SBOMs: Your Software Ingredient List Knowing what is in your software package is the first step in securing your software supply chain. Get your free Software Bill of Materials (SBOM) report now.

SBOM Facts

Why you need an SBOM

Comply with the Executive Order, and Get Ahead of Demand

In September of 2022, the White House Office of Management and Budget (“OMB”) published memo M-22-18 directing federal agencies to adopt guidelines that NIST developed in response to Executive Order 14028 for Improving the Nation’s Cybersecurity. The memo makes clear that SBOMs are the preferred method for demonstrating conformance with the NIST secure software development practices. Plus, more companies in the private sector are expected to require them.

Learn More About SBOMs

What Is an SBOM? A List of Ingredients

A Software Bill of Materials is a listing of all components and dependencies in an application. While SBOMs are not a new invention, their use has been limited to date. Even today, the process for assembling SBOMs is often manual and their audience has historically been internal development teams, not external customers and auditors looking to secure their software supply chains. This change means that modern SBOMs must be comprehensive, accurate, and cover the entire dependency hierarchy to deliver value.


With ReversingLabs, See Components Others Miss

SBOMs must uncover all components, regardless of source, type or whether it is embedded, compressed or encoded. Component lists generated by automated build systems are rarely comprehensive enough to be useful SBOMs, since there are ways to add components to code, containers, installers or commercial libraries without declaring them on build or package manifests.

Dig Deeper Into Dependencies

Dig Deeper Into Dependencies

Your software relies on components (internally developed, open source, proprietary), which rely on components, which rely on still more components. To be effective, SBOMs need to capture this entire hierarchy - the trunk and every branch and leaf. Without dependency depth, your response to newly reported software supply chain vulnerabilities will be incomplete and needlessly time consuming.

Verify Component Accuracy

Verify Component Accuracy

Each component in the software you use should be what the SBOM says it is. Verification checks are needed to ensure no misleading or missing information about the software publisher, product, or its version is overlooked, which could complicate future vulnerability matching.

What to Expect


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.