What does an SBOM contain?
An SBOM details all the software components within an application or system, including third-party libraries, open-source packages, and proprietary code. It lists each component’s version, licence information, and cryptographic hashes for verification. Following high-profile incidents like SolarWinds and Log4j, SBOMs have become crucial for understanding and mitigating software supply chain risks, enabling organisations to quickly identify vulnerable components and apply necessary patches. They provide a baseline for assessing software security posture.
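As an added illustration (not code from the original page), the following Python builds a minimal CycloneDX-style SBOM subset for three constructed components and runs the two checks the paragraph describes: verifying each component's recorded SHA-256 against the bytes actually downloaded, and matching component versions against an advisory table. The artifact bytes, versions, licences and the advisory entry are all constructed sample values, and the advisory identifier is a placeholder rather than a real CVE number.

```python
import hashlib

# Constructed sample data, not a real product's SBOM: bytes of three "published" artifacts,
# their versions and licences, and the bytes an operator actually downloaded (one tampered).
PUBLISHED = {"log4j-core": b"published log4j-core 2.14.1 jar",
             "requests": b"published requests 2.31.0 wheel",
             "billing-lib": b"proprietary billing library 1.4.0"}
VERSIONS = {"log4j-core": "2.14.1", "requests": "2.31.0", "billing-lib": "1.4.0"}
LICENCES = {"log4j-core": "Apache-2.0", "requests": "Apache-2.0", "billing-lib": "LicenseRef-Proprietary"}
DOWNLOADED = dict(PUBLISHED, requests=b"tampered requests 2.31.0 wheel")
# Constructed advisory table: (component, first vulnerable, first fixed, placeholder id).
ADVISORIES = [("log4j-core", "2.0", "2.15.0", "ADVISORY-PLACEHOLDER-1")]


def build_sbom() -> dict:
    """Minimal CycloneDX-style SBOM (a JSON-compatible subset) built from the published artifacts."""
    components = [{
        "type": "library", "name": name, "version": VERSIONS[name],
        "licenses": [{"license": {"id": LICENCES[name]}}],
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}],
    } for name, data in PUBLISHED.items()]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; pre-release suffixes are out of scope for this sample.
    return tuple(int(p) for p in v.split("."))


def verify_hashes(sbom: dict, artifacts: dict) -> list:
    """Names of components whose downloaded bytes do not match the SBOM's SHA-256 entry."""
    mismatched = []
    for comp in sbom["components"]:
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if hashlib.sha256(artifacts[comp["name"]]).hexdigest() != expected:
            mismatched.append(comp["name"])
    return mismatched


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """(component, version, advisory id) for each component inside an advisory's version range."""
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for name, first_bad, first_fixed, adv_id in advisories:
            if comp["name"] == name and parse_version(first_bad) <= ver < parse_version(first_fixed):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits
```

Running `verify_hashes(build_sbom(), DOWNLOADED)` flags the tampered download, and `find_vulnerable` flags the log4j-core entry because its version falls inside the advisory's range.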
SBOM expectations in Australia today
In Australia, the increasing adoption of SBOMs is driven by several factors. The Critical Infrastructure Security Centre (CISC) SOCI rules mandate improved software supply chain risk management, which includes SBOM generation and consumption. Defence procurement processes are also increasingly requiring SBOMs. Microsoft publishes SBOMs for its Azure SDKs, demonstrating a commitment to transparency. AU mid-market organisations should consider generating or requesting SBOMs from their software vendors to meet compliance obligations and improve their overall cybersecurity resilience, aligning with the ACSC Essential Eight and contributing to a more secure digital ecosystem.