Cisco is proud to announce the general availability of an entirely new capability in the software industry and a first for Cisco: the distribution of SPDX-formatted Software Bills of Materials (SBOMs). SBOMs are a crucial step forward in providing visibility and, ultimately, greater resilience across the entire software supply chain. As of June 2023, most customers and partners can request an SBOM for any supported on-premises Cisco software released after September 2022.
I have blogged about Cisco’s commitment to transparency, specifically our support for SBOMs and our desire to collaborate across the software community to build the next generation of transparency. Today, Cisco stands ready to distribute SBOMs. This comes before other large technology vendors, ahead of the forthcoming government mandates, to customers outside of the public sector, and in a standardized, machine-readable format. Considering the shared complexities across the software industry, this is an important moment to recognize in our march toward software transparency that reduces risk.
The idea of an SBOM is deceptively simple: a machine-readable data format for organizing metadata that describes the composition of software artifacts. SBOMs document the third-party software components contained in a downloadable software image. Cisco customers can download and use software in many ways, including client applications that run on end-user devices (e.g., Cisco Secure Client with AnyConnect), hardware-based appliances with applications running on Cisco-maintained operating systems (e.g., Identity Services Engine), virtualized applications that run in customers’ data centers or public cloud environments (e.g., Intersight), and network operating systems that power Cisco routers, switches, and firewalls (e.g., IOS XE, IOS XR, Nexus OS, FTD). The pervasiveness and scale of software across networks, combined with decades of software evolution, highlight the incredible complexity that SBOMs are attempting to overcome.
The novelty of SBOMs is in standardizing how dependency metadata is documented; Cisco can make software dependency information that was previously only used internally useful to customers and organizations beyond Cisco. Sharing SBOMs across organizational boundaries gives customers visibility into a software vendor’s upstream dependencies. Distributing SBOMs to our customers and partners underscores Cisco’s commitment to software transparency that both improves software supply chain resiliency and reduces cascading risk.
I often describe the software supply chain graph to illustrate the complexities that make documenting SBOMs an intricate problem shared across the software industry. Several factors have contributed to Cisco’s ability to deliver on this commitment, which we believe will help your organization to adopt SBOMs:
While this is a significant step forward, the industry is early in this SBOM journey, and at Cisco we continue to identify areas to improve. To accelerate adoption, SBOMs must be natural byproducts of the software build process. Software build environments are the manufacturing lines for products. Breaking the build process by instrumenting new tools or updating libraries can have significant economic repercussions. It will take time for SBOM tooling to become stable, scalable, and available across programming languages, version control systems, compilers and linkers, CI/CD and pipeline automation tools, and packaging ecosystems. General availability of these tools is necessary to minimize human intervention as we aim to improve the accuracy and completeness of SBOMs.
Additional work in standardizing the distribution, consumption, and analysis of SBOMs alongside other datasets is also necessary. We welcome your comments and encourage you to consider the following two questions:
Learn more about SBOMs at Cisco.