Communications of the ACM

ACM News

SBOM: An Up-Close Look at a Software Bill of Materials

Multiple Software Bills of Materials are produced at different levels of the software stack.

A software bill of materials is a list of the base elements (such as code libraries) used to create a product.


Unless you've been living under a rock the past few years, you've likely at least heard of Log4j. This is an Apache open source logging library that's commonly used in just about everything Java-related online. Unfortunately, in late 2021 the package was discovered to be critically vulnerable to remote code execution attacks, meaning an attacker could exploit it to install malware (e.g., ransomware) on vulnerable systems and infect larger networks.

Cloudflare CEO Matthew Prince reported on Twitter that there were 400 confirmed exploit attempts per second. But that's just one estimate — according to The Washington Journal, Akamai Technologies said it observed 10 million such exploit attempts per hour. Research from Check Point also showed that the attackers were rolling out new variants of the exploits — more than 60 in under 24 hours.

That's a lot of exploits and a lot of variations to boot. Considering that the Log4j vulnerability affected major companies like Amazon, Apple, and IBM, it's no surprise that it had companies globally worried.

But what makes the situation particularly concerning is that many companies weren't aware that the products they use contained such vulnerable elements. If only there was a way that organizations could know exactly what components are part of the software they use… Oh, wait, there is: they could use products that come with a software bill of materials (SBOM).

From hashedout by The SSL Store