TLDR:
- Software bills of materials (SBOMs) are being used by attackers to search for vulnerable software.
- SBOMs contain detailed information about software components, making it easy for attackers to exploit vulnerabilities.
Government and security-sensitive companies are increasingly requiring software makers to provide them with software bills of materials (SBOMs) to increase transparency and visibility in the software industry. Larry Pesce, a director at Finite State, warns about the risks of SBOMs falling into the wrong hands, since an attacker who obtains one can readily identify vulnerable components. Pesce argues that an attacker holding a database of SBOMs could search it for a specific vulnerable component, making it easier to find software that carries a given flaw.
Efforts are underway to make SBOMs standard practice; more than half of companies already require SBOMs for applications. Pesce suggests that SBOMs could also serve offensive purposes, letting attackers determine which applications might be exposed to a specific vulnerability. He also highlights the importance of red teaming and of incorporating SBOMs into vulnerability management programs.
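As an added example (not from the article, Pesce, or Finite State), this is the defender's side of the matching Pesce describes: a constructed CycloneDX-style SBOM is checked against a constructed advisory list with placeholder identifiers, so an organization can see which of its own components fall inside a vulnerable version range before anyone else does.

```python
import json

# Constructed CycloneDX-style SBOM for illustration, not a real product's SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "2.3.1",
     "purl": "pkg:generic/libexample@2.3.1"},
    {"type": "library", "name": "netlib", "version": "1.0.9",
     "purl": "pkg:generic/netlib@1.0.9"},
    {"type": "library", "name": "parserx", "version": "4.1.0",
     "purl": "pkg:generic/parserx@4.1.0"}
  ]
}"""

# Constructed advisory feed: affected versions are [introduced, fixed).
# The ids are placeholders, not real CVE or advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl_base": "pkg:generic/libexample",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-PLACEHOLDER-2", "purl_base": "pkg:generic/netlib",
     "introduced": "1.0.0", "fixed": "1.0.9"},
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """Split 'pkg:type/name@version' into (base, version)."""
    base, _, version = purl.partition("@")
    return base, version

def find_affected(sbom_json, advisories):
    """Return (purl, advisory id) pairs for SBOM components whose version
    lies inside an advisory's half-open [introduced, fixed) range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl_base"] != base:
                continue
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((comp["purl"], adv["id"]))
    return hits

if __name__ == "__main__":
    for purl, adv_id in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{purl} matches {adv_id}")
```

Note the boundary case: netlib 1.0.9 equals its advisory's fixed version, so it is correctly not reported, while libexample 2.3.1 sits inside its range and is.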
While some may argue that SBOMs should only be shared with customers, Pesce believes that limiting their publication will be difficult, as they are likely to leak to the public anyway. The wide availability of tools that generate SBOMs from binaries and source code further complicates any effort to restrict their publication.