The US White House Executive Order 14028 brought the Software Bill of Materials (SBOM) into the limelight in a big way. Over the last ten years, a number of industry efforts, such as SPDX, CycloneDX, and SWID, have sought to standardize machine-readable SBOM formats for modern environments. Conceptually, an SBOM is just what it sounds like: a list of all the code and build dependencies (ideally with version information) that went into creating a software product. A key purpose of an SBOM is to provide transparency. If the SBOM is generated automatically during the build process, a software consumer can rely on verification rather than on trust in the organization providing the software.
There are well-founded concerns that current SBOMs are largely a compliance exercise. However, efforts to establish standards and requirements for SBOMs have the potential to lay the groundwork for innovative security enhancements that leverage the SBOM. We need to create and automate metrics that are verifiable, meaningful, non-gameable, and attestable, with the ability to demonstrate adherence to security policies.
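To make the two points above concrete (an SBOM as a machine-readable dependency list, and metrics over it that a consumer can verify and that a build can attest to), here is an added example that is not part of the original text or of any SBOM project. It builds a minimal CycloneDX-shaped document from a constructed dependency list, computes a reproducible digest that an attestation could sign, and derives a simple "every component is versioned" metric. The field names follow the public CycloneDX JSON schema (`bomFormat`, `specVersion`, `components`, `purl`); the dependency names, versions and the `demo-app` application are constructed sample data, and the metric itself is an illustration rather than a standard.

```python
"""Added example: build a minimal CycloneDX-shaped SBOM from a constructed
dependency list, derive a verifiable metric from it, and compute a digest
that could serve as the subject of a build attestation.

Assumptions (not from the original text): the CycloneDX JSON field names
used here follow the public CycloneDX 1.x schema; the dependency list,
version strings and application name are constructed sample data.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample input: what a build tool might record while resolving
# dependencies. One entry deliberately lacks a version to exercise the check.
SAMPLE_DEPENDENCIES = [
    {"name": "requests", "version": "2.31.0", "ecosystem": "pypi"},
    {"name": "urllib3", "version": "2.0.7", "ecosystem": "pypi"},
    {"name": "left-pad-like", "version": None, "ecosystem": "npm"},
]


def build_sbom(deps: List[Dict], app_name: str, app_version: str) -> Dict:
    """Emit a CycloneDX-style document listing every dependency of the build."""
    components = []
    for d in deps:
        comp = {"type": "library", "name": d["name"]}
        if d.get("version"):
            comp["version"] = d["version"]
            # A Package URL pins name and version within an ecosystem.
            comp["purl"] = f"pkg:{d['ecosystem']}/{d['name']}@{d['version']}"
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application",
                          "name": app_name, "version": app_version}
        },
        "components": components,
    }


def canonical_bytes(sbom: Dict) -> bytes:
    """Deterministic serialization so that the digest is reproducible."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sbom_digest(sbom: Dict) -> str:
    """SHA-256 over the canonical form; this is what an attestation would sign."""
    return hashlib.sha256(canonical_bytes(sbom)).hexdigest()


def sbom_metrics(sbom: Dict) -> Dict:
    """A metric computed from SBOM content alone, so any consumer can rerun it.

    Here: every component must carry a version; unversioned entries are listed
    by name so a policy check can point at the offending dependency.
    """
    comps = sbom["components"]
    unversioned = [c["name"] for c in comps if "version" not in c]
    return {
        "component_count": len(comps),
        "unversioned": unversioned,
        "fully_versioned": not unversioned,
    }


def verify_sbom(sbom: Dict, expected_digest: str) -> bool:
    """Consumer-side check: the recomputed digest must match the attested one."""
    return sbom_digest(sbom) == expected_digest


if __name__ == "__main__":
    doc = build_sbom(SAMPLE_DEPENDENCIES, "demo-app", "1.0.0")
    print(json.dumps(doc, indent=2))
    print("digest:", sbom_digest(doc))
    print("metrics:", sbom_metrics(doc))
```

The digest is taken over a canonical serialization (sorted keys, no whitespace) so that a producer and a consumer who each serialize the same document arrive at the same value; without that step, harmless formatting differences would look like tampering. The metric is deliberately mechanical: it depends only on the document's contents, so the producer cannot satisfy it by anything other than actually recording a version for every component.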