What does Software Bill of Materials (SBOM) mean?
A Software Bill of Materials (SBOM) is a document that lists the components used to build a software application. SBOMs are useful for identifying which software applications are most at risk when a vulnerability is discovered in a third-party component.
SBOMs are created and maintained by software vendors and individual program authors. Ideally, a new SBOM should be produced every time a new software version is released to the general public. The documentation provided by an SBOM can help stakeholders to:
- Gain greater visibility into software assets.
- Perform due diligence to assess risks.
- Identify and monitor potential regulatory compliance conflicts.
- Prioritize remediation options.
Techopedia explains Software Bill of Materials (SBOM)
The benefits of SBOMs apply to both software vendors and software consumers. The creation of shareable SBOMs is expected to play an increasingly important role in software lifecycle management, supply chain management, and software asset management.
Currently, there are three commonly used formats for creating and sharing SBOMs: SWID tagging, SPDX, and CycloneDX.
SWID tagging – Software identification (SWID) tags contain information about a specific version of a software product. The Trusted Computing Group (TCG) and the Internet Engineering Task Force (IETF) both support SWID tags in their standards.
SPDX – Software Package Data Exchange® is an open standard for communicating information about software bills of materials. The SPDX specification is also published as ISO/IEC 5962:2021.
CycloneDX – CycloneDX is a lightweight SBOM standard designed for use in application security contexts. CycloneDX is managed by the CycloneDX Core working group with assistance from members of the Open Web Application Security Project® (OWASP).
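The following added example (not from Techopedia or any SBOM project) shows the use case the definition describes: given SBOMs for several applications, find which applications ship a component covered by a newly published advisory, and rank the applications by how many affected components they contain. The SBOM documents are constructed inline in the CycloneDX JSON layout (bomFormat, specVersion, metadata.component, components with name, version and purl); the package names and advisory version ranges are invented for illustration.

```python
import json

# Build a minimal CycloneDX 1.4 JSON document for one application.
# The component data passed in is constructed for this example.
def make_sbom(app_name, app_version, components):
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:{ecosystem}/{name}@{version}"}
            for ecosystem, name, version in components
        ],
    }
    return json.dumps(doc, indent=2)

# Constructed inventory: two applications and the libraries they bundle.
SBOMS = {
    "billing-service": make_sbom("billing-service", "2.3.0", [
        ("maven", "log-helper", "2.14.1"),
        ("npm", "json-parse", "1.0.5"),
        ("pypi", "crypto-utils", "3.2.0"),
    ]),
    "report-portal": make_sbom("report-portal", "1.8.2", [
        ("maven", "log-helper", "2.12.0"),
        ("npm", "json-parse", "1.0.2"),
    ]),
}

# Constructed advisories (hypothetical packages, not real CVEs):
# (package name, first affected version, first fixed version).
ADVISORIES = [
    ("log-helper", "2.0.0", "2.15.0"),
    ("json-parse", "1.0.0", "1.0.5"),
]

def parse_version(text):
    # Dotted numeric versions compare correctly as integer tuples;
    # a real scanner would use an ecosystem-specific version parser.
    return tuple(int(part) for part in text.split("."))

def load_components(sbom_text):
    # Reject documents that are not CycloneDX before trusting their shape.
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]

def affected_components(sbom_text, advisories):
    # Return (name, version, first_fixed) for every component inside an affected range.
    hits = []
    for name, version in load_components(sbom_text):
        current = parse_version(version)
        for adv_name, first_affected, first_fixed in advisories:
            if name != adv_name:
                continue
            if parse_version(first_affected) <= current < parse_version(first_fixed):
                hits.append((name, version, first_fixed))
    return hits

def rank_applications(sboms, advisories):
    # Applications with the most affected components come first,
    # so remediation can be prioritised across the portfolio.
    ranked = [(app, affected_components(text, advisories)) for app, text in sboms.items()]
    ranked = [(app, hits) for app, hits in ranked if hits]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked

if __name__ == "__main__":
    for app, hits in rank_applications(SBOMS, ADVISORIES):
        print(app)
        for name, version, fixed in hits:
            print(f"  {name} {version} -> upgrade to {fixed}")
```

Note that json-parse 1.0.5 in billing-service is not reported, because the advisory's fixed version is excluded from the affected range; getting that boundary right is what makes an SBOM-driven check useful rather than noisy.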