Bsides Bangalore 2024

Talk Slides

Talk Abstract

Software Bill of Materials (SBoM) has rapidly become a prominent topic in the security world over the past few months. From 2021 to 2024, the industry’s engagement with SBoMs raises critical questions: Are we fully leveraging their potential? Are efforts being made to create SBoMs in the first place? A frequent topic of debate is whether an SBoM should remain confidential or be shared—should it be protected, or openly accessible?

On one hand, SBoMs represent a revolutionary approach to maintaining software inventories, potentially simplifying the management of digital assets. However, there is a concern that the inclusion of infrastructure and additional elements complicates matters, transitioning from KBom, to Cbom, to Xbom. Is this merely an overenthusiastic expansion, or is there a genuine necessity for these variations?

Conversely, there are arguments that SBoMs represent an excessive investment with minimal returns, particularly when organizational strategies and codebases are subject to frequent changes, leading to uncertainties in their long-term utility.

Moreover, while SBoMs are typically discussed in the context of security, this presentation will explore other potential applications. By addressing these points, the presentation aims to clarify the current and future roles of SBoMs in the industry.

AI Generated Summary

AI Generated Content Disclaimer

Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.

This presentation at Bsides Bangalore examines the Software Bill of Materials (SBoM) landscape with a balanced, pragmatic lens — exploring whether SBoM is a passing compliance fad or a genuinely transformative capability for the IT industry. Anant Shrivastava walks through what SBoMs are, the competing standards, industry skepticism, practical security benefits, and crucially, how to make SBoMs valuable beyond security teams by positioning them as a cross-functional organizational asset for development, M&A, compliance, and risk management.

Key Topics Covered

SBoM Fundamentals:

An SBoM is an itemized list of all third-party components in software, including name, version, checksum, license information, and dependency relationships
SBoMs are typically one level deep, with nested SBoMs plugged into each other for deeper visibility
The US Executive Order on cybersecurity catalyzed SBoM adoption, but the mandate focuses on creation with no direction on usage or consumption

Competing Standards:

SPDX — ISO standard, default export format on GitHub
CycloneDX — OWASP-supported format
SWID — alternative ISO specification
Each format has different strengths, contributing to fragmentation in the ecosystem

SBoM Generation Tooling:

GitHub dependency graph (Insights tab) and API-based export
cdxgen (CycloneDX generator)
SPDX tools
Manual creation as a fallback since SBoM formats are XML-based

Industry Skepticism and Resistance:

Concerns about disclosing software composition to competitors
Belief that SBoM is only relevant for US-market vendors
Argument that time spent building SBoMs would be better spent fixing bugs
Lack of clarity on what to do with SBoMs once generated — the industry has never had well-maintained software inventory and lacks processes for leveraging one

Problems Created by the Software Industry:

Automated build pipelines enable faster releases but reduce incentive to upgrade dependencies
Heavy reliance on open-source without supporting maintainers
Impossible segregation of features and bug fixes in dependency updates
Automated vulnerability notifications creating alert fatigue (the “hedonic hamster wheel”)

SBoM’s Security Value:

Identifying incorrect or unauthorized software use
Rapid impact assessment during incidents like Log4Shell
Understanding blast radius when a core component has a security bug
Fundamentally solving the inventory problem that has plagued information security

Evolving Security Landscape — xBoMs and Beyond:

VDR (Vulnerability Disclosure Report) and VEX (Vulnerability Exploitability eXchange)
Expanding BoM variants: SaaSBOM, HBOM, ML-BOM, CBOM, MBOM, OBOM
Attestations as a trust mechanism

Existing Tooling Ecosystem:

OWASP CycloneDX, Google SLSA, SPDX
SafeDep for policy-driven security
Dependency-Track for vulnerability management
SYFT by Anchore for SBoM generation

SBoM Beyond Security — Cross-Functional Value:

Development: manage technical debt, reduce dependency scatter, consolidate package usage, simplify selection for new projects
Acquisitions & Mergers: assess cost of ownership (outdated/EOL software signals high post-acquisition cost), evaluate tech stack alignment, identify non-cohesive teams
Compliance: license policy enforcement at component level, identify GPL-style restrictions, flag potential rework costs from non-compliant licenses
Risk Management: quantify risk of purchasing vendor software, assess risk tolerance per deployment context, evaluate trust boundaries for sensitive data flows

Making SBoM Stick:

Security is a cost center — SBoM must demonstrate value to profit centers (HR, Finance, business units)
Inventory enables data-driven decisions across the organization
Better tooling with improved UX is essential — current tools are not accessible to non-practitioners
Focus on building tools for others, not just for security teams

Actionable Takeaways

Start generating SBoMs using tools like cdxgen, GitHub dependency graph, or SPDX tools — the generation problem is largely solved, but consumption remains the real challenge.
Consolidate SBoMs across your organization into a unified inventory to draw cross-functional inferences rather than treating each SBoM in isolation.
Position SBoM value beyond security by demonstrating its utility for development (technical debt tracking), M&A due diligence, compliance (license enforcement), and risk management.
Address industry resistance head-on by framing SBoM as an inventory enabler — the same data serves security, legal, finance, and engineering needs.
Invest in better UX for SBoM tooling — current tools are built by practitioners for practitioners, limiting adoption by the broader organization.
Use SBoM data to make quantifiable, dollar-value arguments: cost of upgrading vs. not upgrading, licensing rework costs, and risk assessment for vendor software procurement.
Explore the emerging xBoM ecosystem (VEX, SaaSBOM, HBOM, ML-BOM) and attestation frameworks to stay ahead as the compliance landscape evolves.

Bsides Bangalore 2024