Secure Supply Chain Management in DevOps: Addressing Software Bill of Materials (SBOM) Risks
DOI: https://doi.org/10.63282/3050-922X.IJERET-V6I2P115

Keywords: SBOM, Software Bill of Materials, Software Supply Chain Security, DevSecOps, SPDX, CycloneDX, VEX, SLSA, Dependency Management, Vulnerability Disclosure, Sigstore, in-toto Attestation, Pipeline Security, Open Source Risk

Abstract
The software supply chain has become one of the most actively exploited attack surfaces in enterprise technology, and the events of the past four years have transformed what was once a theoretical concern into a documented operational reality. The Software Bill of Materials (SBOM), a structured inventory of every component, library, and dependency that comprises a software artifact, has emerged as the foundational mechanism for supply chain risk visibility. Yet generating an SBOM is only the beginning of the challenge. Using it effectively, keeping it accurate, integrating it into active DevOps workflows, and deriving security decisions from it at pipeline speed require an architectural and organizational investment that most organizations have not yet made. This paper examines how fourteen engineering organizations approached SBOM generation, management, and operationalization across a nineteen-month study period from April 2023 through October 2024. We analyze SBOM completeness rates, pipeline integration depth, vulnerability-to-remediation lead times under SBOM-informed workflows, and the organizational barriers that most consistently limit SBOM program effectiveness. Results demonstrate that organizations with mature SBOM integration reduce known-vulnerability exposure windows by an average of 71% compared to those relying on traditional reactive scanning approaches. We propose a five-stage SBOM maturity model and offer practical guidance for security and DevOps practitioners navigating the transition from SBOM generation to SBOM operationalization.
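The abstract describes "deriving security decisions from [the SBOM] at pipeline speed" and measuring the exposure window between advisory publication and remediation. The following Python script is an added illustration of that workflow and is not code from the paper or from any of the tools it names: it parses a minimal CycloneDX-style SBOM, cross-references each component's package URL against an advisory feed, applies a CycloneDX VEX document so that findings the producer has marked `not_affected` do not block the build, and computes the exposure window in days. The SBOM, the advisory feed, the advisory identifiers (`ADV-EXAMPLE-*`) and the VEX document are all constructed sample data; the gate-severity policy and the use of the purl as the VEX `affects.ref` are assumptions of this example.

```python
"""Operationalising an SBOM in a CI gate: SBOM x advisory feed x VEX -> decision.

Added example. All data below is constructed sample input, not real findings.
"""
import json
from datetime import date

# Constructed minimal CycloneDX 1.6-style SBOM; bom-ref is set to the purl so
# the VEX document can reference components by the same identifier.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.1.0",
         "bom-ref": "pkg:pypi/example-parser@2.1.0",
         "purl": "pkg:pypi/example-parser@2.1.0"},
        {"type": "library", "name": "example-http", "version": "0.9.3",
         "bom-ref": "pkg:pypi/example-http@0.9.3",
         "purl": "pkg:pypi/example-http@0.9.3"},
        {"type": "library", "name": "example-logging", "version": "1.4.2",
         "bom-ref": "pkg:pypi/example-logging@1.4.2",
         "purl": "pkg:pypi/example-logging@1.4.2"},
    ],
})

# Constructed advisory feed keyed by purl (placeholder IDs, not real CVEs).
ADVISORIES = {
    "pkg:pypi/example-parser@2.1.0": [
        {"id": "ADV-EXAMPLE-0001", "severity": "critical", "published": "2024-03-01"}],
    "pkg:pypi/example-http@0.9.3": [
        {"id": "ADV-EXAMPLE-0002", "severity": "high", "published": "2024-03-10"}],
}

# Constructed CycloneDX VEX: the parser advisory is declared not exploitable
# in this product because the vulnerable code path is never reached.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [
        {"id": "ADV-EXAMPLE-0001",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:pypi/example-parser@2.1.0"}]},
    ],
})

# Assumed gate policy: only these severities can block a pipeline run.
GATE_SEVERITIES = {"critical", "high"}
# VEX states that remove a finding from the actionable set.
NON_ACTIONABLE_STATES = {"not_affected", "resolved", "false_positive"}


def load_components(sbom_json):
    """Return {purl: component} for every SBOM component that carries a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return {c["purl"]: c for c in bom.get("components", []) if "purl" in c}


def load_vex(vex_json):
    """Return {(advisory_id, component_ref): analysis_state} from a VEX doc."""
    vex = json.loads(vex_json)
    states = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            states[(vuln["id"], affected["ref"])] = state
    return states


def evaluate(sbom_json, advisories, vex_json):
    """Cross-reference SBOM, advisories and VEX; return one record per finding."""
    components = load_components(sbom_json)
    vex_states = load_vex(vex_json)
    findings = []
    for purl in components:
        for adv in advisories.get(purl, []):
            state = vex_states.get((adv["id"], purl), "in_triage")
            findings.append({
                "purl": purl, "id": adv["id"], "severity": adv["severity"],
                "published": adv["published"], "vex_state": state,
                # Unknown ("in_triage") findings stay actionable: VEX can only
                # suppress what the producer has explicitly analysed.
                "actionable": state not in NON_ACTIONABLE_STATES,
            })
    return findings


def gate_decision(findings):
    """Return ("block" | "pass", blocking_findings) for the pipeline gate."""
    blocking = [f for f in findings
                if f["actionable"] and f["severity"] in GATE_SEVERITIES]
    return ("block" if blocking else "pass"), blocking


def exposure_days(published, remediated):
    """Exposure window: days from advisory publication to remediation."""
    return (date.fromisoformat(remediated) - date.fromisoformat(published)).days


if __name__ == "__main__":
    results = evaluate(SBOM_JSON, ADVISORIES, VEX_JSON)
    decision, blocking = gate_decision(results)
    for f in results:
        print(f["id"], f["purl"], f["severity"], f["vex_state"],
              "actionable" if f["actionable"] else "suppressed-by-vex")
    print("gate:", decision)
    for f in blocking:
        print("  exposure so far:", exposure_days(f["published"], "2024-03-14"), "days")
```

The gate deliberately treats a finding with no VEX statement as actionable; a VEX document can only narrow the set of findings the producer has analysed, and a missing statement must not be read as "not affected". The exposure window is measured from advisory publication, which is the quantity the abstract reports as shrinking under mature SBOM integration.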