Beyond the Software Bill of Materials (SBOM): Ensuring Integrity with Attestations – Event Recap

March 25, 2025 | April 1st, 2025 | Blog
Tags: SBOM, Event Recap

On March 5th, the SBOMit community hosted the Beyond the SBOM: Ensuring Integrity with Attestations event at The National Press Club in Washington, D.C. This event, co-located with OpenSSF Policy Summit DC, brought together industry leaders to address the limitations of single SBOMs and even signed SBOMs in ensuring software supply chain security. Attendees explored the critical role of attestations in verifying and enhancing SBOM integrity and took part in engaging breakout sessions.

With software security threats on the rise, protecting the supply chain has never been more critical. Modern applications rely heavily on third-party libraries, which make up 79% of an average application’s code. A single vulnerability in a widely used library can expose entire systems, as past cybersecurity incidents have shown. This event aimed to tackle these challenges by discussing solutions beyond traditional SBOMs.

Key Themes & Takeaways

The Limitations of SBOMs

While SBOMs are an essential tool for software transparency, they fall short in ensuring security. They provide only a static representation of software components, capturing a snapshot but not accounting for runtime integrity or post-signing modifications. Additionally, the trustworthiness of a signed SBOM is entirely dependent on the security of its signing key—if compromised, the integrity of the SBOM is at risk. Another limitation is the lack of granular verification, as SBOMs do not inherently prove how software was built, tested, or deployed, leaving gaps in security assurance.

The Role of Attestations

Attestations offer a cryptographically verifiable way to ensure software provenance, security practices, and compliance. They strengthen trust by validating build processes and runtime integrity, mitigating risks associated with compromised signing keys. Additionally, attestations provide greater transparency into software development and deployment practices, making them a critical addition to SBOMs.

Industry Insights

Speakers at the event shared real-world challenges and solutions for improving software supply chain security. Ian Dunbar-Hall (Lockheed Martin) highlighted security risks in critical infrastructure and how attestations can help mitigate them.

Session Highlights

The event featured engaging discussions on technical implementation strategies and policy frameworks for attestations. Participants explored how organizations can integrate attestations into existing SBOM workflows and improve software security at scale.

What’s Next for the Industry?

The key takeaway? SBOMs alone are not enough—attestations are a crucial component in ensuring software integrity. Moving forward, the industry must increase adoption of attestations alongside SBOMs, foster collaboration between open-source communities, enterprises, and policymakers, and develop automated verification tools to enhance software supply chain security.

During the event, key leaders proposed actionable next steps. Allan Friedman (Cybersecurity and Infrastructure Security Agency) suggested creating a document outlining key lessons and a shared direction for improving SBOM security. CRob (OpenSSF) recommended developing a roadmap and engaging the broader community. Sarah Evans (Dell) emphasized the need for a prototype to demonstrate attestation benefits.

Get Involved

The discussion doesn’t stop here! Here’s how you can stay engaged:

  • Join the Conversation: Get involved in the SBOMit community on Slack: SBOMit Slack Channel
  • Stay Connected: Follow up with event speakers for further insights and collaboration opportunities.

A huge thank you to all our speakers, participants, and organizers for making this event a success. We look forward to continuing the conversation and driving meaningful progress in software supply chain security!