Khirawdhi Ray

Systems. Security. Thoughts.

SBOMs Are Not Enough: What Real Supply Chain Security Looks Like

by

khirawdhi
in , , ,

Software supply chain security has become one of the most talked-about topics in modern engineering and for good reason.

Attacks are no longer just about exploiting running applications, they are increasingly about poisoning what gets built, shipped, and trusted in the first place.

In response, the industry has rallied around one key concept: the Software Bill of Materials (SBOM).

It sounds promising. A complete inventory of all components in your software. Transparency. Traceability. Control. But here’s the uncomfortable truth: SBOMs are necessary but they are not even close to sufficient.

What SBOMs Actually Give You

An SBOM is essentially a list of ingredients:

  • Libraries and dependencies
  • Versions
  • Licenses
  • Sometimes transitive dependencies

Think of it like reading the label on packaged food. You know what’s inside but that doesn’t mean the food is safe.

SBOMs help answer:

  • What are we running?
  • Are we using a vulnerable library?
  • Do we have exposure to known CVEs?

This is valuable. But it’s only visibility, not security.

The Illusion of Security

The danger with SBOMs is subtle: they create a false sense of completeness.

You might think:

  • “We generate SBOMs, so we’re secure.”
  • “We scan dependencies, so we’re covered.”

But supply chain attacks don’t just exploit known components. They exploit:

  • Build pipelines
  • Signing systems
  • Developer environments
  • Dependency trust models

An SBOM tells you what is included. It does not tell you whether you can trust how it got there.

Where SBOMs Fall Short

1. No Integrity Guarantees

An SBOM does not prove that the artifact hasn’t been tampered with. If an attacker injects malicious code during build:

  • Your SBOM will still look perfectly valid
  • The compromise remains invisible

2. No Provenance

SBOMs don’t answer:

  • Who built this artifact?
  • Where was it built?
  • Was the environment trusted?

Without provenance, you’re trusting outputs without verifying their origin.

3. No Runtime Context

SBOMs are static. They don’t tell you:

  • What is actually loaded at runtime
  • What code paths are executed
  • Whether a vulnerable component is exploitable

4. No Protection Against Malicious Dependencies

A dependency can be:

  • Not vulnerable
  • Still malicious

SBOMs track components but not intent.

5. No Defense Against Pipeline Compromise

If your CI/CD is compromised:

  • Attackers can inject backdoors
  • Sign malicious artifacts
  • Ship them through trusted channels

Your SBOM will happily document the compromised output.

What Real Supply Chain Security Looks Like

To move beyond SBOMs, you need to think in terms of trust, integrity, and verification across the entire lifecycle.

1. Provenance: Know Where It Came From

Every artifact should answer:

  • Who built it?
  • From which source?
  • Using what process?

This is where frameworks like SLSA come in.

At higher SLSA levels:

  • Builds are tamper-resistant
  • Provenance is cryptographically verifiable
  • Pipelines are hardened and isolated

Without provenance, you are trusting artifacts blindly.

2. Reproducible Builds: Trust Through Determinism

A powerful concept: If I build the same source, I should get the exact same binary.

Reproducibility allows you to:

  • Detect tampering
  • Verify integrity independently

If outputs differ, something is wrong.

3. Artifact Signing and Verification

Every artifact should be:

  • Signed at build time
  • Verified before deployment

Modern approaches use tools like Sigstore:

  • Keyless signing
  • Transparency logs
  • Identity-bound signatures

This ensures:

  • Only trusted artifacts run
  • Tampered artifacts are rejected

4. Secure CI/CD Pipelines

Your pipeline is part of your attack surface.

Harden it like production:

  • Isolate build environments
  • Use ephemeral runners
  • Enforce least privilege
  • Prevent direct artifact modification

Treat CI/CD as a high-value target, not just automation.

5. Dependency Trust, Not Just Dependency Tracking

Instead of just listing dependencies:

  • Verify their source integrity
  • Pin versions and hashes
  • Use trusted registries
  • Monitor for anomalous updates

Supply chain attacks often exploit:

  • Typosquatting
  • Dependency confusion
  • Maintainer compromise

6. Runtime Enforcement

Security doesn’t stop at build time. Enforce at runtime:

  • Only signed images can run
  • Block unknown or untrusted binaries
  • Use admission controllers in Kubernetes
  • Monitor behavior, not just composition

7. Continuous Verification

Security is not a one-time scan. Continuously:

  • Re-evaluate dependencies
  • Monitor for new vulnerabilities
  • Validate signatures and provenance
  • Audit pipeline integrity

A Better Mental Model

SBOMs answer: “What is inside?”

Real supply chain security asks: “Can I trust this, end to end?”

The Shift: From Visibility to Trust

The industry is moving from:

  • Inventory → Integrity
  • Awareness → Assurance
  • Listing → Verifying

SBOMs are just the starting point.

Without:

  • Provenance
  • Signing
  • Reproducibility
  • Pipeline security

,you are still exposed.

Final Thought

Supply chain security is not about knowing what you have.

It is about knowing that what you have has not been silently altered somewhere along the way.

And that requires more than a list.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *