{"id":8450,"date":"2022-06-16T09:00:00","date_gmt":"2022-06-16T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-5090\/"},"modified":"2026-05-10T19:06:16","modified_gmt":"2026-05-10T19:06:16","slug":"software-supply-chain-security-how-sboms-create-the-transparency-thats-been-missing","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2022\/06\/16\/software-supply-chain-security-how-sboms-create-the-transparency-thats-been-missing\/","title":{"rendered":"Software Supply Chain Security: How SBOMs Create the Transparency That\u2019s Been Missing"},"content":{"rendered":"<p><strong>SolarWinds, Log4Shell, MOVEit &#8211; every major supply chain incident of recent years opened with the same question: are we affected, and where? A Software Bill of Materials (SBOM) answers that question at the component level. It lists every component in a software application, so a vulnerable library such as Log4j can be traced &#8211; within minutes &#8211; to every product that embeds it. Without SBOMs, that same assessment can take weeks.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li>US Executive Order 14028 mandates SBOMs for vendors supplying federal agencies<\/li>\n<li>The EU Cyber Resilience Act (CRA) requires SBOMs from December 2027 for all products with digital elements placed on the EU market<\/li>\n<li>Standard formats: SPDX (Linux Foundation) and CycloneDX (OWASP)<\/li>\n<li>The US National Telecommunications and Information Administration (NTIA) defines seven minimum elements: supplier name, component name, version, other unique identifiers (such as a package URL or CPE), dependency relationships, author of the SBOM data, and timestamp<\/li>\n<\/ul>\n<h2>What an SBOM Actually Is<\/h2>\n<p>An SBOM is a machine-readable inventory of all software components: libraries, frameworks, dependencies &#8211; with name, version, license, and origin. Think of it like a food ingredient label: you know exactly what\u2019s inside. Two details decide whether the label is usable: each entry needs a unique identifier such as a package URL (purl) that tooling can match against vulnerability databases, and the inventory must include transitive dependencies, not only the ones declared in the project\u2019s own manifest.<\/p>\n<p>In practice: When a new vulnerability like Log4Shell emerges, an organization with SBOMs can identify &#8211; in minutes &#8211; which of its products contain the vulnerable component, in that case log4j-core. 
Without SBOMs, teams face a manual, weeks-long forensic search.<\/p>\n<h2>Regulatory Pressure Is Mounting<\/h2>\n<p>The US led the way: Executive Order 14028 requires software suppliers to federal agencies to provide SBOMs. The EU is following suit with the Cyber Resilience Act (CRA), which from December 2027 requires manufacturers of products with digital elements placed on the EU market to draw up an SBOM covering at least the product\u2019s top-level dependencies.<\/p>\n<p>For German software vendors and manufacturers of digital products, this is a countdown: without SBOMs they are already shut out of US federal procurement, and from December 2027 they lose access to the EU market as well.<\/p>\n<h2>Integration into the Development Process<\/h2>\n<p>SBOMs shouldn\u2019t be created retroactively. Instead, they must be generated automatically during the build process. Tools such as Syft, Trivy, CycloneDX CLI, or SPDX-Tools integrate seamlessly into CI\/CD pipelines and produce SBOMs with every release. Generate the SBOM from the built artifact (the container image or release archive) rather than from the dependency manifest alone: lockfile resolution, vendored code, and bundled binaries all differ from what the manifest declares.<\/p>\n<p>The workflow: the build generates the SBOM; the SBOM is scanned against vulnerability databases (NVD, OSV) by matching each component\u2019s identifier and version against the published affected ranges; if critical findings emerge, the release is blocked. This <em>is<\/em> DevSecOps in action &#8211; transparency baked in as an automated quality standard.<\/p>\n<h2>SBOM Management: More Than Just Generation<\/h2>\n<p>Generating an SBOM is only the first step. Real value comes from continuous SBOM management: newly published CVEs are automatically matched against existing SBOMs; customers receive proactive notifications when impacted components are identified; and SBOMs are updated with every product release. Keep the SBOM of every shipped version, not just the latest one: the version a customer is actually running is the one that matters in an incident.<\/p>\n<p>Platforms like Dependency-Track (OWASP, open source) or commercial solutions such as Anchore and Sonatype automate this entire lifecycle. 
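<p>The lifecycle described above (match a product\u2019s SBOM against a vulnerability feed, gate the release on severity, and re-run the match across all stored SBOMs when a new advisory is published), as an added Python example. This is not code from the article, from Dependency-Track, or from any of the tools named; the two SBOMs, the fictional products orders-api and billing-svc, and the OSV-style record for CVE-2021-44228 are constructed inline so the script runs offline, and the purl-to-OSV ecosystem mapping and the version comparison are simplified assumptions rather than any tool\u2019s real semantics.<\/p>

```python
"""Match SBOMs against a vulnerability feed and gate a release on the result.
Added example (not code from the article, Dependency-Track or any tool it names);
all SBOMs and the advisory below are constructed sample data so it runs offline."""
import json

# CycloneDX 1.5 JSON SBOM for a fictional product "orders-api" (constructed).
ORDERS_API_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "orders-api", "version": "3.2.0"}},
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "jackson-databind", "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    ]})

# SPDX 2.3 JSON SBOM for a fictional product "billing-svc" (constructed), already patched.
BILLING_SVC_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "billing-svc@1.8.4",
    "packages": [{"name": "log4j-core", "versionInfo": "2.17.1", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}]})

# OSV-style advisory, constructed here to mirror the published Log4Shell range
# (log4j-core from 2.0-beta9 up to, but excluding, 2.15.0).
LOG4SHELL = {
    "id": "CVE-2021-44228", "severity": "CRITICAL",
    "affected": [{"package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.15.0"}]}]}]}

# purl type -> OSV ecosystem name (assumption: only the types needed for the sample data).
PURL_TYPE_TO_OSV = {"maven": "Maven", "npm": "npm", "pypi": "PyPI", "golang": "Go"}

def version_key(v):
    """Sort key for dotted versions; a '-suffix' marks a pre-release that sorts below the
    bare release. Adequate for the sample data, not a full Maven/semver comparator."""
    main, _, pre = v.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    return (tuple((nums + [0, 0, 0, 0])[:4]), 0 if pre else 1, pre)

def component_from_purl(purl):
    """pkg:type/namespace/name@version -> (osv ecosystem, osv name, version).
    Qualifiers, subpaths and URL-encoding are ignored (simplification)."""
    path, _, version = purl[len("pkg:"):].split("?")[0].split("#")[0].partition("@")
    ptype, _, rest = path.partition("/")
    *namespace, name = rest.split("/")
    if ptype == "maven":                      # OSV names Maven packages "group:artifact"
        name = ":".join(namespace + [name])
    elif namespace:
        name = "/".join(namespace + [name])
    return (PURL_TYPE_TO_OSV.get(ptype, ptype), name, version)

def parse_sbom(text):
    """Return (product label, [components]) from CycloneDX or SPDX JSON; entries
    without a purl cannot be matched reliably and are skipped."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        prod = doc["metadata"]["component"]
        label = f'{prod["name"]}@{prod["version"]}'
        purls = [c["purl"] for c in doc.get("components", []) if "purl" in c]
    elif "spdxVersion" in doc:
        label = doc["name"]
        purls = [r["referenceLocator"] for p in doc.get("packages", [])
                 for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"]
    else:
        raise ValueError("unrecognised SBOM format")
    return label, [component_from_purl(p) for p in purls]

def is_affected(comp, advisory):
    """True if comp lies inside any [introduced, fixed) range of the advisory."""
    ecosystem, name, version = comp
    v = version_key(version)
    for aff in advisory["affected"]:
        if (aff["package"]["ecosystem"], aff["package"]["name"]) != (ecosystem, name):
            continue
        for rng in aff.get("ranges", []):
            lo = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    lo = version_key(ev["introduced"])
                elif "fixed" in ev and lo is not None:
                    if lo <= v < version_key(ev["fixed"]):
                        return True
                    lo = None
            if lo is not None and lo <= v:        # introduced, no fix published yet
                return True
    return False

def findings(sbom_text, advisories):
    """(product, component, advisory id, severity) for every match in one SBOM."""
    label, comps = parse_sbom(sbom_text)
    return [(label, c, a["id"], a["severity"]) for c in comps for a in advisories if is_affected(c, a)]

def release_allowed(sbom_text, advisories, block_on=("CRITICAL", "HIGH")):
    """CI gate: match the build's SBOM against the feed; a blocking-severity hit fails the release."""
    return not any(sev in block_on for *_, sev in findings(sbom_text, advisories))

def affected_products(sboms, advisory):
    """Incident question: which stored SBOMs contain a component hit by this new advisory?"""
    return sorted({f[0] for s in sboms for f in findings(s, [advisory])})

if __name__ == "__main__":
    print("affected by CVE-2021-44228:", affected_products([ORDERS_API_SBOM, BILLING_SVC_SBOM], LOG4SHELL))
    print("orders-api release allowed:", release_allowed(ORDERS_API_SBOM, [LOG4SHELL]))
```

<p>Run stand-alone, the script names orders-api@3.2.0 as the only affected product and fails its release gate, while billing-svc, already on log4j-core 2.17.1, passes. Matching is keyed on the package URL, not on the human-readable component name: an SBOM entry without a purl (or CPE) forces every scanner back to fuzzy string comparison, which is where most false negatives come from.<\/p>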
The effort is a one-time pipeline integration &#8211; the payoff in a real incident is enormous.<\/p>\n<h2>Key Facts<\/h2>\n<p><strong>Transparency:<\/strong> SBOMs reduce response time to new CVEs &#8211; from weeks down to minutes<\/p>\n<p><strong>Regulation:<\/strong> US Executive Order 14028 already requires SBOMs from federal suppliers; the EU CRA makes them mandatory from December 2027<\/p>\n<p><strong>Adoption:<\/strong> SBOM generation rose 300% after Log4Shell (Sonatype)<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Which format should I use?<\/h3>\n<p>Use CycloneDX (OWASP) for security-focused SBOMs; SPDX (Linux Foundation) for license compliance. Both are machine-readable and can be converted into each other, though not losslessly, so pick one primary format. CycloneDX can embed VEX (Vulnerability Exploitability eXchange) statements directly, which matters because an SBOM match proves exposure, not exploitability: a vendor can record that a listed vulnerable component is not reachable in its product and spare customers a false-positive hunt.<\/p>\n<h3>Do I need to generate SBOMs for open-source dependencies?<\/h3>\n<p>Yes &#8211; and that\u2019s precisely where the greatest value lies. Most modern applications consist of 70-90% open-source components. Without SBOMs covering those dependencies, vulnerability management remains blind.<\/p>\n<h3>How should I share SBOMs with customers?<\/h3>\n<p>Three models exist: direct delivery with each release, access via an SBOM portal, or provision upon request. The CRA itself only obliges manufacturers to draw up the SBOM and make it available to market surveillance authorities on request; it does not require publishing it or sharing it with customers, but procurement contracts increasingly do. 
Establish your process now &#8211; before the mandate takes effect.<\/p>\n<h2>Related Articles<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2025\/10\/23\/post_id-4973\/\">Open Source Is the World\u2019s Greatest Security Risk  &#8211;  And We\u2019re All Ignoring It<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2023\/07\/13\/post_id-5050\/\">Security by Design in Software Development: Why Patching After the Fact Isn\u2019t Enough<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/?p=3282\">The MOVEit Hack: Anatomy of a Supply Chain Attack That Hit Thousands<\/a><\/li>\n<\/ul>\n<h2>More from the MBF Media Network<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.cloudmagazin.com\">Cloud Magazin<\/a>  &#8211;  Cloud, SaaS &amp; IT Infrastructure<\/li>\n<li><a href=\"https:\/\/www.mybusinessfuture.com\">myBusinessFuture<\/a>  &#8211;  Digitalization, AI &amp; Business<\/li>\n<li><a href=\"https:\/\/www.digital-chiefs.de\">Digital Chiefs<\/a>  &#8211;  C-Level Thought Leadership<\/li>\n<\/ul>\n<p><em>Header Image Source: Pexels \/ Mike Bird<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"SolarWinds, Log4Shell, MOVEit &#8211; every major supply chain attack of recent years could have been contained faster with a Software Bill of Materials (SBOM). SBOMs list every component in a software application and enable organizations to determine &#8211; within minutes &#8211; whether they\u2019re affected. Without them, that same assessment can take weeks. 
TL;DR US Executive [&hellip;]","protected":false},"author":55,"featured_media":5089,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"sboms","_yoast_wpseo_title":"Software Supply Chain Security: How SBOMs Create the Transparency That\u2019s Been Mi","_yoast_wpseo_metadesc":"SBOMs enhance software supply chain security by providing full component transparency, helping prevent breaches\u2014discover how SBOMs protect your software now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["post_id-5090"],"footnotes":""},"categories":[217],"tags":[245],"class_list":["post-8450","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-innovation","tag-compliance"],"evm_reading_time_minutes":4,"wpml_language":"en","wpml_translation_of":5090,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=8450"}],"version-history":[{"count":5,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8450\/revisions"}],"predecessor-version":[{"id":14408,"href":"https:\
/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/8450\/revisions\/14408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/5089"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=8450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=8450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=8450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}