At G2, our software development taxonomy is constantly evolving to represent emerging trends, new markets, and differentiated spaces.
As a complement to our existing Software Composition Analysis category, we’re proud to introduce G2’s new Software Bill of Materials (SBOM) category.
What is a software bill of materials (SBOM) solution?
SBOM solutions are software products that automate the creation, governance, and updating of a transparent inventory of the components in a software supply chain. These tools allow companies to deliver SBOMs that comply with government mandates and other policies.
Looming regulations require a software bill of materials (SBOM)
The overt purpose of SBOM solutions is rather intuitive—they automate the process of generating, ingesting, monitoring, and managing SBOMs. These solutions are hitting the market at a crucial time, as multiple governments are implementing regulations requiring the provision of a minimum SBOM for commercial software.
The EU’s Cyber Resilience Act, which is set for enactment imminently, states that “In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials (SBOMs) ... manufacturer(s) should not, however, be obliged to make the software bill of materials public”.
Meanwhile, following President Biden’s executive order in May 2021, the US Department of Defense, General Services Administration, and NASA have proposed a new rule which would require “contractors to develop and maintain a software bill of materials (SBOM) for any software used in the performance of the contract regardless of whether there is any security incident”.
Question marks still surround the specifics of these requirements. As part of an emerging market, SBOM solutions are poised to help companies stay up to date with these requirements by automating the processes necessary for compliance.
As the details of these regulations become clear in the coming weeks and months, buyers can expect providers in the SBOM solutions space to react accordingly. And with G2’s new category, finding the right SBOM solution will be easy!
SBOM vs. SCA
Buyers familiar with software composition analysis (SCA) tools may wonder what differentiates SBOM solutions from those in the existing space.
Both types of tools allow companies to monitor, manage, and update their software components. Still, the use cases are quite different, as illustrated below.
Buyers familiar with SCA tools know that they excel at finding security vulnerabilities among open-source and third-party dependencies. SCA tools automate component security by alerting users to issues and offering remediation suggestions. This process overlaps to some degree with the goals of an SBOM solution, and in many cases SCA tools generate SBOMs incidentally.
However, SBOM solutions focus specifically on SBOM generation, ingestion, and management. They allow companies to maintain their SBOMs to ensure thoroughness, accuracy, and compliance. Security remediation is typically not part of the SBOM solution itself, though many platforms offer both SCA and SBOM functionality.
The relationship between SCA and SBOM can sometimes be thought of as a baton pass. First and foremost, companies must secure their software components with SCA. From there, they generate and manage SBOMs to transparently report their compliance to relevant governing bodies.
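To make the baton pass concrete, here is an added example that is not code from the G2 post or from any product it covers. It walks the sequence described above on constructed data: an SCA-style scan of a component inventory against a made-up advisory feed (the advisory identifier and component names are hypothetical), followed by SBOM generation, ingestion with a completeness check, and a diff between two SBOM revisions for ongoing management. The document layout is a minimal schema invented for this example, not SPDX, CycloneDX, or any vendor's format.

```python
import hashlib
import json

# Constructed component inventory, shaped like the output of a dependency scanner
# (illustrative data; the field names are this example's own, not a standard).
COMPONENTS = [
    {"name": "libexample-json", "version": "1.4.2", "supplier": "Example Org"},
    {"name": "netutil", "version": "0.9.0", "supplier": "Example Org"},
    {"name": "cryptowrap", "version": "2.1.0", "supplier": ""},   # incomplete record
]

# Constructed advisory feed with a made-up identifier (not a real CVE).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "netutil", "fixed_in": "1.0.0"},
]

REQUIRED_FIELDS = ("name", "version", "supplier")


def version_key(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def sca_scan(components, advisories):
    """SCA step: match each component against advisories and suggest a remediation.

    A component is affected when its version is below the advisory's fixed_in version.
    """
    findings = []
    for comp in components:
        for adv in advisories:
            if comp["name"] == adv["name"] and version_key(comp["version"]) < version_key(adv["fixed_in"]):
                findings.append({
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "advisory": adv["id"],
                    "remediation": f'upgrade {comp["name"]} to {adv["fixed_in"]} or later',
                })
    return findings


def component_id(comp):
    """Stable identifier derived from name and version, so two SBOMs can be compared."""
    return hashlib.sha256(f'{comp["name"]}@{comp["version"]}'.encode()).hexdigest()[:16]


def generate_sbom(components, producer):
    """SBOM generation step: wrap the inventory in a minimal, constructed document schema."""
    return {
        "producer": producer,
        "components": [dict(comp, id=component_id(comp)) for comp in components],
    }


def validate_sbom(sbom):
    """Thoroughness/accuracy check: every component carries the required fields
    and no component is listed twice. Returns a list of human-readable problems."""
    problems = []
    seen = set()
    for comp in sbom.get("components", []):
        for field_name in REQUIRED_FIELDS:
            if not comp.get(field_name):
                problems.append(f'{comp.get("name", "<unnamed>")}: missing {field_name}')
        if comp.get("id") in seen:
            problems.append(f'{comp["name"]}@{comp["version"]}: duplicate entry')
        seen.add(comp.get("id"))
    return problems


def ingest_sbom(text):
    """Ingestion step: parse a serialized SBOM (JSON here) and validate it on the way in."""
    sbom = json.loads(text)
    return sbom, validate_sbom(sbom)


def diff_sbom(old, new):
    """Management step: report which components were added or removed between two SBOMs."""
    old_ids = {c["id"]: c for c in old["components"]}
    new_ids = {c["id"]: c for c in new["components"]}
    added = sorted(f'{c["name"]}@{c["version"]}' for i, c in new_ids.items() if i not in old_ids)
    removed = sorted(f'{c["name"]}@{c["version"]}' for i, c in old_ids.items() if i not in new_ids)
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    findings = sca_scan(COMPONENTS, ADVISORIES)           # 1. secure the components first
    sbom = generate_sbom(COMPONENTS, "example-build-01")  # 2. then describe them in an SBOM
    _, problems = ingest_sbom(json.dumps(sbom))           # 3. re-read it as a consumer would
    print(json.dumps({"findings": findings, "problems": problems}, indent=2))
```

Run as a script, the output flags the one vulnerable component with an upgrade suggestion (the SCA side of the pass) and, separately, the component whose supplier field is blank (the SBOM completeness side). The two results are kept distinct on purpose: the first is a security finding to remediate, the second is a reporting defect that would make the SBOM fail a minimum-elements review even though nothing is exploitable.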
SBOM is a rapidly evolving space
As SBOM solutions providers work to ease the challenges presented by emerging regulations, buyers should keep an eye on this space.
Government mandates related to SBOM requirements are still being shaped. However, buyers with a handle on effective SBOM governance will benefit by staying prepared for upcoming regulatory changes. With G2’s new SBOM category, buyers can find the solution that will help them stay ready.
Edited by Jigmee Bhutia