Document SBOM use cases

[joshbressers]

TODO: What are the use cases? Document needs to fleshed out and structured. SBOM Use Cases for Security

Kathy Goeschel will take point Bunny Hernandez Cameron Banowsky David Wheeler willing to take a pass at adding in his thoughts. Ran Dall

[joshbressers]

We need to better define the scope and definitions for these use cases

[mrutkows]

This list of SBOM use cases relative to the data needed under CDX was invaluable to me in assessing completeness of SBOMs during SDLC... https://cyclonedx.org/use-cases/

[hepwori]

This from NTIA is a good SBOM use cases reference which I've found useful: https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf

[anthonyharrison]

I wrote a blog post which identified 4 use cases for SBOMs all related to managing risk:

• SBOMs should form part of your vulnerability management process by using them to scan for vulnerabilities when acquiring software from the supply chain and also understanding your vulnerability posture when releasing software to your users. As vulnerabilities are being discovered continuously, vulnerability scanning of released software should be proactively performed so that your users can be informed of any new vulnerabilities as they are discovered.
• SBOMs can also be used as part of an integrity checking process for components received from the supply chain as the metadata associated with each component typically includes checksums which are used primarily to protect against accidental corruption. These checksums can be used to validate that the components ‘as received’ are ‘as produced’ by the supplier. Cryptographically strong checksum algorithms may be used to detect deliberate corruption or to confirm the desired version of a component, if multiple versions are available.
• The continued use of obsolete or no longer supported software is a key risk to any solution, as this increases the potential that vulnerabilities could be exploited. By monitoring the supported versions of components against an SBOM, identification of software which may need additional measures in order to limit the likelihood of compromise can be performed.
• And finally using SBOMs to ensure that the components are being used in accordance with their licence is still a very important use case to consider as part of the overall risk management associated with the supply chain.