2025-03-11
In this episode of #KEYMASTER, we explore the evolving landscape of Software Bill of Materials (SBOMs). Our guest, Olle E. Johansson, is an experienced and appreciated speaker, teacher, open source developer, and consultant who brings valuable insights to a discussion of SBOMs with Sven Rajala, Keyfactor's international PKI man of mystery.
SBOMs are frequently discussed today and often presented as a silver bullet for solving software security problems. In reality, they are a crucial but complex piece of the puzzle.
An analogy can be drawn to food labeling to illustrate the importance of transparency in software components. Just as someone with lactose intolerance relies on labels to avoid dairy, understanding software components is essential to mitigate risks. If you – for some reason – need to know whether a certain software component exists in a product, doing so without an SBOM is nearly impossible, just as it would be to identify allergens without an ingredient list.
Understanding vulnerabilities such as the one in Log4j, and managing software dependencies in general, require a reliable way to track components and prioritize risks. However, the SBOM landscape is still in its infancy, and different types of SBOM are emerging.
SBOM scanners are becoming more available, but their outputs vary significantly. Some enterprises manually curate their own "source of truth," using alerts to detect discrepancies between scanner results and known software inventories.
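The "source of truth" approach described above, reduced to working code as an added example (this is not code from the episode or from any project it mentions): a scanner-produced CycloneDX SBOM is reconciled against a curated inventory and every discrepancy becomes an alert line. Both documents are constructed for the example; the package names and versions are assumptions. Components are matched on their Package URL (purl) with the version stripped, nested CycloneDX components are walked, and components that carry no purl are reported rather than silently dropped, since those are exactly the ones a scanner and an inventory will disagree about.

```python
"""Reconcile a scanner-produced CycloneDX SBOM against a curated inventory.

Added example, not from the episode. The SBOM and the inventory below are
constructed. Matching is on the versionless Package URL (purl).
"""
import json

# Constructed scanner output: CycloneDX 1.5 JSON, trimmed to the fields used.
# log4j-core is nested under the starter that pulls it in, as CycloneDX permits.
SCANNER_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "spring-boot-starter-log4j2", "version": "2.5.0",
     "purl": "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"}
     ]},
    {"type": "library", "name": "jackson-databind", "version": "2.15.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"type": "library", "name": "snakeyaml", "version": "1.33",
     "purl": "pkg:maven/org.yaml/snakeyaml@1.33"},
    {"type": "library", "name": "vendored-helper", "version": "0.1"}
  ]
}
""")

# Constructed curated inventory: versionless purl -> version the team believes ships.
CURATED_INVENTORY = {
    "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2": "2.5.0",
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": "2.15.2",
    "pkg:maven/org.slf4j/slf4j-api": "2.0.9",
}


def split_purl(purl):
    """Return (purl without version, qualifiers and subpath; version or None)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]   # drop '?qualifiers' and '#subpath'
    base, _, version = core.partition("@")          # the version follows the '@'
    return base, (version or None)


def walk_components(components):
    """Yield every component, including ones nested under other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def sbom_components(sbom):
    """Map versionless purl -> version; also collect names of components with no purl."""
    found, no_purl = {}, []
    for comp in walk_components(sbom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            no_purl.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        found[base] = version
    return found, no_purl


def reconcile(sbom, inventory):
    """Classify every discrepancy between what the scanner saw and the inventory."""
    scanned, no_purl = sbom_components(sbom)
    both = set(scanned) & set(inventory)
    return {
        # scanner found it, inventory never listed it: a shadow dependency
        "unexpected": sorted(set(scanned) - set(inventory)),
        # inventory claims it ships, scanner did not find it: stale inventory or scanner gap
        "missing": sorted(set(inventory) - set(scanned)),
        # same package, different version: (inventory says, scanner says)
        "version_mismatch": {p: (inventory[p], scanned[p]) for p in sorted(both)
                             if inventory[p] != scanned[p]},
        # cannot be matched at all; needs a human to assign an identifier
        "no_purl": no_purl,
    }


def alerts(report):
    """Render one alert line per discrepancy, suitable for a ticket or SIEM feed."""
    lines = [f"UNEXPECTED {p}" for p in report["unexpected"]]
    lines += [f"MISSING {p}" for p in report["missing"]]
    lines += [f"VERSION {p}: inventory={inv} scanner={scan}"
              for p, (inv, scan) in report["version_mismatch"].items()]
    lines += [f"NO-PURL {name}: cannot be matched" for name in report["no_purl"]]
    return lines


if __name__ == "__main__":
    for line in alerts(reconcile(SCANNER_SBOM, CURATED_INVENTORY)):
        print(line)
```

With the constructed input this yields four alerts: snakeyaml is a shadow dependency, slf4j-api is claimed but not found, log4j-core is older than the inventory says, and the vendored helper has no purl. Matching on the versionless purl rather than on `name` is deliberate: two scanners will often disagree on the display name but agree on the purl, and a purl with qualifiers (`?type=jar`) still matches one without them.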
Beyond security, SBOMs have roots in open-source license compliance, addressing challenges like managing thousands of dependencies with different licensing requirements. Organizations have faced legal challenges due to GPL violations, making SBOMs an essential tool for both risk management and regulatory adherence.
With the introduction of legislation like the EU Cyber Resilience Act, SBOMs are becoming a regulatory requirement. The concept of cost per dependency highlights that while open-source software may be free to acquire, it comes with long-term management costs.
The fragmented availability of SBOMs—sometimes buried in documentation pages, sometimes accessible in OCI registries—creates challenges for organizations trying to automate their software supply chain security.
Efforts like the OWASP Transparency Exchange API (TEA) aim to establish an Ecma standard for discovering and retrieving SBOMs and related artifacts, such as C-SBOMs, CSAF, and VEX files. The initiative seeks to reduce manual effort and integrate SBOMs seamlessly into development workflows.
As SBOM adoption grows, discussions around VEX (Vulnerability Exploitability eXchange) are gaining traction. A VEX statement lets a supplier say whether a vulnerability in a listed component actually affects the product, which shapes how organizations assess and act on software vulnerabilities. This session provides a clearer understanding of SBOMs, their challenges, and their potential to enhance software transparency, security, and compliance.
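What "acting on" a VEX document looks like in practice, as an added example that is not code from the episode or from any project it mentions: scanner findings are triaged against a CycloneDX VEX document, and each finding is suppressed, escalated or left open for investigation. The findings, the VEX document and the bom-refs `comp-log4j`, `comp-jackson` and `comp-snakeyaml` are constructed for the example; the analysis states are the values CycloneDX defines for `analysis.state`. One caveat is built in as a design choice: a bare `not_affected` with no justification is not trusted to close a finding.

```python
"""Apply CycloneDX VEX statements to scanner findings.

Added example, not from the episode. Findings, VEX document and bom-refs are
constructed. Analysis states are the CycloneDX 'analysis.state' values.
"""
import json

# Constructed scanner findings: (component bom-ref, vulnerability id).
FINDINGS = [
    ("comp-log4j", "CVE-2021-44228"),
    ("comp-log4j", "CVE-2021-45046"),
    ("comp-jackson", "CVE-2020-36518"),
    ("comp-snakeyaml", "CVE-2022-1471"),
]

# Constructed supplier VEX (CycloneDX 1.5 JSON, trimmed to the fields used).
VEX = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-2021-44228",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "JndiLookup class removed from the shipped jar"},
     "affects": [{"ref": "comp-log4j"}]},
    {"id": "CVE-2020-36518",
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "comp-jackson"}]},
    {"id": "CVE-2022-1471",
     "analysis": {"state": "not_affected"},
     "affects": [{"ref": "comp-snakeyaml"}]}
  ]
}
""")

# States under which a finding may be closed on the supplier's word.
CLOSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def index_vex(vex):
    """Map (bom-ref, vulnerability id) -> analysis. A statement applies only to the
    refs it lists under 'affects'; a statement with no 'affects' applies to nothing."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(target.get("ref"), vuln.get("id"))] = vuln.get("analysis", {})
    return index


def triage(findings, vex):
    """Decide per finding: 'suppress', 'escalate' or 'investigate'."""
    index = index_vex(vex)
    decisions = {}
    for ref, vuln_id in findings:
        analysis = index.get((ref, vuln_id))
        state = None if analysis is None else analysis.get("state")
        if analysis is None:
            decision = "investigate"   # supplier has said nothing about this pair
        elif state == "not_affected" and not analysis.get("justification"):
            decision = "investigate"   # bare claim with no justification: ask for one
        elif state in CLOSING_STATES:
            decision = "suppress"
        elif state == "exploitable":
            decision = "escalate"
        else:
            decision = "investigate"   # in_triage, or a state this code does not know
        decisions[(ref, vuln_id)] = decision
    return decisions


if __name__ == "__main__":
    for (ref, vuln_id), decision in triage(FINDINGS, VEX).items():
        print(f"{decision:12} {ref} {vuln_id}")
```

Two details matter more than the state table itself: the statement is keyed on the pair (component ref, vulnerability id), so a supplier's `not_affected` for one component never silences the same CVE in another, and the finding with no statement at all stays open rather than being treated as either safe or exploitable.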
Stay tuned for more #KEYMASTER episodes as we continue exploring critical security topics!
Olle E. Johansson is an experienced and appreciated speaker, teacher as well as an Open Source developer and consultant. He is currently project lead for OWASP Project Koala, developing the Transparency Exchange API (TEA), member of the CycloneDX industry working group, the OWASP SBOM Forum, co-founder of SBOMEurope.eu and a leader for the DNS TAPIR Open Source project.
While not trying to save the world with SBOMs, he is helping clients with the journey towards CRA compliance as a consultant in his company Edvina AB. Once a year, he organises the Nordic Software Security Summit conference in Stockholm, Sweden. Olle has been a core developer of Asterisk - the Open Source PBX, part of the core team in Kamailio.org and is currently also a member of the team that tries to put some new energy into SoftHSM.org.