1 Introduction / Executive Summary
Attacks exploiting vulnerabilities in widely used libraries such as Log4j have posed major security challenges in recent years. The Software Bill of Materials (SBOM) concept, already required for software sold to the US federal government and due to become mandatory under the EU Cyber Resilience Act (CRA), is designed to provide the information companies need to know which components are contained in which software, so that they can respond to attacks and vulnerabilities faster and more effectively.
In recent years, there have been targeted attacks on the software supply chain, affecting vendors such as SolarWinds (2020) and Kaseya (2021). In addition, vulnerabilities in widely used open-source libraries, such as Heartbleed in OpenSSL in 2014 and Log4Shell in Log4j in 2021, have affected a very large number of systems. These incidents took two forms: the distribution of trojanized software through a legitimate vendor's update channel, and the exploitation of a single vulnerability present in many systems at once. In both cases, the first question affected organizations had to answer was which of their products and systems actually contained the compromised or vulnerable component, and many could not answer it quickly.

In May 2021, the USA introduced the obligation to provide an SBOM for software supplied to federal agencies through Executive Order 14028, the "Executive Order on Improving the Nation's Cybersecurity." The EU is in the process of adopting the draft CRA, which also contains provisions on SBOMs. In Germany, the Federal Office for Information Security (BSI) published Technical Guideline TR-03183 Part 2 in August 2023, covering Cyber Resilience requirements and specifically the SBOM. Part 1, covering general requirements, is expected to be released by the end of 2023. This makes the need for action concrete for every company that produces and distributes software, whether as a standalone product or as part of a product such as an electronic device or a machine. At the same time, the SBOM concept gives every company the opportunity to better understand and manage its attack surface, allowing faster and more effective responses to threats.