It depends. If the organization creates its software, then an SBOM shall be used to monitor new vulnerabilities in order to fix them on time and alert the customers.
If the organization is only using the software (supply chain), it should ask the vendor, for its critical software, to provide an SBOM in a format that allows self-check of vulnerabilities (zero trust). For non-critical software, the company should address the responsibility in the software procurement agreement: who is responsible for monitoring vulnerabilities, the alerting/fix/mitigation SLA, etc.
A recommended free tool for SBOM tracking is Dependency-Track, which can handle SBOM files in the CycloneDX format. There are other formats, like SPDX, and other tools (some open source and some commercial).
The most important thing to remember is that an SBOM builds trust between SW vendors and consumers. All sides should be alert to a new 0-day that becomes a known vulnerability and protect their customers.
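As an added illustration of the "self-check" the answer recommends (example code, not part of the original post or of Dependency-Track): a consumer parses a vendor-supplied CycloneDX JSON SBOM and matches each component's purl against its own advisory list. The SBOM, the component purls and the advisory entries below are constructed for this example; advisory identifiers are placeholders.

```python
import json

# Constructed minimal CycloneDX JSON document; the packages and versions are invented.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-log", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-log@2.14.1?type=jar"},
    {"type": "library", "name": "example-json", "version": "2.9.0",
     "purl": "pkg:npm/example-json@2.9.0"},
    {"type": "library", "name": "example-xml", "version": "1.3.0",
     "purl": "pkg:pypi/example-xml@1.3.0"}
  ]
}"""

# Constructed advisory feed: versionless purl -> [(introduced, fixed_in, advisory id placeholder)].
# A component is affected when introduced <= its version < fixed_in.
ADVISORIES = {
    "pkg:maven/org.example/example-log": [("0", "2.15.0", "ADV-PLACEHOLDER-1")],
    "pkg:npm/example-json": [("2.8.0", "2.8.5", "ADV-PLACEHOLDER-2")],
}

def parse_version(v):
    # Simple dotted-numeric comparison; non-numeric parts compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def split_purl(purl):
    # "pkg:type/ns/name@version?qualifiers" -> ("pkg:type/ns/name", "version")
    base, _, rest = purl.partition("@")
    return base, rest.split("?", 1)[0]

def load_components(sbom_text):
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in doc.get("components", []) if "purl" in c]

def find_vulnerable(sbom_text, advisories):
    # Returns (purl, advisory id, fixed-in version) for every affected component.
    hits = []
    for comp in load_components(sbom_text):
        base, version = split_purl(comp["purl"])
        v = parse_version(version or comp.get("version", "0"))
        for introduced, fixed, adv_id in advisories.get(base, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                hits.append((comp["purl"], adv_id, fixed))
    return hits

if __name__ == "__main__":
    for purl, adv_id, fixed in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{purl}: affected by {adv_id}, fixed in {fixed}")
```

Only example-log is reported: its 2.14.1 falls below the 2.15.0 fix, while example-json 2.9.0 lies outside its advisory's range.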
Hi @ZvikaRonen, possibly you have any inputs/insights in relation to this question?