Secure software starts with the right ingredients!
Secure software requires transparency – keep track of all components with SBOMs.

Greater security with SBOMs
Connected and software-controlled systems place high demands on the security of their digital components. One of the key challenges is to identify every software component in use, without exception, and to make its origin traceable. This is precisely where the Software Bill of Materials (SBOM) comes in.
What is a Software Bill of Materials (SBOM)?
An SBOM is a detailed list of all software components and their dependencies used in a system or application. It can be thought of as an “ingredients list” for software products that transparently discloses exactly what has been used.
This transparency offers numerous advantages:
- Better control and visibility: Developers and security managers can see at a glance which components and versions are present and, by matching them against vulnerability databases, whether any of them are affected by known security vulnerabilities.
- More efficient risk assessment: Security analyses and patch management become faster and more accurate, because when a vulnerability is published it is immediately clear which components and which products are affected.
- Compliance: More and more regulatory requirements and industry standards explicitly require the use of an SBOM, for example in medical technology, the automotive industry, and critical infrastructure.

SBOM and security: an unbeatable duo
In the context of cybersecurity, the SBOM plays a crucial role, especially in light of growing cyber threats such as supply chain attacks. When a security incident or a new vulnerability is reported, the SBOM makes it possible to determine quickly which components and products are affected, so that targeted measures can be taken.
How do you create an SBOM?
There are various established standards and formats for creating an SBOM, including:
- CycloneDX: An OWASP project that is widely used, especially in software development and DevOps pipelines.
- SPDX (Software Package Data Exchange): An open standard maintained under the Linux Foundation and published as ISO/IEC 5962:2021.
Modern software development tools enable SBOMs to be created automatically during the development process. This reduces manual effort and minimizes sources of error.
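To make the format and its use concrete, the following is an added example (not code from the original page and not Ginzinger's SBOM tool): it builds a minimal CycloneDX 1.5 document in JSON for a constructed component inventory, then shows the two checks the text describes, matching the listed components against a list of advisories and summarizing the licenses. The inventory, the advisory identifiers (EXAMPLE-0001, EXAMPLE-0002) and the version ranges are all constructed placeholders, not real products or real vulnerabilities.

```python
"""Minimal CycloneDX SBOM generation plus vulnerability and license lookup.

Added example for illustration. Component names, versions, licenses and
advisories below are constructed placeholders, not real products or CVEs.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory of an embedded image: (name, version, SPDX license id).
INVENTORY = [
    ("libfoo", "1.2.3", "MIT"),
    ("libbar", "2.0.1", "Apache-2.0"),
    ("shell-tools", "1.36.0", "GPL-2.0-only"),
]

# Constructed advisories with placeholder identifiers; "introduced" is the
# first affected version, "fixed" the first version that is no longer affected.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "EXAMPLE-0002", "component": "libbar", "introduced": "1.0.0", "fixed": "2.0.0"},
]


def make_purl(name: str, version: str) -> str:
    """Package URL for a generic (non-ecosystem) component."""
    return f"pkg:generic/{name}@{version}"


def build_cyclonedx(product: str, product_version: str, inventory) -> str:
    """Return a CycloneDX 1.5 JSON document describing `product` and its components."""
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "firmware", "name": product, "version": product_version},
        },
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": make_purl(name, version),
                "licenses": [{"license": {"id": license_id}}],
            }
            for name, version, license_id in inventory
        ],
    }
    return json.dumps(bom, indent=2)


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.2.3' -> (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))


def affected_components(bom_json: str, advisories) -> list:
    """Match every component in the SBOM against the advisory list.

    Returns (advisory id, purl, fixed version) for each affected component.
    A component is affected if introduced <= its version < fixed.
    """
    bom = json.loads(bom_json)
    hits = []
    for comp in bom.get("components", []):
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append((adv["id"], comp["purl"], adv["fixed"]))
    return hits


def license_summary(bom_json: str) -> dict:
    """Map each component name to the SPDX license ids declared for it."""
    bom = json.loads(bom_json)
    return {
        comp["name"]: [entry["license"]["id"] for entry in comp.get("licenses", [])]
        for comp in bom.get("components", [])
    }


if __name__ == "__main__":
    sbom = build_cyclonedx("example-device-image", "2024.1", INVENTORY)
    print(sbom)
    for adv_id, purl, fixed in affected_components(sbom, ADVISORIES):
        print(f"{adv_id}: {purl} is affected, update to {fixed}")
    print(license_summary(sbom))
```

Running the script prints the SBOM, reports that libfoo 1.2.3 falls inside the affected range of EXAMPLE-0001 while libbar 2.0.1 is already at or past the fixed version of EXAMPLE-0002, and lists the declared licenses. Real tooling would read the advisories from a vulnerability database and compare versions with ecosystem-aware rules rather than plain dotted integers, but the structure of the check is the same.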

SBOM at GELin
At GELin, Ginzinger's embedded Linux distribution, which has been used in many customer products for many years, the creation and use of SBOMs has long played a key role. In addition to its relevance for cybersecurity, the GELin SBOM also forms the basis for open source compliance, because it lists not only components and versions but also their license characteristics.
Ginzinger originally developed its own SBOM format long before CycloneDX and SPDX became industry-recognized standards. The SBOM tool is currently being expanded to support the two established formats CycloneDX and SPDX, so that the requirements of the Cyber Resilience Act (CRA) can be met in full.
Transparency as the key to secure software
The SBOM is not an optional addition to embedded projects, but an essential component of modern IT security strategies. By comprehensively documenting the software components used, companies create transparency and predictability, improve their responsiveness in emergencies, and comply with regulatory requirements more efficiently. A solid SBOM is crucial for ensuring secure and reliable software solutions in the long term.