1. Overview

An SBOM (Software Bill of Materials) is a machine-readable inventory that lists the components of a piece of software and their dependencies. It records details such as the name and version of each component and information about its developer, and it can cover proprietary software as well as OSS (Open Source Software).

 

When SBOMs can be shared across organizational boundaries throughout the software supply chain, from upstream to downstream, transparency of the supply chain improves significantly. Consequently, SBOMs are being recognized as an important means of managing vulnerabilities in software components.

 

For this reason, countries such as the United States and Japan have been actively implementing policies and pilot projects for SBOM Implementation, particularly in the medical device and automotive industries.

 

The U.S. National Telecommunications and Information Administration (NTIA) conducted pilot projects in 2018, followed by mandates under the 2021 U.S. Presidential Executive Order and the EU Cybersecurity Act, requiring SBOM compliance by software developers. Similarly, Japan's Ministry of Economy, Trade and Industry (METI) has been promoting SBOM implementation through pilot projects, first in the automotive sector in 2021 and later in the medical device sector in 2022.

 

The benefits of SBOM Implementation include vulnerability management, license management, and productivity improvement. Additional indirect advantages include more efficient end-of-life (EOL) management for software and enhanced product and corporate value.

 

This article introduces a practical SBOM Implementation checklist that outlines key considerations for organizations planning to implement SBOMs.


2. SBOM Implementation

This section summarizes the basic guidelines, processes, and implementation checklists for SBOM Implementation based on the “Guidelines for Introducing SBOM for Software Management” published by Japan’s Ministry of Economy, Trade and Industry in 2024.


2.1. Key Considerations Before SBOM Implementation

Before the Implementation of SBOM, it is essential to determine the scope of software to be documented and to clarify the organizational challenges to be addressed through SBOM implementation. Based on this, enterprises should define the purpose of SBOM Implementation.

 

The scope of SBOM application, such as the required fields, the format, the extent of creation, and the range of sharing, varies significantly depending on the purpose of implementation. Enterprises should therefore first identify their internal software-management challenges, clearly define the purpose of SBOM implementation, and then proceed with the creation, operation, and management of SBOMs accordingly.


2.2. SBOM Implementation Process

The SBOM implementation process can be divided into three main phases: Environment Development and System Preparation, SBOM Creation and Sharing, and SBOM Operation and Management.

 

In the Environment Development and System Preparation phase, the scope of SBOM Implementation is clarified, and the environment and structure required for SBOM creation and sharing are established. In the SBOM Creation and Sharing phase, the actual SBOM is generated and shared externally as necessary. Since SBOM serves as a method for software management, it is not only the creation but also the proper utilization and management of SBOM that are important. Therefore, during the Operation and Management phase, SBOM should be used for effective vulnerability and license management while maintaining proper oversight of the SBOM data itself.


The three phases of the SBOM Implementation process can be summarized as follows:


SBOM Implementation Process

| Phase | Step | Implementation details |
|---|---|---|
| Environment Development and System Preparation | Clarification of SBOM Scope | Identify and organize information about the target software (programming languages, contract type, regulatory requirements, internal constraints, etc.) to clearly define the scope of SBOM application. |
| | Selection of SBOM Tool | Define evaluation criteria for selecting SBOM tools based on the target software's development language and internal organizational constraints, and evaluate and select suitable tools accordingly. |
| | Installation and Configuration of SBOM Tool | Review manuals or README files to install and configure the selected SBOM tool properly. |
| | Learning and Training on SBOM Tool | Review manuals or README files to understand how to use the tool and acquire operational proficiency. |
| SBOM Creation and Sharing | Component Analysis | Analyze the components of the target software using the SBOM tool and verify that the analysis results contain no false positives or omissions. |
| | SBOM Creation | Define SBOM requirements such as items, format, and output file type, and generate the SBOM accordingly. |
| | SBOM Sharing | Determine and implement appropriate methods for sharing the SBOM with users or clients of the target software, as necessary. |
| SBOM Operation and Management | Vulnerability and License Management Based on SBOM | Use SBOM data to perform appropriate actions for vulnerability mitigation and license compliance management. |
| | SBOM Data Management | Appropriately manage both the information contained within the SBOM and the SBOM itself. |


3. SBOM Implementation Checklist

Based on the SBOM implementation process, the following checklist guides enterprises through each phase: environment setup, SBOM creation and sharing, and SBOM operation and management. Enterprises planning to introduce SBOMs should use this checklist to ensure that their implementation is tailored to their organizational needs.

 

3.1 Environment Development and System Preparation Phase

In the Clarification of SBOM Scope stage, enterprises should first confirm details such as the development language, component types, and development tools of the target software. They should also ensure that the structure of the target software is clearly documented and visualized, while verifying contractual arrangements and transaction practices between the users and suppliers of the software. In addition, it is necessary to confirm any regulatory or contractual requirements related to SBOM, identify organizational constraints such as cost limitations, and clearly define the scope of SBOM application using the 5W1H framework. Enterprises must also confirm whether the requirements and responsibilities regarding SBOM between counterparties in procurement or supply agreements have been clearly defined.

 

In the Selection of SBOM Tool stage, enterprises should establish evaluation criteria that take into account the development language of the target software and internal organizational constraints, and, based on these criteria, evaluate and select multiple candidate SBOM tools before finalizing their choice.

 

In the Installation and Configuration of SBOM Tool stage, enterprises must verify whether the environmental requirements for installing the SBOM tool are satisfied and confirm, by reviewing manuals or README files, that the installation and configuration of the tool can be appropriately conducted.

 

In the Learning and Training on SBOM Tool stage, organizations should verify whether users have studied the manuals or README files to acquire proficiency with the SBOM tool, and whether knowledge of its functions and operational know-how has been documented and shared internally.


3.2 SBOM Creation and Sharing Phase

In the Component Analysis stage, it should be verified whether the target software has been scanned using an SBOM tool to analyze component information, whether any interruptions occurred due to errors or insufficient data, and whether the analysis was performed correctly without false detections or omissions. Furthermore, enterprises should determine the requirements of the SBOM, such as the fields, format, and output file type, and confirm that the SBOM has been created using the SBOM tool in accordance with these requirements.
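The check for omissions and false positives in the Component Analysis stage can be automated by reconciling the SBOM tool's output against an independent source of truth such as the project's lockfile. The following is an added example, not code from the original article or from METI's guidelines; it reconciles a constructed CycloneDX-style JSON SBOM against a constructed pinned `requirements.txt` (both inline, both made up for illustration) and reports components the tool missed, components it reported that are not actually installed, and version mismatches between the two.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not from any real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    {"type": "library", "name": "idna", "version": "3.6", "purl": "pkg:pypi/idna@3.6"},
    {"type": "library", "name": "leftover-lib", "version": "0.1.0", "purl": "pkg:pypi/leftover-lib@0.1.0"}
  ]
}
"""

# Constructed pinned requirements file for the same application.
REQUIREMENTS_TXT = """
# runtime dependencies
requests==2.31.0
urllib3==2.0.7
idna==3.4
certifi==2023.7.22
"""


def sbom_packages(sbom_text):
    """Return {name: version} for every library component in a CycloneDX JSON SBOM."""
    sbom = json.loads(sbom_text)
    return {c["name"].lower(): c["version"]
            for c in sbom.get("components", []) if c.get("type") == "library"}


def lockfile_packages(req_text):
    """Return {name: version} from 'name==version' lines; comments and blank lines are skipped."""
    pkgs = {}
    for line in req_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pkgs[m.group(1).lower()] = m.group(2)
    return pkgs


def reconcile(sbom_text, req_text):
    """Compare the tool's SBOM with the lockfile and classify every discrepancy."""
    expected = lockfile_packages(req_text)
    reported = sbom_packages(sbom_text)
    common = expected.keys() & reported.keys()
    return {
        # in the lockfile but absent from the SBOM: the tool missed a component
        "omissions": sorted(n for n in expected if n not in reported),
        # in the SBOM but not installed: a false positive from the tool
        "false_positives": sorted(n for n in reported if n not in expected),
        # present in both but with different versions: the tool resolved the wrong release
        "version_mismatches": sorted((n, expected[n], reported[n])
                                     for n in common if expected[n] != reported[n]),
    }


if __name__ == "__main__":
    for kind, items in reconcile(SBOM_JSON, REQUIREMENTS_TXT).items():
        print(f"{kind}: {items}")
```

Any non-empty result should block the SBOM from being released until the tool's configuration (or the lockfile) is corrected; the same approach works with other ecosystems by swapping in a parser for `package-lock.json`, `go.sum`, and so on.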

 

In the SBOM Creation stage, enterprises should clarify who is responsible for which parts of the process and to what extent, across the supply chain, and ensure that these roles and responsibilities have been agreed upon between the relevant parties. They should also review the method of SBOM sharing with users or clients of the target software and confirm that the SBOM is shared as necessary.

 

In the SBOM Sharing stage, it is recommended to confirm whether the use of electronic signature technologies or equivalent mechanisms to prevent unauthorized modification of SBOM data has been considered.
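To show what the tamper-protection mentioned above looks like in practice, the following added example (not from the original article or from any SBOM tool) wraps a constructed SBOM document in an envelope carrying a SHA-256 digest and an HMAC over a canonical serialization. It assumes a shared secret between the parties; in a real deployment an asymmetric signature (for example a sigstore/cosign attestation) would normally replace the HMAC, but the verification logic, canonicalize then compare, is the same.

```python
import hashlib
import hmac
import json

# Constructed SBOM document; any SBOM parsed into a dict works the same way.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"type": "library", "name": "requests", "version": "2.31.0"}],
}


def canonical_bytes(doc):
    """Serialize deterministically so the MAC does not depend on key order or whitespace."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_sbom(doc, key):
    """Return an envelope with the document, its SHA-256 digest and an HMAC-SHA256 tag.

    The digest lets a recipient match the SBOM to a release announcement; only the
    MAC (or a real signature) proves the document was not altered in transit.
    """
    data = canonical_bytes(doc)
    return {
        "sbom": doc,
        "digest": hashlib.sha256(data).hexdigest(),
        "mac": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def verify_sbom(envelope, key):
    """True only if the MAC recomputed over the received document matches the tag."""
    data = canonical_bytes(envelope["sbom"])
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, envelope["mac"])


if __name__ == "__main__":
    key = b"demo-shared-secret"  # constructed; load from a secret store in practice
    env = sign_sbom(SBOM, key)
    print("original verifies:", verify_sbom(env, key))
    env["sbom"]["components"][0]["version"] = "2.30.0"  # simulate tampering in transit
    print("tampered verifies:", verify_sbom(env, key))
```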


3.3 SBOM Operation and Management Phase

In the Vulnerability and License Management stage, enterprises should confirm whether vulnerability responses are carried out based on the output of the SBOM tool, including severity assessment, impact evaluation, remediation, residual risk assessment, and information sharing with relevant institutions. It is also advisable to verify whether simple filtering of non-critical vulnerabilities is performed, whether the existence of security incidents or exploit code disclosure has been reviewed, and whether information such as VEX (Vulnerability Exploitability Exchange) data or CVSS (Common Vulnerability Scoring System) scores has been appropriately utilized to prioritize vulnerability responses based on cost-effectiveness.

 

For the sharing of vulnerability information, enterprises should confirm whether additional information required for timely vulnerability responses has been identified, whether the supply-chain partners involved in information sharing have been clearly defined, and whether the means of information sharing have been properly determined to enable information exchange as necessary.

 

In terms of vulnerability handling, it should be verified whether both initial responses that do not involve remediation and fundamental responses that include vulnerability fixes are implemented. Regarding license management, enterprises should confirm, based on SBOM output, that there are no OSS license violations.
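The two checks described in this phase, prioritizing vulnerability responses using VEX status and CVSS scores and confirming that SBOM output contains no license violations, can both be driven from the same component inventory. The following added example (not code from the original article or from any SBOM tool) uses a constructed component list, constructed scanner findings with placeholder vulnerability ids, and constructed VEX statements; the VEX status values follow the CycloneDX vocabulary (`not_affected`, `affected`, `fixed`, `under_investigation`), and the license policy is an assumed allow/deny list of SPDX identifiers.

```python
# Constructed SBOM component inventory: name, version, SPDX license id (None = undeclared).
COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"name": "urllib3", "version": "2.0.7", "license": "MIT"},
    {"name": "old-parser", "version": "1.2.0", "license": "GPL-3.0-only"},
    {"name": "helper", "version": "0.9.1", "license": None},
]

# Constructed scanner findings; the ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"id": "VULN-0001", "component": "urllib3", "cvss": 9.8, "exploit_public": True},
    {"id": "VULN-0002", "component": "requests", "cvss": 6.1, "exploit_public": False},
    {"id": "VULN-0003", "component": "old-parser", "cvss": 7.5, "exploit_public": False},
    {"id": "VULN-0004", "component": "helper", "cvss": 3.1, "exploit_public": False},
]

# Constructed VEX statements from the supplier, keyed by (vulnerability id, component).
VEX = {
    ("VULN-0002", "requests"): "not_affected",  # vulnerable code path is not reachable
    ("VULN-0003", "old-parser"): "affected",
}

# Assumed organizational license policy (SPDX identifiers).
LICENSE_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def prioritize(findings, vex, min_cvss=4.0):
    """Return the findings that still need action, most urgent first.

    VEX 'not_affected' and 'fixed' items are dropped, low scores are filtered out
    (the simple filtering the text mentions), and the rest are ordered by public
    exploit availability and then CVSS score.
    """
    actionable = []
    for f in findings:
        status = vex.get((f["id"], f["component"]), "under_investigation")
        if status in ("not_affected", "fixed"):
            continue
        if f["cvss"] < min_cvss:
            continue
        actionable.append(dict(f, vex_status=status))
    actionable.sort(key=lambda f: (f["exploit_public"], f["cvss"]), reverse=True)
    return actionable


def license_violations(components, policy):
    """Return (component, reason) for every component whose license fails the policy."""
    problems = []
    for c in components:
        lic = c.get("license")
        if lic is None:
            problems.append((c["name"], "missing license"))
        elif lic in policy["denied"]:
            problems.append((c["name"], f"denied license {lic}"))
        elif lic not in policy["allowed"]:
            problems.append((c["name"], f"unreviewed license {lic}"))
    return problems


if __name__ == "__main__":
    for f in prioritize(FINDINGS, VEX):
        print(f"{f['id']} {f['component']} cvss={f['cvss']} vex={f['vex_status']}")
    for name, reason in license_violations(COMPONENTS, LICENSE_POLICY):
        print(f"license issue: {name}: {reason}")
```

The `min_cvss` threshold and the exploit-availability ordering are where an organization encodes its cost-effectiveness judgement; a component with an undeclared license is reported as a violation on purpose, because an SBOM entry without license data cannot be shown to be compliant.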

 

Finally, in the SBOM Data Management stage, enterprises should confirm whether the created SBOM, including its revision history, is appropriately retained for a certain period for reference in case of external inquiries, and whether both the information contained within the SBOM and the SBOM data itself are properly managed and protected.


4. Conclusion

When enterprises plan to introduce SBOM, it is desirable that they refer to the Implementation process explained in this document to design a process suitable for their own organization, establish verification items accordingly, and create an implementation checklist based on these items. The SBOM Implementation process and checklist introduced in this document are intended only as general reference materials. Therefore, each enterprise should develop more detailed and appropriate SBOM Implementation processes and checklists that take into account their own environments, including development, utilization, compliance, and management aspects. It is expected that through such efforts, enterprises will successfully implement SBOM in a way that enhances their software management and supports stronger governance of their software assets.
