SBOM’s Missing Ingredient: Ketchup

Marc Frankel
July 26, 2023

When we go to a grocery store, we take for granted that the items we put in our cart will be accompanied by a list of ingredients. It’s so prevalent that we don’t even think about it, and most of us don’t even think about a time when food didn’t have these lists. If we have a nut allergy, or if there’s an E. Coli outbreak in raisins, or a recall, all we have to do is look at the label to find out if we’re affected. And that’s because we’re ingesting these foods, and it’s important for us to know - quickly - if they’ll be safe to consume.

The same ought to be true of software.

Fortunately, governments around the world, from the US to Europe, are enacting new regulations that would make this a reality, through software bills of materials (SBOMs), which are often described as “software ingredients lists.” However, despite the clear value that software transparency brings in protecting the technology that supports our critical infrastructure and our way of life, certain parts of private industry have pushed back on this idea.

The road to get here hasn’t been smooth, but it’s not without precedent. I spent a bit of time recently learning about pushback to calls for transparency in food labeling to better understand how industries refute new requirements like this. The comparison between SBOMs and food labels isn’t perfect, but it was shocking to see virtually the exact same objections being raised in two different eras:

The government won’t understand what they’re looking at

“[Agencies] lack the sufficient knowledge and efficacy on the part of the officials charged with their enforcement.”  Food Industry, 1900.

“We… discourage agencies from requiring artifacts until… agencies are ready to consume the artifacts they request.” ITI, 2022.

It’s too expensive

“Many food industry lobbyists complained about the compliance costs of conforming [with labeling requirements].” Food industry, 1938.

“SBOM production and consumption can be a potentially costly distraction from more directly useful activities.” A comment on an NTIA publication, 2022.

Our ingredients are proprietary

“Associations of… producers of food product marketed based on geographic origin also wanted to protect their products from competition.” Food industry, 1901.

“In some cases, product developers may embed proprietary components whose inclusion is subject to a confidentiality agreement.” NTIA comments, 2021.

And so on. History may not repeat itself, but it certainly seems to rhyme.

In the end - for food at least - transparency won out. Industry leaders like H.J. Heinz (he of the famous ketchup dynasty) realized that transparency could become a marketing tactic and differentiator. Heinz’s biographer says, “[Heinz] knew that unscrupulous processors... were hurting all other manufacturers in the industry by creating suspicion of the quality and purity of all products on the market… The way to earn that confidence was to work in partnership with a federal regulatory agency. Regulation would make the industry respected and trusted – an achievement beyond any price.”

It’s true that software isn’t ketchup, but it is just as vital to our way of life today as food and water. From hospitals to manufacturing, transportation to how we fight wars, software touches virtually every aspect of our lives. In the early 1900s, forward-thinking policymakers and industry leaders recognized that society had an urgent need to know what was in food.

Today, we are on the verge of determining the same for software. And, just like with food, it will need strong cooperation - not detractors - between government and industry.
