Entry | Software bill of materials |
Definition |
A software bill of materials (software BOM) is a list of the components in a piece of software. Software vendors often create products by assembling open source and commercial software components; the software BOM describes the components in a product.[1][2] It is analogous to the list of ingredients on food packaging.

The concept of a BOM is well established in traditional manufacturing as part of supply chain management.[3] A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate the affected products.

A software BOM is useful both to the builder (manufacturer) and to the buyer (customer) of a software product. Builders often leverage available open source and third-party software components to create a product; a software BOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.[4] Buyers can use a software BOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.

Many companies use Microsoft Excel[5] or dedicated BOM software for BOM management. Spreadsheets were adequate before online tools streamlined the process around 2010, but using a spreadsheet carries additional risks and issues.

Understanding the supply chain of software, obtaining a software BOM, and using it to analyze known vulnerabilities are crucial in managing risk.[6][7][8]

The Cyber Supply Chain Management and Transparency Act of 2014[9] is pending US legislation that would require government agencies to obtain software BOMs for any new products they purchase. It would also require obtaining software BOMs for "any software, firmware, or product in use by the United States Government".

References
1. "Securing A Mobile World" (PDF). Crosstalkonline.org. http://www.crosstalkonline.org/storage/issue-archives/2012/201203/201203-Croll.pdf. Retrieved 2015-06-12.
2. "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/. Retrieved 2015-06-12.
3. "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/. Retrieved 2015-06-12.
4. "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. http://embedded-computing.com/article-id/?3826= . Retrieved 2015-06-12.
5. "Using Excel for Bill of Materials (BOM) Management". https://www.arenasolutions.com/resources/articles/excel-bill-of-materials/. Retrieved 2018-08-02.
6. "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Docs.ismgcorp.com. http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf. Retrieved 2015-06-12.
7. "Top 10 2013-A9-Using Components with Known Vulnerabilities". https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities. Retrieved 2015-06-12.
8. "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. https://www.cert.gov.uk/wp-content/uploads/2015/02/Cyber-security-risks-in-the-supply-chain.pdf. Retrieved 2015-06-12.
9. "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014". Congress.gov, Library of Congress. https://www.congress.gov/bill/113th-congress/house-bill/5793. Retrieved 2015-06-12.

Categories: Supply chain management | Software project management | Software development process
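The vulnerability and license analysis that the article describes builders and buyers performing over a software BOM, as an added example that is not part of the original article or of any SBOM standard or tool. The SBOM entries, the advisory list (with placeholder ADV-nnnn identifiers rather than real CVEs), the half-open "introduced up to but excluding fixed" version-range convention, and the licence denylist are all constructed for illustration; a real BOM would arrive in a machine-readable format and the advisories would come from a vulnerability database.

```python
"""Added example: vulnerability and license analysis over a software BOM.

Illustrative code written for this page; the SBOM, advisories and licence
policy below are constructed sample data, not real components or CVEs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed SBOM: one record per third-party component in a product.
SBOM: List[Dict[str, str]] = [
    {"name": "libfoo",   "version": "1.4.2", "license": "MIT"},
    {"name": "netparse", "version": "0.9.0", "license": "Apache-2.0"},
    {"name": "imgcodec", "version": "2.0.5", "license": "GPL-3.0-only"},
    {"name": "tlsbox",   "version": "3.1.0", "license": "BSD-3-Clause"},
]

# Constructed advisories with placeholder ids. "fixed" is the first safe
# version; None means no fix has been released yet.
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"id": "ADV-0001", "component": "libfoo",   "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "component": "imgcodec", "introduced": "2.0.0", "fixed": "2.0.5"},
    {"id": "ADV-0003", "component": "tlsbox",   "introduced": "3.0.0", "fixed": None},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so versions compare numerically
    (so 1.10.0 sorts after 1.9.0, which plain string comparison gets wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version lies in the half-open range [introduced, fixed).
    A component already at the fixed version is not affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: Optional[str]  # None means no fixed version exists yet


def find_vulnerable(sbom: Iterable[Dict[str, str]],
                    advisories: Iterable[Dict[str, Optional[str]]]) -> List[Finding]:
    """Cross-reference every advisory against the components in the BOM.
    Advisories for components the product does not ship are ignored, which is
    exactly the triage the BOM makes possible: 'is this product affected?'"""
    by_name = {c["name"]: c for c in sbom}
    findings: List[Finding] = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:
            continue
        if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
            findings.append(Finding(comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return findings


def license_violations(sbom: Iterable[Dict[str, str]], denied: Set[str]) -> List[str]:
    """Names of components whose licence is on the buyer's denylist."""
    return [c["name"] for c in sbom if c["license"] in denied]


if __name__ == "__main__":
    for f in find_vulnerable(SBOM, ADVISORIES):
        fix = f.fixed_in or "no fix available"
        print(f"{f.component} {f.version}: {f.advisory} (fixed in {fix})")
    print("licence violations:", license_violations(SBOM, {"GPL-3.0-only"}))
```

Running the script reports libfoo (upgrade available) and tlsbox (no fix yet, so the builder needs a mitigation rather than an update), while imgcodec is already at the fixed version and netparse has no advisory at all. The same lookup run in the other direction, from a newly published advisory across every product's BOM, is how a vendor finds which shipped products are affected.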