What network ports and destination domains the software is expected to reach out to.
  • Whether the software needs internet access at all.
  • What child processes the software is expected to (or should never) spawn.
  • Expected CPU/resource utilization baselines.
  • Whether the software needs to communicate with other internal systems, and which ones.

The motivating example used is the SolarWinds supply-chain compromise: if defenders had a behavioral baseline stating that the SolarWinds server should never communicate with an unexpected external domain (the actual incident involved compromised software beaconing to attacker-controlled infrastructure), that unauthorized communication could have been detected — or outright blocked by an allow-list — regardless of whether the underlying vulnerability/backdoor had been publicly disclosed yet. Under this model, a compromise doesn’t need to be prevented to be rendered harmless; it just needs to be unable to communicate outside its declared behavioral profile.

flowchart TD
    A["Software vendor ships BBOM<br/>(expected behavior baseline)"] --> B["Organization builds allow-list from BBOM"]
    B --> C["Software runs, attempts unexpected outbound connection"]
    C --> D{"Does behavior match declared BBOM?"}
    D -- "Yes" --> E["Allowed to proceed"]
    D -- "No — e.g. beacon to unknown domain" --> F["Blocked and/or alarm raised"]
    F --> G["Exploitation impact contained,<br/>regardless of underlying vulnerability"]

The underlying argument for BBOM over (or alongside) SBOM: it shifts security posture away from hyperfocusing on the presence of a known-vulnerable component (a reactive, patch-chasing model) and toward detecting or blocking anomalous behavior directly (a proactive, containment-first model) — which is argued to generalize better across attack types (not just third-party dependency compromise, but process injection and other techniques that manifest as “the software is doing something it shouldn’t”).

Compliance Theater vs. Genuine Security Value

A recurring thread throughout the discussion is the tension between two words used deliberately: required and helpful — and the observation that not everything that is required is actually helpful. Specific risk points raised:

  • An organization can satisfy the federal automation requirement by using any of the three endorsed standards, including one (the license-compliance-oriented format) that contributes little direct security value — meaning “compliant” and “secure” are not the same thing.
  • Existing software inventory or patch management tooling may already satisfy the letter of the SBOM requirement without providing meaningfully better security outcomes.
  • Compliance activity in general has a tendency to consume disproportionate effort (building checklists, generating paperwork) relative to the security value it produces, diverting resources that could otherwise go toward implementing actual controls.
  • The practical recommendation offered: whatever “bill of materials” concept an organization adopts, every component of the effort should be evaluated against whether it actually contributes to the ultimate goal of securing the organization — not adopted simply because it satisfies a compliance checkbox.
flowchart TD
    A["New 'bill of materials' requirement appears"] --> B{"Does fulfilling it produce<br/>actionable security data?"}
    B -- "Yes" --> C["Invest effort — genuine risk reduction"]
    B -- "No / unclear" --> D{"Is it purely a compliance checkbox?"}
    D -- "Yes" --> E["Minimize effort — automate to satisfy requirement only"]
    D -- "No" --> F["Reassess scope — refine to focus on high-value data"]

Summary

Key takeaways:

  • SBOMs are modeled on the manufacturing bill-of-materials concept: a structured inventory of the components that make up a product, intended to let organizations quickly determine impact when a component-level vulnerability is disclosed.
  • A federal mandate currently requires US federal agencies to produce SBOMs for software they develop, with an aspiration (not yet fully realized) to extend this to procured/commercial software touching government data. Historical pattern suggests state/local requirements may follow over time.
  • Closed-source vendors face a genuine tension between transparency (helping customers assess risk) and both intellectual-property protection and premature vulnerability disclosure.
  • The federal automation requirement can be satisfied via any of three standards with very different security relevance: a license-compliance-oriented format (SPDX lineage), an install/uninstall inventory format (SWID-style), and the security/vulnerability-focused CycloneDX standard — meaning “compliant” does not guarantee “secure.”
  • The strongest argument for SBOMs is faster, more precise incident response (e.g., rapidly determining exposure to a Log4j-style event) and enabling proactive, multi-level dependency threat hunting for mature security teams.
  • The strongest argument against heavy SBOM investment is opportunity cost: for organizations without foundational security maturity, the effort required to build and maintain accurate SBOMs may outweigh the marginal security benefit compared to investing in broader controls.
  • Automation (e.g., native dependency-graph generation in developer platforms) is the recommended path to keeping SBOM production sustainable rather than a manual burden.
  • The “bill of materials” naming convention is expanding beyond software: HBOM (hardware), FBOM (firmware), and SaaS-BOM (service dependencies) all describe the same transparency goal applied to different layers of the supply chain.
  • A proposed Behavioral Bill of Materials (BBOM) — documenting expected runtime behavior (network destinations, process spawning, resource usage) — was raised as a potentially more effective, proactive complement (or alternative) to component-inventory-only approaches, illustrated by how a network-egress allow-list derived from a BBOM could have contained the SolarWinds compromise regardless of the underlying vulnerability.
  • The overarching caution: any bill-of-materials program (software, hardware, firmware, service, or behavioral) should be evaluated on whether it demonstrably contributes to securing the organization — not adopted purely to check a compliance box.

Practical adoption checklist:

  • Determine whether your organization is subject to (or likely to become subject to) SBOM requirements — federal contractor status, government data handling, or industry-specific regulation.
  • Choose an SBOM format aligned with your actual goal: use CycloneDX if the priority is vulnerability management and supply-chain security; use SPDX if license/legal compliance is the primary driver; use SWID-style tagging if the priority is installed-software inventory/patch tracking.
  • Automate SBOM generation as part of your CI/CD pipeline and dependency management tooling rather than producing it manually.
  • Leverage native platform capabilities (e.g., dependency graph features in your source control/package management platform) before investing in additional standalone SBOM tooling.
  • Establish a process to query your SBOM inventory rapidly when a new critical vulnerability (e.g., a future Log4j-scale event) is disclosed, and measure how much it actually reduces response time.
  • Assess your organization’s security maturity honestly before over-investing in deep SBOM-driven threat hunting — prioritize foundational controls (patching, network segmentation, endpoint detection) if those gaps still exist.
  • For mission-critical systems, evaluate whether hardware (HBOM), firmware (FBOM), or SaaS dependency (SaaS-BOM) visibility is also needed, not just software components.
  • Consider documenting expected runtime behavior (network destinations, process spawning, resource baselines) for critical applications as a behavioral baseline, and use it to build network/process allow-lists independent of known-vulnerability status.
  • Periodically audit whether your SBOM/compliance program is producing actionable security outcomes, or has become a checklist exercise disconnected from actual risk reduction.

Search Terms

security · hot · takes · sboms · threat · intel · networking · systems · sbom · bills · materials · concept · debate · mandate · software

More Security Hot Takes & Threat Intel courses

View all 21

Hot Takes: Inside a Microsoft Ransomware Attack

The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoin...

Intermediate

IT Security Champion: Cyber Threat Intel and Emerging Threats

Security is everyone's job — not solely the responsibility of the security department. Adopting a security culture and a security mindset is the foundation of being an effective IT securi...

Intermediate

Security Hot Takes: The LastPass Breach

The LastPass breach is actually two distinct but connected security incidents, separated by several months, with confusing and inconsistent public communication from the company throughou...

Intermediate

Sandworm: Application Layer Protocol and Web Emulation

Command and control is the connective tissue of nearly every intrusion that progresses beyond initial access — without it, an attacker cannot issue commands, move laterally, or exfiltrate...

Advanced

Security Hot Takes: The Aliquippa Water Breach

The Aliquippa Water Authority breach is a case study in how a basic, avoidable systems-integration failure — not a sophisticated exploit — can expose critical infrastructure to compromise...

Intermediate

Security Hot Takes: Are You Pen Testing AI Apps?

AI applications are not "just another web app," and treating them that way leaves organizations blind to an entire class of risk. Historical precedent — such as attackers reverse engineer...

Intermediate

Interested in this course?

Contact us to book it or get a custom training plan for your team.