SBOM Reliability
Not too long ago, my friend and colleague Phil Venables (Google’s Strategic Security Advisor, among other things) recommended a paper written by three professors from the University of California at Riverside (Sheng Yu, Wei Song, Xunchao Hu, Heng Yin) that calls into question the reliability and effectiveness of the current state of SBOMs. An SBOM is a formal record containing the details and supply chain relationships of the various software components that make up a piece of software. I wrote about them in my Cybersecurity First Principles book.
SBOMS: A Tactic for Your Zero Trust Strategy
If your infosec program’s primary strategy is Zero Trust, you’re trying to reduce the access of all network entities (people, devices, and software) based on one rule: need to know. To do that, you have to continuously verify their identity (who or what they are) and their authorization (what the organization sanctions them to access). Putting the people and devices aside for a later discussion, you can’t really achieve Zero Trust without the software component. You need it for both commercial-off-the-shelf and home-grown software, including all of their open source components.
Here’s an example of why that’s important. When the log4j zero-day exploit emerged back in December 2021, the time-consuming piece of everybody’s mitigation plan was finding, with certainty, all the running log4j instances in the environment. Since SBOMs are lists of nested software components designed to enable supply chain transparency, infosec professionals would know exactly where each instance of log4j was running. So the theory goes.
SBOMS - Reliable and Efficient?
Which brings us back to Phil’s recommended paper by the Riverside team. They included four SBOM tools in their study: Trivy, Syft, Microsoft SBOM Tool, and GitHub’s Dependency Graph. They were not happy with what they found.
They generated SBOMs for 7,876 open-source projects and found that all four tools:
produce inconsistent, incomplete, and potentially inaccurate SBOMs;
are prone to parser confusion attacks that could hide malicious, vulnerable, or illegal packages; and
poorly handle transitive dependencies, raw metadata parsing, and version constraints.
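To make the log4j lookup and the paper’s differential idea concrete, here is an added example (not from the post, the paper, or any of the four tools) that walks the dependency graph of a CycloneDX-style SBOM to find every chain leading to a named component, and diffs the component lists of two SBOMs for the same app. Both SBOMs are constructed sample data standing in for two generators’ output: one records the transitive log4j-core dependency, the other drops it.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOMs for one hypothetical app, as if emitted by two
# different generators. Tool A records the transitive log4j-core dependency; tool B
# lists only the direct dependency and drops it (sample data, not real tool output).
APP = "pkg:maven/example/app@1.0"
SPRING = "pkg:maven/org.springframework/spring-core@5.3.9"
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"

def make_sbom(components, dependencies):
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "metadata": {"component": {"bom-ref": APP}},
                       "components": components, "dependencies": dependencies})

SBOM_A = make_sbom(
    [{"bom-ref": SPRING, "name": "spring-core", "version": "5.3.9"},
     {"bom-ref": LOG4J, "name": "log4j-core", "version": "2.14.1"}],
    [{"ref": APP, "dependsOn": [SPRING]}, {"ref": SPRING, "dependsOn": [LOG4J]}])
SBOM_B = make_sbom(
    [{"bom-ref": SPRING, "name": "spring-core", "version": "5.3.9"}],
    [{"ref": APP, "dependsOn": [SPRING]}])

def components(sbom_json):
    """Map bom-ref -> (name, version) for every component the SBOM lists."""
    doc = json.loads(sbom_json)
    return {c["bom-ref"]: (c["name"], c["version"]) for c in doc.get("components", [])}

def dependency_paths(sbom_json, name):
    """Every dependency chain (list of bom-refs) from the root component down to a
    component with the given name, following transitive edges breadth-first."""
    doc = json.loads(sbom_json)
    comps = components(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    hits, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for child in edges.get(path[-1], []):
            if child in path:          # guard against cyclic dependency records
                continue
            if comps.get(child, ("", ""))[0] == name:
                hits.append(path + [child])
            queue.append(path + [child])
    return hits

def diff_sboms(sbom_a, sbom_b):
    """Components (name, version) present in exactly one SBOM: the differential check."""
    a, b = set(components(sbom_a).values()), set(components(sbom_b).values())
    return sorted(a - b), sorted(b - a)
```

Run against the two samples, tool A yields the chain app → spring-core → log4j-core while tool B yields nothing for log4j-core, and the diff flags log4j-core 2.14.1 as present in only one SBOM, which is exactly the gap a single-tool inventory would have missed in December 2021.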
SBOMs are 5-10 Years from the Plateau-of-Productivity
To be fair, the concept of SBOMs is relatively new. Standards, like the Software Package Data Exchange (SPDX), didn’t start emerging until about 2010, the same year that John Kindervag published his revolutionary paper inventing zero trust: “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security.”
Volunteers on the SBOM effort made progress for sure, but there really weren’t any industry or government incentives to drive the effort faster. NIST introduced SWID Tags in 2015 and OWASP introduced CycloneDX in 2017. And then, the one-two punch of the SolarWinds and log4j attacks reminded everybody of the importance of software supply chain security.
Because of those two events, in 2021, President Biden mandated SBOMs for all U.S. federal software procurement in his Executive Order 14028 and later expanded the rules with his Executive Order 14144 in 2025 just before he left office. I said in my book that his first executive order would probably build some momentum and indeed it has. But, we are still in the early innings (Look everybody, a sports metaphor).
In 2024, Gartner, a global research and advisory company famous for its Magic Quadrants and hype charts, placed SBOM technology as just cresting the Peak-of-Inflated-Expectations and starting its descent into the Trough-of-Disillusionment. The Riverside research team’s paper is just one proof point of this. Gartner analysts forecast 5-10 years before SBOMs reach the Plateau-of-Productivity.
Takeaways
This doesn’t mean that the concept is bad and that we shouldn’t pursue it. The Gartner Hype Chart shows us that all new technology goes through this pattern. It just means that it’s not ready yet. We need it, or something very close to it, in order to pursue our zero trust strategy.
But unless you’re a Fortune 500 company with bags of money lying around scooped out of the couch cushions from the corporate sponsored cafeteria, or you’re a big government trying to incentivize positive change, SBOMs are probably not your first choice today if you’re trying to reduce the probability of material impact due to a software supply chain event in the near future.
I would concentrate on the other two legs of the zero trust three-legged stool: people and devices. You probably have a lot more to do on those pieces anyway. Remember, for every resource you spend on your infosec program, you should be able to demonstrably buy down risk. In their current state, SBOMs will likely not be the best bet.
Source
Sheng Yu, Wei Song, Xunchao Hu, Heng Yin, 2024. On the Correctness of Metadata-based SBOM Generation: A Differential Analysis Approach [Paper]. University of California Riverside - 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). URL https://www.cs.ucr.edu/~heng/pubs/sbom-dsn24.pdf
References
Alvaro Iradier Muro, 2022. SBOMs 101: What You Need to Know [History]. DevOps.com. URL https://devops.com/sboms-101-what-you-need-to-know/
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [Paper]. Palo Alto Networks. URL https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
Katie Teitler-Santullo, 2024. Five Gartner Reports. Four Categories. What Does OX Security Do Anyway? [Analysis]. OX Security. URL https://www.ox.security/five-gartner-reports-four-categories-what-does-ox-security-do-anyway/
Kim Zetter, 2023. SolarWinds: The Untold Story of the Boldest Supply-Chain Hack [History]. WIRED. URL https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/
Luca Galante, 2024. Hype to Reality: Platform engineering wins in 2024 [Analysis]. Platform Engineering. URL https://platformengineering.org/blog/hype-to-reality-platform-engineering-wins-in-2024
Michael Hill, 2025. The Apache Log4j vulnerabilities: A timeline [Explainer]. CSO Online. URL https://www.csoonline.com/article/571797/the-apache-log4j-vulnerabilities-a-timeline.html
Phil Venables, 2025. SBOMS [Social Media Post]. LinkedIn. URL https://www.linkedin.com/posts/philvenables_think-the-tools-you-are-using-for-sbom-generation-activity-7335343148522463232-7Qce/
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
Staff, ND. GitHub Dependency Graph [Documentation Page]. GitHub. URL https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
Staff, ND. Microsoft SBOM Tool [Open Source Code Repository]. GitHub. URL https://github.com/microsoft/sbom-tool
Staff, ND. Syft [Open Source Code Repository]. GitHub. URL https://github.com/anchore/syft
Staff, ND. Trivy [Home Page]. Aqua Security. URL https://trivy.dev/