SBOMs are also a key point in the national cybersecurity plan developed by the Biden Administration and this week. They not only tell organizations what components make up the software they're bringing in, but also what code is in there.
Its use was so broad that it touched most organizations, many of whom didn't know they were affected. Within weeks of the vulnerability coming to light, there were

"Log4j is used in the vast majority of software," ArmorCode's Lambert said, adding that it highlighted the need for SBOMs. "When [the flaw in] Log4j was identified, all of us were instantly exposed to the vulnerability. Log4j put everything into sharp focus. The problem has been there for a while."
"Unwinding large applications, from open-source operating systems, to in-house developed applications, to third-party 'shrink-wrapped' stacks is fraught with contextual challenges, inventory methods, and manual verification, all of which are prone to error," Masserini writes.