Organizations need to manage cybersecurity risks in increasingly complex IT and OT infrastructures that are composed of heterogeneous systems and services, both on-premises and in the cloud. Many of these components are produced or provided by third parties, exposing organizations to a variety of risks that need to be carefully managed and mitigated (among other things, to be prepared for Log4Shell-type scenarios). Software Bills of Materials (SBOMs) are gaining popularity as a way to describe software composition and dependencies. SBOMs make software vulnerabilities (CVEs) visible in real time, without having to rely on security advisories from a vendor, leading to a more effective and efficient vulnerability management process.
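The matching step described above, as an added example that is not part of the talk or of TNO's work: a constructed, CycloneDX-style component list is checked against a constructed vulnerability feed, so that an affected component is found from the SBOM alone rather than from a vendor advisory. Component names, versions and the vulnerability identifiers are placeholders, not real CVE data.

```python
"""Match SBOM components against a vulnerability feed (added example)."""
from typing import Dict, List, Tuple

# Constructed SBOM: the kind of component list a CycloneDX-style SBOM carries.
SBOM: Dict[str, List[Dict[str, str]]] = {
    "components": [
        {"name": "log4j-core", "version": "2.14.1"},
        {"name": "openssl", "version": "3.0.7"},
        {"name": "jackson-databind", "version": "2.13.4"},
    ]
}

# Constructed feed: affected range is [introduced, fixed). IDs are placeholders.
VULN_FEED: List[Dict[str, str]] = [
    {"id": "CVE-PLACEHOLDER-1", "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-PLACEHOLDER-2", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.7"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); a '-rc1' style suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(component: Dict[str, str], record: Dict[str, str]) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if component["name"] != record["name"]:
        return False
    v = parse_version(component["version"])
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed"])


def match_sbom(sbom: Dict[str, List[Dict[str, str]]],
               feed: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, vulnerability id) for every affected component."""
    hits = []
    for component in sbom["components"]:
        for record in feed:
            if is_affected(component, record):
                hits.append((component["name"], component["version"], record["id"]))
    return hits


if __name__ == "__main__":
    for name, version, vuln_id in match_sbom(SBOM, VULN_FEED):
        print(f"{name} {version} is affected by {vuln_id}")
```

Real SBOM tooling matches on package URLs (purl) or CPEs rather than bare names, since the same library can be published under several names and ecosystems; name-only matching, as here, is the simplest form of the idea.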
Potentially, the value of the SBOM concept extends well beyond traditional SecOps. xBOMs can, for instance, be created to describe the composition and dependencies of hardware (HBOM), cryptographic functions and properties (CBOM), and even AI ecosystems (AI-BOM). Building on these experiences, TNO has developed BOM formats that describe IT and OT infrastructures, the software running on these systems, and the security objectives that they need to achieve. Such Infrastructure BOMs (I-BOMs) can, among other things, provide a basis for advanced risk modelling and situational awareness capabilities.
In this talk, we explore recent and foreseen developments in the world of SBOMs and discuss how a Bill of Materials can be used in mature security posture management processes such as risk identification, supply chain security management, digital twinning, attack graph generation, and more.