SAP Logo LeanIX is now part of SAP

SBOMs: A 3-Step Guide For Detecting Software Vulnerabilities

Posted by Neil Sheppard on July 6, 2023

SBOMs A 3-Step Guide For Detecting Software Vulnerabilities

SBOMs are rapidly becoming an essential tool for discovering open-source software risk. Read our simple, three-step guide to software vulnerability remediation.

Software bills of materials (SBOMs) are like ingredients lists for the software that you use or produce. Just as a food recipe informs people with allergies whether the food is safe, an SBOM identifies open-source software risk.

This utility is already making SBOMs a software supply chain security (SSCS) standard. The US government has issued an executive order calling on all its software vendors to submit SBOMs, and the UK and EU are following suit.

Yet, to properly leverage SBOMs, you need a system to store and organize them into a library so you can call up the right information you need for software vulnerability remediation. The LeanIX VSM is the ideal product to leverage SBOMs to improve your software supply chain security.


Let's look more closely at how you can use SBOMs and our VSM to reduce open-source software risk.

Step 1: Create SBOMs For Your Software

Software bills of materials (SBOMs) aren't the first method of documenting open-source software risk. What's different with SBOMs, however, is that they're a universal standard method of documentation that can be shared across systems.

Any software your customers use should, therefore, be able to process your SBOMs and provide the insights and validation they need. Whether SBOMs become a regulatory requirement in the future or not, they're already acting as a guarantee to your customers that your software is secure.

SBOM Standards

There are two main standards for SBOM creation:

  1. SPDX - Software Package Data Exchange is an SBOM standard created by Linux and approved by the International Organization for Standardization (ISO), which focuses on license compliance
  2. Cyclone DX - an open-source SBOM standard created by the Open Web Application Security Project (OWASP) to support software developers with software vulnerability remediation

It's up to you which standard you use and the two are largely interchangeable. However, SPDX is a comprehensive system that was originally designed for license compliance, while CycloneDX is a lightweight version, specifically designed for SBOM creation to manage open-source software risk.

Tools For SBOM Creation

Whichever SBOM standard you use, there are a variety of tools available that will automate the process for you. Most are able to create SBOMs to either standard.

Popular tools include:

Any of these tools will serve to create SBOMs to your specifications. Then, since it is a standard format, SBOMs can be shared with any of your customers and used internally for software vulnerability remediation.

Yet, SBOMs have little use on their own. To leverage SBOMs, both you and your customers need a tool to store, collate, and index them, so you can retrieve the information you need quickly.

Step 2: Feed SBOMs Into A Library Catalog

Software bills of materials (SBOMs) are essential tools for managing open-source software risk. However, to make use of them, you need a system that can scan and analyze their information.

That's where the LeanIX VSM comes in. The VSM can ingest all of your SBOMs and store them in a Library Catalog that it can search and offer insight into.

Building around your SBOMs, your Library Catalog within our VSM will give you a real-time inventory of your services and the teams responsible for them. It also includes powerful out-of-the-box integrations and easy-to-use application programming interfaces (APIs) to connect VSM to the rest of your toolset.

The VSM will auto-discover information about the teams, technology, and products in your development organization, including:

  • Runtime environments
  • Version control
  • Continuous integration/continuous development (CI/CD) pipeline
  • Source code repositories

The LeanIX VSM empowers you to understand at a glance which services are dependent on a specific library, which teams are responsible, and which products use the service. This allows you to fully leverage SBOMs and all their software supply chain security (SSCS) capabilities, both for within your organization and to share with your customers.


Step 3: Track Your Open-Source Software Risk

Once stored within your Library Catalog, the LeanIX VSM can scan through all your software bills of materials (SBOMs) for open-source software risk. The system will also link with a variety of software development tools to identify and prioritize areas for software vulnerability remediation based on the four DevOps Research and Assessment (DORA) metrics:

  1. Deployment frequency
  2. Change lead time
  3. Change failure rate
  4. Time to restore service

The VSM will automate the creation of end-to-end transparency across your software supply chain. We don't charge for each license, so relevant information will be immediately available to all the product owners, enterprise architects, and business leaders across your organization.

The VSM will also act as a shared source of truth to strengthen communication and collaboration between software engineers, cyber security teams, enterprise architects, and the rest of the business. Working together to improve your software supply chain security (SSCS) will ensure ongoing compliance and inspire confidence from your customers.

Use The LeanIX VSM To Leverage SBOMs

Software bills of materials (SBOMs) will soon be a vital part of regulatory expectations for cyber security. To take advantage of the software security superpowers that SBOMs provide, you need the right tool to organize and index them into a Library Catalog.

To fully leverage SBOMs, stay competitive in the market, and win the trust of your customers, you need the LeanIX VSM. To find out more, visit our product page:


Subscribe to the LeanIX Blog and never miss a post again!

Related Posts

Related Resources