A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a
software artifact.
A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.
Usage
An SBOM allows builders to make sure open-source and third-party software components are up to date and to respond quickly to new vulnerabilities. Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.
While many companies use a spreadsheet for general BOM management, an SBOM kept in a spreadsheet brings additional risks and issues, because other tools cannot easily query or validate it. It is best practice for SBOMs to be stored collectively in a repository that can be part of other automation systems and easily queried by other applications.
Legislation
The Cyber Supply Chain Management and Transparency Act of 2014 was a failed piece of US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase and for "any software, firmware, or product in use by the United States Government". The act spurred later legislation such as the Internet of Things Cybersecurity Improvement Act of 2017.
The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021 ordered NIST and NTIA to lay down guidelines for software supply chain management, including for SBOMs.
The NTIA outlines three broad categories of minimum elements of SBOMs: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs).
The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.
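As an added illustration of the vulnerability analysis described under Usage and of the NTIA "data fields" category above (example code written for this article, not a tool or code taken from the article's sources), the Python below loads a small constructed SBOM in the CycloneDX JSON layout, checks each component for the seven baseline fields the NTIA's 2021 minimum-elements document lists (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), matches components against a constructed advisory list, and reports the dependency path to each affected component. The SBOM contents, the hypothetical ADV-000n advisory identifiers, the numeric-only version comparison, and the mapping of the baseline fields onto CycloneDX's supplier.name, purl/cpe, dependencies, metadata.authors and metadata.timestamp are this example's assumptions.

```python
import json

# Constructed sample SBOM in the CycloneDX JSON layout (bomFormat, metadata,
# components, dependencies). Supplier and component names, versions and the
# deliberately incomplete libbaz entry are made up for this example.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T10:00:00Z",
        "authors": [{"name": "release-pipeline"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "2.3.0", "bom-ref": "example-app@2.3.0"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "bom-ref": "libfoo@1.4.2",
         "supplier": {"name": "Foo Project"}, "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "0.9.0", "bom-ref": "libbar@0.9.0",
         "supplier": {"name": "Bar Inc"}, "purl": "pkg:generic/libbar@0.9.0"},
        # Incomplete on purpose: no supplier and no unique identifier (purl/cpe).
        {"type": "library", "name": "libbaz", "version": "3.0.1", "bom-ref": "libbaz@3.0.1"},
    ],
    "dependencies": [
        {"ref": "example-app@2.3.0", "dependsOn": ["libfoo@1.4.2", "libbar@0.9.0"]},
        {"ref": "libfoo@1.4.2", "dependsOn": ["libbaz@3.0.1"]},
    ],
})

# Constructed advisory feed with hypothetical identifiers (not real CVEs):
# a component is affected when its version is below "fixed_in".
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "name": "libbaz", "fixed_in": "3.1.0"},
    {"id": "ADV-0002", "name": "libbar", "fixed_in": "0.9.0"},  # 0.9.0 is already fixed
    {"id": "ADV-0003", "name": "libqux", "fixed_in": "2.0.0"},  # not in this SBOM
]

def load_sbom(text):
    """Parse SBOM JSON text into a dict."""
    return json.loads(text)

def _version_key(version):
    """Numeric dotted versions only ("1.4.2" -> (1, 4, 2)); an assumption of this example."""
    return tuple(int(part) for part in version.split("."))

def missing_baseline_fields(sbom):
    """Return {"metadata" or bom-ref: [missing NTIA baseline field names]} for entries with gaps."""
    gaps = {}
    meta = sbom.get("metadata", {})
    doc_checks = (("author of SBOM data", meta.get("authors")), ("timestamp", meta.get("timestamp")))
    doc_gaps = [label for label, present in doc_checks if not present]
    if doc_gaps:
        gaps["metadata"] = doc_gaps
    in_graph = set()  # every ref named anywhere in the dependency relationships
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep["ref"])
        in_graph.update(dep.get("dependsOn", []))
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        checks = (("supplier name", comp.get("supplier", {}).get("name")),
                  ("component name", comp.get("name")),
                  ("version", comp.get("version")),
                  ("unique identifier", comp.get("purl") or comp.get("cpe")),
                  ("dependency relationship", ref in in_graph))
        comp_gaps = [label for label, present in checks if not present]
        if comp_gaps:
            gaps[ref] = comp_gaps
    return gaps

def find_affected(sbom, advisories):
    """Return [(advisory id, bom-ref), ...] for components whose version is below the fix."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["name"] and \
                    _version_key(comp["version"]) < _version_key(adv["fixed_in"]):
                hits.append((adv["id"], comp["bom-ref"]))
    return hits

def dependency_path(sbom, target_ref):
    """Depth-first search from the root component; returns the bom-ref path to
    target_ref or None, which is how a transitive vulnerable dependency is located."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    stack, seen = [[root]], set()
    while stack:
        path = stack.pop()
        node = path[-1]
        if node == target_ref:
            return path
        if node in seen:
            continue
        seen.add(node)
        stack.extend(path + [child] for child in edges.get(node, []))
    return None

def triage(sbom_text, advisories):
    """Run the checks a queryable SBOM store makes routine: field gaps and advisory hits."""
    sbom = load_sbom(sbom_text)
    return {"gaps": missing_baseline_fields(sbom),
            "affected": [(adv_id, ref, dependency_path(sbom, ref))
                         for adv_id, ref in find_affected(sbom, advisories)]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES), indent=2))
```

On the sample input, the gap check flags libbaz for a missing supplier name and unique identifier, the advisory check matches libbaz 3.0.1 against ADV-0001, and the path example-app, libfoo, libbaz shows that the affected library is reached only through libfoo. Because all three checks are ordinary functions over parsed JSON, the same code can be run over every SBOM in a repository, which is what a queryable store offers over a spreadsheet.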
See also
* Reproducible builds
* Software Package Data Exchange
* Software toolchain
* Supply chain attack
* Manifest file
* Dependency hell