With the recent talk of software bills of materials (SBOMs) in the news, it may seem like SBOMs are a new concept, but they’ve actually been around for over a decade. The Software Package Data Exchange (SPDX) standard was created in 2010 to communicate SBOM information, such as components, licenses, copyrights, and security references. SBOMs have only become more popular with the rise of attacks on software supply chains, and there are now federal regulations that require an SBOM when doing business with federal government entities.
Hardware bills of materials (HBOMs) have been around much longer but are becoming more commonplace in the tech industry as more companies look to secure their cyber footprints.
In this blog, we’ll discuss the difference between SBOMs and HBOMs and which one you’ll need depending on whether you’re a supplier or asset owner.
A software bill of materials (SBOM) is a list of all of the components that make up a piece of software. SBOMs allow software developers to prove the components they use in their products are secure and adhere to suitable cyber hygiene practices.
SBOMs help software asset owners understand the products they’re adding to their environment and enable security operations (SecOps) teams to identify any vulnerabilities quickly should they arise.
SBOMs identify the following types of risk:
A hardware bill of materials (HBOM) lists every physical piece or component used to build a product. HBOM analysis provides manufacturers, asset owners, or program owners with information to make decisions about the origins or security risks of a given product or technology.
For example, in the defense or telecommunications industries, you may be subject to regulations about which companies' components may be included in a product. An HBOM provides the provenance of the parts in a product so you can make an informed decision on whether to move forward with the purchase of that device.
HBOMs can identify the following:
For software suppliers and software asset owners, SBOMs have several use cases. Let’s break it down.
Just like SBOMs for software suppliers and software asset owners, HBOMs have several use cases, too.
For manufacturing purposes: HBOMs remove ambiguity in the manufacturing process so products can be made consistently at scale. They're also used to control quality: when a contract manufacturer is used to produce a product, the specific parts listed in the HBOM prevent the manufacturer from substituting cheaper parts. HBOMs also aid in production planning, purchase decisions, and material provision.
For sales purposes: HBOMs can be used in the sales process to prove a product is secure and isn’t adding unexpected components to an asset owner’s IT environment.
For compliance purposes: Similar to suppliers, an asset owner may request an HBOM to make sure all the pieces of a product meet regulatory requirements. If a defense company comes across a banned component in a product, it may choose not to work with that supplier.
For procurement purposes: Similar to compliance purposes, asset owners may require HBOMs from suppliers for assurance. Asset owners can verify whether the parts in a received product match what is listed in the HBOM. Potential risks to the supply chain include obsolescence, vulnerabilities, non-conformances, counterfeits, and foreign influence.
Whether you need an SBOM or HBOM depends on your situation and your needs. SBOMs may be used in continuous monitoring and incident response situations, whereas HBOMs are used in procurement and the spot-checking of products.
As software companies release updates or patches, components and subcomponents change, so SecOps teams need up-to-date information about what is actually deployed.
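As an added illustration of the continuous-monitoring use case above (example code written for this post, not Fortress's tooling or any vendor's product), the script below indexes the packages in two SPDX JSON documents by Package URL, reports which components were added or removed between releases, matches each version against a vulnerability feed, and flags licenses outside an allowed list. The document layout follows the SPDX 2.3 JSON schema (`packages`, `versionInfo`, `licenseConcluded`, `externalRefs` with `referenceType` `purl`); the package names, versions, and advisory identifiers are constructed placeholders, not real projects or CVEs.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample: SPDX 2.3 JSON for release 1.0 of a hypothetical service.
# Field names follow the SPDX JSON schema; package names/versions are made up.
SBOM_V1 = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-service-1.0",
    "packages": [
        {"SPDXID": "SPDXRef-Package-router", "name": "acme-router", "versionInfo": "3.1.0",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-router@3.1.0"}]},
        {"SPDXID": "SPDXRef-Package-crypto", "name": "acme-crypto", "versionInfo": "2.0.0",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-crypto@2.0.0"}]},
        # A package with no purl at all, to exercise the fallback key.
        {"SPDXID": "SPDXRef-Package-vendor", "name": "vendor-lib", "versionInfo": "0.9.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed sample: release 1.1. acme-crypto was patched and acme-yaml was added.
SBOM_V2 = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-service-1.1",
    "packages": [
        {"SPDXID": "SPDXRef-Package-router", "name": "acme-router", "versionInfo": "3.1.0",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-router@3.1.0"}]},
        {"SPDXID": "SPDXRef-Package-crypto", "name": "acme-crypto", "versionInfo": "2.0.1",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-crypto@2.0.1"}]},
        {"SPDXID": "SPDXRef-Package-yaml", "name": "acme-yaml", "versionInfo": "1.4.0",
         "licenseConcluded": "GPL-3.0-only",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/acme-yaml@1.4.0"}]},
        {"SPDXID": "SPDXRef-Package-vendor", "name": "vendor-lib", "versionInfo": "0.9.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed advisory feed keyed by purl. In practice this comes from a vulnerability
# database; the identifiers here are placeholders, not real CVE numbers.
ADVISORIES = {
    "pkg:npm/acme-crypto@2.0.0": ["EXAMPLE-ADV-0001"],
    "pkg:npm/acme-yaml@1.4.0": ["EXAMPLE-ADV-0002"],
}

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "NOASSERTION"}


def load_components(sbom_json: str) -> Dict[str, dict]:
    """Index an SPDX JSON document's packages by purl (name@version if none)."""
    doc = json.loads(sbom_json)
    index: Dict[str, dict] = {}
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        if purl is None:
            purl = f"{pkg['name']}@{pkg.get('versionInfo', 'unknown')}"
        index[purl] = {"name": pkg["name"], "version": pkg.get("versionInfo"),
                       "license": pkg.get("licenseConcluded", "NOASSERTION")}
    return index


def find_vulnerable(components: Dict[str, dict],
                    advisories: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the subset of components that appear in the advisory feed."""
    return {purl: advisories[purl] for purl in components if purl in advisories}


def find_disallowed_licenses(components: Dict[str, dict],
                             allowed: Set[str]) -> Dict[str, str]:
    """Return purl -> license for components whose concluded license is not allowed."""
    return {purl: c["license"] for purl, c in components.items()
            if c["license"] not in allowed}


def diff_sboms(old: Dict[str, dict], new: Dict[str, dict]) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) purls between two SBOM versions."""
    return set(new) - set(old), set(old) - set(new)


def triage(old_sbom: str, new_sbom: str, advisories: Dict[str, List[str]]) -> dict:
    """Summarize what changed between releases and what SecOps should look at."""
    old, new = load_components(old_sbom), load_components(new_sbom)
    added, removed = diff_sboms(old, new)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "vulnerable_before": find_vulnerable(old, advisories),
        "vulnerable_after": find_vulnerable(new, advisories),
        "license_issues": find_disallowed_licenses(new, ALLOWED_LICENSES),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_V1, SBOM_V2, ADVISORIES), indent=2))
```

Rerunning `triage` whenever a supplier ships a new SBOM is the mechanical part of the continuous-monitoring use case: the `added` list is the set of components nobody has reviewed yet, and `vulnerable_after` shows that patching one component (acme-crypto) does not help if the same release introduces another with an open advisory.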
If you’re a supplier regularly working with federal entities, it’s wise to have SBOMs and HBOMs available when heading into RFPs or sales calls. If you’re an asset owner, it’s also wise to request an SBOM and HBOM during the procurement process as a precaution.
When you work with Fortress, we can either request SBOMs and HBOMs from companies on your behalf, or help create them for you.
For SBOMs, our team analyzes software and looks for component vulnerabilities, and we advise on ways to remediate them. For HBOMs, our tear-down team will purchase a device and conduct a full dismantle to identify all pieces contained within. We’ll send you a full report with a list of all the parts, their provenance, and more.
Learn more about Fortress SBOMs and HBOMs and how they can help your company today.