The Importance of SBOMs: Unlocking Software Supply Chain Security in the Connected Car Ecosystem

August 15, 2023
VicOne

By Ling Cheng (Senior Product Marketing Manager)

In today’s interconnected world, the security of software supply chains has become a paramount concern. As the software-defined vehicle (SDV) ecosystem continues to advance, the extensive use of open-source components makes robust security measures more necessary than ever. While third-party code streamlines development and accelerates time to market, it also introduces vulnerabilities, whether the components are purchased or open source.

According to NIST NVD statistics, the number of vulnerabilities increased by 25% from 2021 to 2022. This brings the significance of software security to the fore: these often hidden risks not only threaten the connected car supply chain but also expose OEMs to financial risk, given the growing share of software-related recalls, which rose from 10% to 14% within a three-year span according to a Sibros report.

When a newsworthy cyberattack occurs, stakeholders would like to know the following:

  • Impact assessment: How can they determine whether their vehicle or device is affected?
  • Component usage: Which areas of their business use the affected component?
  • Vulnerability exploitation: What is the impact if attackers exploit the vulnerability?
  • Mitigation: What steps should they take to mitigate the risks?

This is the kind of situation in which the software bill of materials (SBOM) comes into play.

SBOM: Enhancing software supply chain visibility

To address this growing concern about software supply chain risks, the SBOM emerged as a critical component in this evolving threat landscape. An SBOM is a comprehensive inventory of all software components and dependencies used in building a particular piece of software. It provides a detailed record of the components, their versions, and the relationships between them, essentially functioning as a parts list for software. (The Software Package Data Exchange specification, SPDX 2.3, is a useful reference on SBOM formats.)

The three most important pieces of information in an SBOM are:

  • Component identification: This refers to the details about each software component, including its name, version, and unique identifiers.
  • Licensing information: This refers to the license details of the software components to ensure compliance with relevant licensing obligations.
  • Dependencies: This refers to information on the dependencies between components, including any open-source libraries or third-party software used.

When an incident occurs, the product security team can use this information to swiftly determine whether a product’s software includes any affected component and whether the versions match. Moreover, the same information lets the security team trace and investigate the entire supply chain: the team can promptly identify which products incorporate a specific open-source component, then identify the customers who purchased those products, and so notify affected customers immediately.
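The "are we affected?" workflow described above, as an added example that is not VicOne's or SPDX's own code: it reads a minimal SPDX 2.3-style SBOM (real SPDX field names; the package names, versions, SPDX IDs and the placeholder advisory are constructed for illustration), finds components whose name and version fall under the advisory, and walks the DEPENDS_ON relationships upward to list every component and product that inherits the exposure.

```python
import json
# Constructed SPDX 2.3-style SBOM for a hypothetical infotainment (IVI) image:
# field names follow SPDX 2.3, while package names, versions and IDs are made up.
SBOM_JSON = """{
 "spdxVersion": "SPDX-2.3", "name": "ivi-image-4.2",
 "packages": [
  {"SPDXID": "SPDXRef-ivi",  "name": "ivi-image", "versionInfo": "4.2.0",  "licenseConcluded": "NOASSERTION"},
  {"SPDXID": "SPDXRef-curl", "name": "curl",      "versionInfo": "7.88.1", "licenseConcluded": "curl"},
  {"SPDXID": "SPDXRef-ssl",  "name": "openssl",   "versionInfo": "3.0.8",  "licenseConcluded": "Apache-2.0"},
  {"SPDXID": "SPDXRef-zlib", "name": "zlib",      "versionInfo": "1.2.13", "licenseConcluded": "Zlib"}
 ],
 "relationships": [
  {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-ivi",  "relationshipType": "DESCRIBES"},
  {"spdxElementId": "SPDXRef-ivi",  "relatedSpdxElement": "SPDXRef-curl", "relationshipType": "DEPENDS_ON"},
  {"spdxElementId": "SPDXRef-curl", "relatedSpdxElement": "SPDXRef-ssl",  "relationshipType": "DEPENDS_ON"},
  {"spdxElementId": "SPDXRef-curl", "relatedSpdxElement": "SPDXRef-zlib", "relationshipType": "DEPENDS_ON"}
 ]
}"""

# Constructed advisory with a placeholder id: "openssl" versions below 3.0.9 are affected.
ADVISORY = {"id": "CVE-XXXX-PLACEHOLDER", "package": "openssl", "fixed_in": "3.0.9"}

def vtuple(version):
    """Dotted numeric version to a comparable tuple, e.g. "3.0.8" -> (3, 0, 8)."""
    return tuple(int(part) for part in version.split("."))

def affected_components(sbom, advisory):
    """Component identification: SPDXIDs whose name matches and whose version predates the fix."""
    return [p["SPDXID"] for p in sbom["packages"]
            if p["name"] == advisory["package"]
            and vtuple(p["versionInfo"]) < vtuple(advisory["fixed_in"])]

def dependents(sbom, target):
    """Dependency analysis: every element that directly or transitively DEPENDS_ON target."""
    reverse = {}  # dependency -> list of elements that depend on it
    for r in sbom["relationships"]:
        if r["relationshipType"] == "DEPENDS_ON":
            reverse.setdefault(r["relatedSpdxElement"], []).append(r["spdxElementId"])
    seen, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), []):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return sorted(seen)

def impact_report(sbom_json, advisory):
    """Map each affected component to the components and products that inherit its exposure."""
    sbom = json.loads(sbom_json)
    return {cid: dependents(sbom, cid) for cid in affected_components(sbom, advisory)}
```

For the constructed SBOM, `impact_report(SBOM_JSON, ADVISORY)` reports that the vulnerable openssl is pulled in through curl into the IVI image itself; mapping that product to the customers who bought it is a lookup against the organization's own sales records, which the SBOM does not contain.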

Benefits of using an SBOM

The increasing complexity and interdependence of software systems have made it difficult to track and manage the components that make up a software product. The use of an SBOM provides a structured approach to understanding the software supply chain by documenting its building blocks. It facilitates transparency and accountability in the development process, which are vital for security.

Stakeholders of the SDV ecosystem can take advantage of the benefits that the implementation of an SBOM brings, including:

  • Identifying vulnerabilities: Integrating an SBOM into the vulnerability management platform allows for automated checks against known, zero-day, and undisclosed vulnerabilities. This automated approach accelerates the identification of potential threats.
  • Licensing compliance: An SBOM offers a comprehensive inventory of software components, along with their corresponding licenses. This visibility enables organizations to easily verify their compliance with the licensing terms for each component integrated into their products or services.
  • Efficient risk management: With an SBOM, organizations can proactively identify and mitigate risks within their software supply chains, reducing the likelihood of disruptions or security breaches.
  • Streamlined software updates: An SBOM facilitates better tracking of software versions and dependencies, leading to more efficient and accurate software updates and patch management.
  • Dependency analysis: An SBOM reveals the interdependencies among different software components. By understanding these relationships, security professionals can pinpoint vulnerable components and assess the overall risk posture.

It is therefore not surprising that over the past few years, more standards and regulations have called for SBOMs. The significance of SBOMs has been acknowledged not only by the US federal government but also by the automotive industry. US President Joe Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity, issued in May 2021, requires companies selling software to the federal government to furnish a comprehensive SBOM. Certain countries are also actively considering making the SBOM a regulatory requirement, which would make it an essential prerequisite for vulnerability analysis in the automotive industry.

How to start your SBOM implementation

Traditionally, creating an SBOM involved the laborious process of manually recording software details on paper or in spreadsheets. For a modern car running over a hundred million lines of code, the task of manually entering and updating data becomes increasingly time-consuming and inefficient as the software scales and more components are added, sometimes even requiring daily updates. This places a heavy burden on employees and is an unwise use of their time. In addition, a manual process leaves the SBOM susceptible to errors, which not only carry legal implications but also hinder the early identification of vulnerabilities, eroding trust in the automotive supply chain.

To alleviate the burden of manual management, software composition analysis (SCA) tools tailored to the needs of the automotive industry are available. These specialized products automatically generate SBOMs and manage them efficiently, streamlining processes and strengthening cybersecurity practices across the industry.

In the second installment of this two-part series of articles, we discuss how organizations can optimize the benefits of using SBOMs to make connected cars more secure.
