With the recent talk of software bills of materials (SBOMs) in the news, it may seem like SBOMs are a new concept, but they’ve actually been around for over a decade. The Software Package Data Exchange (SPDX) standard was created in 2010 to communicate SBOM information, such as components, licenses, copyrights, and security references. SBOMs have only become more popular with the rise of attacks on software supply chains, and there are now federal regulations that require an SBOM when doing business with federal government entities.
Hardware bills of materials (HBOMs) have been around much longer but are becoming more commonplace in the tech industry as more companies look to secure their cyber footprints.
In this blog, we’ll discuss the difference between SBOMs and HBOMs and which one you’ll need depending on whether you’re a supplier or asset owner.
What is a Software Bill of Materials (SBOM)?
A software bill of materials (SBOM) is a list of all of the components that make up a piece of software. They allow software developers to prove the components they use in their products are secure and adhere to suitable cyber hygiene practices.
SBOMs help software asset owners understand the products they’re adding to their environment and enable security operations (SecOps) teams to identify any vulnerabilities quickly should they arise.
SBOMs identify the following types of risk:
- Vulnerability - How many, the severity, and the type
- Dependency - Dependencies, components, and subcomponents that are outdated within the product
- License - Can this product be used commercially, or are modifications required to be publicly released?
What is a Hardware Bill of Materials (HBOM)?
A hardware bill of materials (HBOM) lists every physical piece or component used to build a product. HBOM analysis provides manufacturers, asset, or program owners with information to make decisions about the origins or security risks of a given product or technology.
For example, in the defense or telecommunications industries, you may have regulations about what company components can be included in a product. An HBOM will provide the provenance of parts in a product so you can make informed decisions on whether to move forward with the purchase of that device.
HBOMs can identify the following:
- Configuration - How the product was assembled
- Provenance - Where the parts came from
- Obsolescence - Whether the product is using old or obsolete parts
- Non-conformities - The ways a product is different from other similar products on the market
SBOM Use Cases
For software suppliers and software asset owners, SBOMs have several use cases. Let’s break it down.
- For compliance purposes: When suppliers provide proprietary software that other companies will buy, those customers need to know what is in the software to ensure they don’t get backdoored.
- People writing software product code need a list of components to get ahead of potential vulnerabilities and weaknesses. They also have to pass internal audits.
- For sales purposes: In these cases, their customers require it. The request for an SBOM is becoming more popular in RFPs from large companies trying to buy new software. In the case of the federal government making purchases, SBOMs will be required starting in 2023.
- For SecOps and PSIRT purposes: Internal SecOps teams must ensure their company and products aren’t being compromised.
Software Asset Owners
- For compliance purposes: Similar to suppliers, software consumer auditors demand SBOMs. The difference is in what these auditors are looking for. They’re analyzing who is in their ecosystem and proof that they’re secure. There is more of an availability for mitigating factors in those audits.
- For procurement purposes: Asset owners require SBOMs from suppliers for assurance, and it’s an emerging situation. As mentioned above, requests for SBOMs in RFPs are becoming more popular, especially at the federal level.
- For security operations purposes: SBOMs are used to monitor the asset owner’s environment for threats, for example, exploitable components in the software running on the network.
- In this instance, having an SBOM is helpful because it allows your security team to know what to look for when new vulnerabilities occur. An SBOM would allow asset owners to quickly find what products are affected and where they are.
HBOM Use Cases
Just like SBOMs for software suppliers and software asset owners, HBOMs have several use cases, too.
For manufacturing purposes: HBOMs remove ambiguity in the manufacturing process so products can be made consistently at scale. They’re also used to control quality, for example, when a contract manufacturer is used to produce a product, specific parts are listed in the HBOM to prevent the manufacturer from substituting cheaper parts. It also aids in production planning, purchase decisions, and material provision.
For sales purposes: HBOMs can be used in the sales process to prove a product is secure and isn’t adding unexpected components to an asset owner’s IT environment.
Hardware Asset Owners
For compliance purposes: Similar to suppliers, an asset owner may request an HBOM to make sure all the pieces of a product meet regulatory requirements. If a defense company comes across a banned component of a product, it may choose not to work with that supplier.
For procurement purposes: Similar to compliance purposes, asset owners may require HBOMs from suppliers for assurance. Asset owners can verify if the parts in a received product match what is listed in the HBOM. Potential risks to the supply chain include obsolescence, vulnerabilities, non-conformances, counterfeits, and foreign influence.
Do I Need an SBOM or an HBOM?
Whether you need an SBOM or HBOM depends on your situation and your needs. SBOMs may be used in continuous monitoring and incident response situations, whereas HBOMs are used in procurement and the spot-checking of products.
As software companies release updates or patches, components and subcomponents change, which requires up-to-date info for SecOps teams.
If you’re a supplier regularly working with federal entities, it’s wise to have SBOMs and HBOMs available when heading into RFPs or sales calls. If you’re an asset owner, it’s also wise to request an SBOM and HBOM during the procurement process as a precaution.
Get Started with Fortress SBOMs and HBOMs
When you work with Fortress, we can either request SBOMs and HBOMs from companies on your behalf, or help create them for you.
For SBOMs, our team analyzes software and looks for component vulnerabilities, and we advise on ways to remediate them. For HBOMs, our tear-down team will purchase a device and conduct a full dismantle to identify all pieces contained within. We’ll send you a full report with a list of all the parts, their provenance, and more.