SBOMs (as well as HBOMs and CBOMs) as Cybersecurity Facilitators


Forbes, 29-04-2025

Software Bills of Materials (SBOMs) are crucial cybersecurity tools because they assist companies in locating, evaluating, and reducing software risks. They allow software updates and vulnerabilities to be tracked over the course of a product's lifecycle.
Modern software is created using code fragments and methods from various sources, including open source and commercial solutions. The software components and dependencies of an application are detailed in a tool known as a Software Bill of Materials (SBOM) (NTIA, 2021). An SBOM is essential for managing and understanding the complexities of contemporary software supply chains and can be compared to an ingredient list on a food product label. A software package and its contents are uniquely identified by an SBOM, which is formal, machine-readable metadata that may also contain information on the software package's contents, such as copyrights and license information.
The increasing complexity of modern software and its exposure to programming errors and attacks give rise to serious security dangers and compatibility issues. Additionally, cyberthreats continually evolve, grow more complicated, and multiply, driven by the use of artificial intelligence and the rapid acceleration of development velocity. It becomes more difficult to identify and address security vulnerabilities when we must look not only at our own codebase but also at the 70–80% of it that is open-source software we depend on, as well as third-party software components from other vendors. A few tools, however, can assist with this protection work.
Recent high-profile events highlight the need for SBOMs in cybersecurity. A programming flaw in the CrowdStrike software, for instance, affected more than 8.5 million Windows computers globally, resulting in billions of dollars' worth of losses. Around the beginning of 2024, the widely used Linux data compression program XZ Utils was found to contain a backdoor planted as part of a sophisticated state-actor attack. In 2021, 93% of cloud environments were vulnerable to the zero-day Log4Shell vulnerability. In the SUNBURST attack, which FireEye discovered in December 2020, malicious code was embedded into SolarWinds' Orion software.
According to Allan Friedman, CISA Senior Advisor and Strategist, 'A thriving ecosystem for SBOM tools and solutions will be key to shaping a more transparent software-driven world.' He notes that 'Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently.'
The government-wide push to integrate cybersecurity into products supplied to the government and transfer responsibility for cybersecurity from agencies to vendors and integrators is reflected in this emphasis on SBOMs.
By February 2025, almost all new software that the Army purchases or develops will need to have an SBOM. In order to obtain assurances regarding supply-chain security, the Army opted for an SBOM approach rather than self-attestations. This is because SBOMs offer essential information regarding the risks that systems may pose to a network and can assist in organizing an organization to minimize those risks as much as possible.
SBOMs play a significant role in cybersecurity and align with 'Zero-Trust' policies in both the private and public sectors. Dmitry Raidman, Chief Technology Officer and Co-founder of Cybeats, states, 'One significant advantage of a verified SBOM is its application in cybersecurity and risk mitigation for the downstream customers, for example, a power distribution plant, hospital, or water treatment facility. Industry studies indicate that the average codebase contains 70-80%, and in some cases over 90% open-source software components, many of which have at least one vulnerability, and some of them are highly exploitable, like Log4j. Therefore, understanding and continuously monitoring code components and their vulnerabilities is essential.' He points out that companies that collect SBOMs from vendors and invest in solutions to process and monitor the vulnerability lifecycle of their assets will be better prepared to deal with cybersecurity challenges in the future and to ensure the safety, security, and resilience of their critical systems and infrastructure.
SBOMs can help businesses track vulnerabilities in real time and maintain an accurate software inventory. Continuous security requires ongoing vulnerability lifecycle monitoring. An SBOM offers transparency into the precise software versions in use, so an organization can detect and address known vulnerabilities itself instead of relying only on the security advisories vendors publish, where it is at the vendor's discretion which vulnerabilities to disclose, and can gain a complete understanding of its threat landscape. Additionally, it facilitates the management and quantification of commercial software licenses. When new CVEs are published, organizations can compare SBOM data with databases such as the NIST NVD and the CISA KEV catalog to find and prioritize affected systems, and can also record their findings when a vulnerability does not pose a risk in their operations and environment.
To help evaluate SBOM component information against different threat signatures and patterns, the National Security Agency (NSA) supports the use of AI/ML engines and related "data lakes." A crucial component of efficient SBOM management is vulnerability tracking and analysis, which entails delivering daily updates from the National Vulnerability Database (NVD) and additional vulnerability data sources.
SBOMs are crucial for Incident Response and Threat Intelligence. They help security teams quickly identify compromised components in apps and determine available mitigation options and vendor updates during a cyber incident.
According to the Verizon 2025 DBIR report, exploited vulnerabilities are a major cause of breaches: attackers exploiting vulnerabilities to gain initial access and cause security breaches rose 34% compared with 2024. A blind spot in awareness and in patching strategy is a significant factor behind these numbers. Risk-based patch management recognizes that not every vulnerability needs immediate fixing. Teams can prioritize threats by combining SBOMs with vulnerability threat intelligence (VTI), in particular whether a known exploit exists for a given vulnerability.
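As an added example, not code from the article or from any vendor it quotes: the matching and prioritization that the two paragraphs above describe, in Python. The SBOM, the advisory feed, the KEV-style list of known-exploited advisories and the VEX-style analysis records are all constructed inline (advisory IDs are placeholders, not real CVE numbers), and the version comparison is a simplified dotted-numeric one. It shows matching by package URL and version range, KEV-listed matches sorted to the top, and a recorded 'not affected' finding carried in the output rather than silently dropped.

```python
"""Match SBOM components against a vulnerability feed and rank the results."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (not a real product's inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "xz", "version": "5.4.6",
     "purl": "pkg:generic/xz@5.4.6"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders, not real CVE numbers. Each entry
# names the affected package (purl without version) and "introduced / fixed" ranges.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.15.0"}]},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:generic/xz",
     "ranges": [{"introduced": "5.6.0", "fixed": "5.6.2"}]},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:pypi/requests",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.32.0"}]},
]
# Constructed stand-in for a KEV-style catalog: advisories with known exploitation.
KEV_IDS = {"ADV-EXAMPLE-0001"}
# VEX-style records an organization keeps when a match is judged not exploitable in
# its own environment, keyed by (advisory id, purl). The justification value follows
# the OpenVEX vocabulary.
VEX = {
    ("ADV-EXAMPLE-0003", "pkg:pypi/requests@2.31.0"):
        {"state": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
}

PRIORITY_ORDER = {"P1": 0, "P3": 1, "suppressed": 2}


@dataclass
class Finding:
    advisory: str
    purl: str
    priority: str
    reason: str


def parse_version(version):
    """Simplified dotted-numeric parse; non-numeric segments count as 0.
    Real tooling must use the ecosystem's own version scheme (semver, PEP 440, ...)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def purl_base(purl):
    """Strip the version (and anything after it) from a package URL."""
    return purl.split("@", 1)[0]


def load_components(sbom_json):
    doc = json.loads(sbom_json)
    return [c for c in doc.get("components", []) if "purl" in c]


def match_sbom(components, advisories, kev_ids, vex):
    """Join components to advisories by purl + version range, then rank."""
    findings = []
    for comp in components:
        base = purl_base(comp["purl"])
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if not any(version_in_range(comp["version"], r["introduced"], r.get("fixed"))
                       for r in adv["ranges"]):
                continue
            record = vex.get((adv["id"], comp["purl"]))
            if record and record["state"] == "not_affected":
                # Keep the suppressed match so the decision stays auditable.
                findings.append(Finding(adv["id"], comp["purl"], "suppressed",
                                        "VEX not_affected: " + record["justification"]))
            elif adv["id"] in kev_ids:
                findings.append(Finding(adv["id"], comp["purl"], "P1",
                                        "listed as known exploited: patch first"))
            else:
                findings.append(Finding(adv["id"], comp["purl"], "P3",
                                        "affected version, no known exploitation"))
    findings.sort(key=lambda f: (PRIORITY_ORDER[f.priority], f.advisory))
    return findings


def triage():
    """Run the matching over the constructed inputs above."""
    return match_sbom(load_components(SBOM_JSON), ADVISORIES, KEV_IDS, VEX)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.priority:10} {f.advisory:18} {f.purl}  ({f.reason})")
```

The xz component is deliberately outside the advisory's range, so it produces no finding; the log4j-core match is ranked first because its advisory is on the known-exploited list, and the requests match survives as a suppressed row carrying the recorded justification.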
In GRC, SBOMs assist in ensuring compliance and regulatory readiness throughout the procurement lifecycle and can help avoid buying unmaintained and insecure products. Under new government regulations on secure software development, organizations are required to demonstrate that they monitor and manage risk throughout their software supply chain lifecycle. SBOMs provide documentation for compliance with FDA, NIST, PCI DSS, PCI SSF, EU CRA, RED, ETSI EN 303 645, BSI TR-03183, EO 14028, as well as the upcoming US DoD procurement requirements.
A "software bill of materials" (SBOM) has become a crucial component of software security and software supply chain risk management, according to CISA. As businesses rely more on third-party components and complex systems, software supply chain security has become a top responsibility. Vulnerability management must be implemented throughout the software lifecycle, from design to deployment and operations, to handle the entire range of security threats. This all-encompassing strategy, sometimes referred to as "shifting left and, even more important, shifting right," guarantees that vulnerabilities are consistently recognized, evaluated, and reduced.
In 2019, the medical technology sector launched a proof of concept to assess SBOMs' ability to manage operational and cyber risks in medical devices. Medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) demonstrated the feasibility of SBOMs by producing, exchanging, and applying the data to improve security procedures. In 2025, with a growing digital risk landscape, all industries must utilize SBOMs to enable better cybersecurity and transparency into the software-based products they build and the ones they consume.
It does not end with software. As teams embed AI models and language pipelines across their products, an Artificial Intelligence Software Bill of Materials (AI SBOM) becomes essential. An AI SBOM lists every model file, training dataset, agent, and external inference service, giving product security teams the same clear inventory they expect from a traditional SBOM, down to the last line of code. Dmitry Raidman explains that an AI SBOM provides 'an X-ray view of the intelligent functionality,' allowing teams to know exactly what is running in production, how it was trained, and what they are receiving from vendors or delivering to customers.
A Hardware Bill of Materials (HBOM) performs the same role for physical components. It maps every chip, board, sensor, and firmware version so security and procurement teams can detect counterfeit parts and unvetted substitutions before they reach production. A long-planned pager hardware supply chain attack reported in Lebanon underscored why HBOM transparency and validation matter; altered pagers were covertly introduced and later exploited, showing how a single tampered device can become a beachhead for wider compromise when hardware provenance is unclear.
A Cryptography Bill of Materials (CBOM) catalogs every algorithm, protocol, library, and certificate in your products, giving security teams a clear map of where cryptography lives. With quantum-safe standards such as CRYSTALS-Dilithium on the horizon, you must know exactly where RSA 2048-bit or ECC P-256 still protect data so you can schedule timely upgrades to post-quantum cryptography. Dmitry Raidman sums it up: 'A CBOM is your migration roadmap. When quantum-capable attackers are on the horizon, you cannot replace vulnerable ciphers you do not even know you have.'
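As an added example, not code from the article or from Cybeats: a Python script that reads a constructed CBOM shaped after CycloneDX 1.6 cryptographic-asset components (the `family` key is a simplification of this example, not a CycloneDX field) and produces the migration roadmap the paragraph describes. It classifies each algorithm as replace (public-key schemes broken by Shor's algorithm, which covers RSA 2048-bit and ECC P-256), strengthen (symmetric keys below 256 bits, where Grover's algorithm halves effective strength) or keep (ML-DSA, the standardized form of CRYSTALS-Dilithium), then follows the bom-ref links from certificates and protocols back to those algorithms so the roadmap shows which deployed assets actually have to change. A dangling reference is treated as an error, because an incomplete inventory is exactly the gap the quote warns about.

```python
"""Turn a CBOM into a post-quantum migration roadmap."""
import json

# Constructed CBOM modeled on CycloneDX 1.6 "cryptographic-asset" components.
# The "family" key is a simplification for this example, not a CycloneDX field.
CBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "cryptographic-asset", "bom-ref": "alg:rsa-2048", "name": "RSA-2048",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"family": "RSA", "primitive": "signature",
                               "parameterSetIdentifier": "2048"}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ecdh-p256", "name": "ECDH P-256",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"family": "ECC", "primitive": "key-agree",
                               "parameterSetIdentifier": "P-256"}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:aes-128-gcm", "name": "AES-128-GCM",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"family": "AES", "primitive": "ae",
                               "parameterSetIdentifier": "128"}}},
    {"type": "cryptographic-asset", "bom-ref": "alg:ml-dsa-65", "name": "ML-DSA-65",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"family": "ML-DSA", "primitive": "signature",
                               "parameterSetIdentifier": "65"}}},
    {"type": "cryptographic-asset", "bom-ref": "cert:api-tls", "name": "API server leaf certificate",
     "cryptoProperties": {"assetType": "certificate",
       "certificateProperties": {"signatureAlgorithmRef": "alg:rsa-2048",
                                 "subjectPublicKeyRef": "alg:rsa-2048"}}},
    {"type": "cryptographic-asset", "bom-ref": "proto:tls12", "name": "TLS 1.2 listener",
     "cryptoProperties": {"assetType": "protocol",
       "protocolProperties": {"type": "tls", "version": "1.2",
         "cipherSuites": [{"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                           "algorithms": ["alg:ecdh-p256", "alg:rsa-2048", "alg:aes-128-gcm"]}]}}}
  ]
}
"""

# Public-key families broken by Shor's algorithm on a cryptographically relevant quantum computer.
SHOR_BROKEN = {"RSA", "ECC", "DSA", "DH"}
# Symmetric families where Grover's algorithm roughly halves effective key strength.
GROVER_AFFECTED = {"AES", "ChaCha20"}
# NIST post-quantum standards (FIPS 203/204/205); ML-DSA is the standardized CRYSTALS-Dilithium.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}


def classify_algorithm(algo_props):
    """Return (action, reason) for one algorithm entry."""
    family = algo_props["family"]
    if family in QUANTUM_SAFE:
        return "keep", "already post-quantum"
    if family in SHOR_BROKEN:
        return "replace", "public-key algorithm broken by Shor's algorithm"
    if family in GROVER_AFFECTED:
        bits = int(algo_props["parameterSetIdentifier"])
        if bits < 256:
            return "strengthen", f"{bits}-bit key; Grover halves effective strength"
        return "keep", "256-bit symmetric strength is adequate"
    return "review", "unknown family; needs manual assessment"


def referenced_algorithms(comp):
    """bom-refs of algorithms that a certificate or protocol depends on."""
    cp = comp["cryptoProperties"]
    if cp["assetType"] == "certificate":
        certp = cp["certificateProperties"]
        return {certp["signatureAlgorithmRef"], certp["subjectPublicKeyRef"]}
    if cp["assetType"] == "protocol":
        refs = set()
        for suite in cp["protocolProperties"].get("cipherSuites", []):
            refs.update(suite.get("algorithms", []))
        return refs
    return set()


def plan_migration(cbom_json):
    """Classify every algorithm, then attach the assets that depend on it."""
    comps = json.loads(cbom_json)["components"]
    roadmap = {}
    for comp in comps:
        cp = comp["cryptoProperties"]
        if cp["assetType"] == "algorithm":
            action, reason = classify_algorithm(cp["algorithmProperties"])
            roadmap[comp["bom-ref"]] = {"name": comp["name"], "action": action,
                                        "reason": reason, "used_by": []}
    for comp in comps:
        for ref in referenced_algorithms(comp):
            if ref not in roadmap:
                # A dangling reference means the inventory is incomplete: fail loudly.
                raise ValueError(f"{comp['bom-ref']} references unknown algorithm {ref}")
            roadmap[ref]["used_by"].append(comp["bom-ref"])
    for entry in roadmap.values():
        entry["used_by"].sort()
    return roadmap


def migration_queue(roadmap):
    """Assets to schedule first: everything that depends on a 'replace' algorithm."""
    queue = set()
    for entry in roadmap.values():
        if entry["action"] == "replace":
            queue.update(entry["used_by"])
    return sorted(queue)


if __name__ == "__main__":
    plan = plan_migration(CBOM_JSON)
    for ref, entry in plan.items():
        print(f"{entry['action']:10} {entry['name']:14} used by {entry['used_by']}  ({entry['reason']})")
    print("migrate first:", migration_queue(plan))
```

Running it on the constructed CBOM lists the TLS listener and the API certificate as the two assets to migrate first, since both rest on RSA-2048 (and the listener also on ECDH P-256), while the AES-128 suite is flagged for a key-size upgrade rather than replacement.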
SBOMs, HBOMs, and CBOMs will be crucial for risk management in our digital environment in the future. Even though the 'BOM' adoption cycle is still in its early phases, more transparency and accountability about hardware security, software security, and optimization will benefit both the public and private sectors.
