The importance of software BOM for hardware security

We live in the era of smart products. The modern smartphone is a good confirmation of that. The average person today carries in a pocket a computer with computational capability equal to or greater than the computers the aerospace and defense industry used for navigation. In addition, your smartphone has communication capability (Wi-Fi and Bluetooth), which makes it even more powerful. If you think about the cost and availability of boards like Raspberry Pi and Arduino, you can understand why and how they are revolutionizing many products these days. However, the wide spread of these devices has drawbacks.

Smart products bring a new level of complexity everywhere. It starts from engineering and manufacturing, where you need to deal with complex multidisciplinary issues related to the combination of mechanical, electronic and software pieces. The last one is a critical addition to product information: the bill of materials has to cover not only mechanical and electronic parts, but also software elements.

Another aspect is related to the operation of all smart products. Because of the connectivity of these products, operating them requires dealing with software, data and other elements that can easily turn your manufacturing company into a web operations facility with servers, databases, etc.

As soon as devices are exposed to software, the problem of software component traceability becomes critical. Configuration management and updates are the starting point. But it quickly comes down to security, which is very critical today.

A GCN article, How secure are your open-source based systems?, speaks about the problem of security in open source software. Here is my favorite passage:

According to Gartner, 95 percent of all mainstream IT organizations will leverage some element of open source software – directly or indirectly – within their mission-critical IT systems in 2015. And in an analysis of more than 5,300 enterprise applications uploaded to its platform in the fall of 2014, Veracode, a security firm that runs a cloud-based vulnerability scanning service, found that third-party components introduce an average of 24 known vulnerabilities into each web application.

To address this escalating risk in the software supply chain, industry groups such as The Open Web Application Security Project, PCI Security Standards Council and Financial Services Information Sharing and Analysis Center now require explicit policies and controls to govern the use of components.

Smart products also leverage open source software. The security of connected devices and smart products is a serious problem to handle, which brings me to think about how hardware manufacturing companies can trace software elements and protect their products from a potential vulnerability.

What is my conclusion? Covering all aspects of product information, including software, becomes absolutely important. For many manufacturing companies, the information about mechanical, electronic and software components is siloed in different data management systems. In my 2015 PLM trends article, I mentioned the importance of new tools capable of managing multidisciplinary product information. Software BOM security is just one example of the trend. The demand for systems able to handle all aspects of the product BOM is increasing. Just my thoughts…
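To make the point about tracing software elements concrete, here is an added example (my illustration, not code from the post or from any PLM product): one product structure that holds mechanical, electronic and software components together, a function that extracts the software slice of the BOM with name, version, license and the source revision each release was built from, and a check of those software components against a list of known-vulnerability advisories. The product, the component names and versions, the git references and the advisory ids are all constructed placeholders; the version-range matching is a simple numeric comparison and is an assumption about how such a feed would express affected versions.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Component:
    """One node of the product structure; kind is mechanical, electronic or software."""
    name: str
    kind: str
    version: str
    license: Optional[str] = None
    source_ref: Optional[str] = None   # VCS revision the software release was built from
    children: List["Component"] = field(default_factory=list)


@dataclass
class Advisory:
    """Known-vulnerability record: affects versions in [introduced, fixed) of one component."""
    advisory_id: str
    component: str
    introduced: str
    fixed: Optional[str] = None        # None: no fixed version published yet


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.10' into (3, 0, 10) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def walk(node: Component, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Component]]:
    """Depth-first traversal yielding (path from root, component) for every node."""
    here = path + (node.name,)
    yield here, node
    for child in node.children:
        yield from walk(child, here)


def is_affected(adv: Advisory, version: str) -> bool:
    """True when version lies in the advisory's affected range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def software_bom(root: Component) -> List[dict]:
    """The software slice of the product BOM: name, version, license, source revision."""
    return [
        {"path": "/".join(p), "name": c.name, "version": c.version,
         "license": c.license, "source_ref": c.source_ref}
        for p, c in walk(root) if c.kind == "software"
    ]


def audit(root: Component, advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """Match every software component against the advisory list; returns (path, advisory id)."""
    findings = []
    for path, comp in walk(root):
        if comp.kind != "software":
            continue
        for adv in advisories:
            if adv.component == comp.name and is_affected(adv, comp.version):
                findings.append(("/".join(path), adv.advisory_id))
    return findings


def untraced_software(root: Component) -> List[str]:
    """Software releases with no link to a source revision: the BOM cannot be verified for them."""
    return ["/".join(p) for p, c in walk(root) if c.kind == "software" and not c.source_ref]


# Constructed sample product: mechanical, electronic and software parts in one tree.
PRODUCT = Component("smart-valve", "mechanical", "A", children=[
    Component("valve-body", "mechanical", "B"),
    Component("controller-pcb", "electronic", "3", children=[
        Component("mcu", "electronic", "1"),
        Component("firmware", "software", "2.4.1", license="Proprietary",
                  source_ref="git:0000000 (placeholder)", children=[
            Component("rtos", "software", "1.8.0", license="MIT", source_ref="git:1111111 (placeholder)"),
            Component("tls-lib", "software", "3.0.2", license="Apache-2.0", source_ref="git:2222222 (placeholder)"),
            Component("json-parser", "software", "0.9.5", license="BSD-3-Clause"),  # no source link recorded
        ]),
    ]),
])

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("EXAMPLE-2015-0001", "tls-lib", introduced="3.0.0", fixed="3.0.3"),
    Advisory("EXAMPLE-2015-0002", "json-parser", introduced="0.9.0", fixed=None),
    Advisory("EXAMPLE-2015-0003", "rtos", introduced="1.9.0", fixed="1.9.2"),
]

if __name__ == "__main__":
    for row in software_bom(PRODUCT):
        print(row)
    print("vulnerable:", audit(PRODUCT, ADVISORIES))
    print("untraced:", untraced_software(PRODUCT))
```

Two things the flat parts list of a mechanical BOM never had to answer fall out directly: which software nodes sit inside an affected version range (tls-lib and json-parser here, while the rtos version is below the advisory's introduced version), and which software release cannot be tied back to a source revision at all (json-parser), which is exactly the link Christoph asks for in the comments. The version parsing is deliberately numeric so that 3.0.10 compares above 3.0.2, a classic mistake when versions are compared as strings.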

Best, Oleg

photo credit: JulianBleecker via photopin cc


  • Hello Oleg,

    Interesting thoughts. Integrated product structures made up of a combination of mechanical, electrical and software design are one of the most challenging requirements for PLM. On one hand there is a “clash of cultures” between more conservative mechanical engineers and progressive software programmers. Mechanical engineers design physical objects which must fit together mechanically; most of them love the sunlight, work during the day and know the difference between broccoli and carrots. Software programmers design virtual things you cannot touch but which do impressive things; I’m not sure regarding their sunlight resistance, they work during the night and know all pizza service phone numbers by heart.
    Ok, a little bit of stereotyping and not meant so seriously.
    On the other hand there is the difference in the dynamics of “change cycles” during product development. The life cycle time is different and difficult to synchronize. A new revision for mechanical assemblies can take days or weeks; a new revision of firmware or another piece of software can take hours. Changes in physical structures need some coordination effort (collision detection, DMU, FEM etc. pp.); changes in software need (in the best case) only some minutes to run automated tests.
    In my opinion it is not possible to convince software programmers to give up working in SW-engineering specific IDEs like Eclipse, Visual Studio, NetBeans and others. I don’t know a PLM system which has the broad functionality to support a programmer’s daily work.
    But it is possible to integrate the working results in a combined product structure and synchronize pizza and broccoli 😉 into a common product structure tree. By working results I mean software releases, compiled code, running binaries – something like this. And of course you need a link to the source code version on which the release is based.
    That’s my 50 cents on this discussion. But maybe someone has had other experiences. I am looking forward to discussing it.


  • beyondplm

    Christoph, thanks a lot! Appreciate your insight and examples. I agree – it is hard to convince software devs to use tools for mechanical engineers. However, since end products are kind of integrated pizza and broccoli, using your language… companies must find a way to do so. I look forward to hearing more examples of how companies are doing it today. Best, Oleg

  • Derek E. Weeks

    The article you reference also directs readers to a free source for creating a software bill of materials. Whereas manual efforts could take hours or days, there are a number of free (and paid) tools for creating a bill of materials — some of which produce the BOM in about 5 minutes, while others may have turnarounds in as few as a couple of hours.

    BOMs vary in terms of the information provided, including the name, version, age, popularity, license types, known security vulnerabilities, dependencies, etc.

    In the paid category, I know that Veracode, Sonatype, and HP Fortify all have offerings. In the free category, there are offerings from OWASP (see OWASP Dependency Check) and Sonatype (see Application Health Check). As with all offerings, the paid versions often include more functionality than the free alternatives.

  • beyondplm

    Derek, thanks for your comment and tools reference. One of the challenges with some tools I’ve seen is the fact they are operating in silos – mechanical, electrical, software, etc. How can the tools you mentioned help to solve that problem?

  • Derek E. Weeks

    In reference to breaking down the silos, I think that is really a matter of a more sophisticated type of supply-chain management. At this point different people, tools and processes can feed the creation of an overall bill of materials. Where the physical bill of materials has been done for many years, the software bill of materials is something that is relatively new. Support for software bill of materials has been aided by the dramatic increase in use of identifiable and traceable open source components used when assembling modern apps today (many suggesting that OSS components make up 90% of an app).

    I hope you found this perspective helpful.

  • beyondplm

    Derek, thanks for your insight! You are right – different tools can feed an “overall” bill of materials. However, this is a challenge, since many companies have none.

    Some of my thoughts about that are here –> why companies are not ready for a single BOM

    thanks for your comments!
    best, Oleg
