The Rise of SBOMs and Software Supply Chain Security
Explore the critical importance of Software Bill of Materials (SBOMs) as a shift from optional to mandatory compliance in the EU's Cyber Resilience Act. This analysis covers the operationalization of SBOMs for security audits and the risks associated with generic tooling in the CI/CD pipeline.
The Shift from 'Good Enough' to Mandatory Compliance
In the current software landscape, the lack of comprehensive visibility into software dependencies is a systemic market failure. For too long, security has been treated as a cost center rather than a priority. However, a paradigm shift is occurring, driven by legislative mandates such as the US Executive Order 14028 and the European Union's Cyber Resilience Act (CRA). Unlike previous regulations such as GDPR, where fines were the primary deterrent, the CRA carries a significantly higher risk: the potential for products to be blocked entirely from the European market.
Operationalizing SBOMs for Real-World Utility
An SBOM (Software Bill of Materials) should not be treated as a 'tick-box' exercise for compliance. When operationalized, it becomes a powerful tool for security and license audits. By integrating SBOMs into the CI/CD pipeline, organizations can automate the detection of CVEs (Common Vulnerabilities and Exposures) and utilize VEX (Vulnerability Exploitability eXchange) statements to filter out non-impactful vulnerabilities, reducing noise and focusing engineering effort on actual risks.
The Tooling Gap and Pipeline Security
There is a critical gap between generic SBOM tools and high-quality, ecosystem-specific tooling. Generic tools often fail to reach the 'NTIA minimum element' gold standard of quality. Furthermore, the recent compromise of Trivy serves as a cautionary tale about the dangers of using long-lived credentials and relying on mutable Git tags in CI/CD pipelines. To mitigate these risks, organizations must move toward OIDC and pin GitHub Action modules to specific commit hashes rather than version tags.
Conclusion
As SBOMs move toward becoming first-class citizens in trust centers, the ability to provide a transparent, signed, and reproducible inventory of software ingredients is no longer optional. Companies that prioritize high-quality SBOM generation and secure pipeline infrastructure now will be better positioned to navigate the upcoming regulatory wave and defend against supply chain attacks.
Key insights
- The EU Cyber Resilience Act (CRA) represents a 'GDPR moment' for software, as the penalty for non-compliance is the blocking of products from the European market rather than just financial fines.
  Impact: Companies must immediately prioritize SBOM generation to maintain market access to the European Union.
- Generic SBOM tools often fail to meet NTIA minimum element compliance, whereas ecosystem-specific tools usually produce higher quality metadata and more accurate dependency trees.
  Impact: Organizations may have a false sense of security if they rely on generic scanners that produce 'garbage in, garbage out' data.
- The compromise of Trivy underscores the risk of using long-lived credentials in CI/CD pipelines and relying on mutable tags in GitHub Actions.
  Impact: A shift toward OIDC and hash-pinning for all pipeline dependencies is required to prevent supply chain poisoning.
Action items
- Transition from using version tags to pinning all GitHub Action modules and dependencies to specific commit hashes.
  Impact: Prevents the execution of compromised code through overwritten releases/tags in the CI/CD pipeline.
- Implement OIDC (OpenID Connect) and short-lived credentials in the CI/CD pipeline to replace long-lived static secrets.
  Impact: Reduces the blast radius of a pipeline compromise by eliminating permanent access keys.
- Audit existing lock files and transition to modern package managers (e.g., UV for Python, Bun for JavaScript) that generate higher quality, pinned dependency trees.
  Impact: Increases the accuracy of SBOMs and simplifies the security auditing process for transitive dependencies.
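A small check an engineer could run over workflow files to enforce the hash-pinning and OIDC action items above. This is an added example, not tooling from the page or from any project it names; it assumes GitHub Actions `uses:` syntax, and the sample workflow, its action names and the 40-character hash are constructed placeholders.

```python
from __future__ import annotations
import re

# Matches `uses: owner/repo[/path]@ref`, with or without a list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow (not from any real repository). The 40-hex value
# is a placeholder, not a real commit of actions/setup-python.
SAMPLE_WORKFLOW = """\
name: sbom
on: [push]
permissions:
  id-token: write    # OIDC token exchange instead of a stored long-lived secret
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: example-org/sbom-generator@main
      - uses: ./.github/actions/local-step
      - name: unpinned
        uses: example-org/publish-sbom
"""

def classify(uses: str) -> str:
    """Return 'local', 'sha', 'mutable' or 'unpinned' for one uses: value."""
    if uses.startswith("./"):
        return "local"       # same-repo action: fixed by the checked-out commit
    if "@" not in uses:
        return "unpinned"    # default branch is resolved at run time
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"         # immutable: content cannot change under the pin
    return "mutable"         # tags and branches can be moved or recreated

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, uses value, classification) for each non-SHA ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) not in ("sha", "local"):
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def uses_oidc(text: str) -> bool:
    """True if the workflow requests an OIDC token (id-token: write)."""
    return re.search(r"^\s*id-token:\s*write", text, re.M) is not None

if __name__ == "__main__":
    for lineno, uses, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} ({kind}); pin to a full commit SHA")
    print("OIDC requested:", uses_oidc(SAMPLE_WORKFLOW))
```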
Quotes
“The stick here is having a product blocked from the European market, which is a much, much bigger stick than just fines.”
“If you purely treat this exercise as a tick-box exercise... then you're not really reaping the benefits of generating this.”
“The time to get on top of SBOMs is now. I expect all future compliance frameworks to require SBOMs.”