Glossary term
SBOM
Also: Software Bill of Materials
Machine-readable inventory of all components in a software incl. versions, licences and dependencies. Formats: SPDX, CycloneDX, SWID. Mandatory in regulated areas; in the US driven by Executive Order 14028.
Purpose: supply-chain transparency. When a new CVE emerges (e.g. Log4Shell), you must be able to answer within minutes which products are affected. Without SBOM, this takes weeks.
Formats: CycloneDX (OWASP, compact, widely used), SPDX (Linux Foundation, standard for open-source licences), SWID Tags (ISO/IEC 19770-2). Tools: Anchore Syft, CycloneDX CLI, Microsoft SBOM Tool.
Related: VEX (Vulnerability Exploitability eXchange) complements SBOM with whether a found CVE is actually exploitable. SBOM + VEX is the minimum for a serious vulnerability-management process.
Related terms
CVE
Global identifier for publicly known security vulnerabilities in software and hardware. Format CVE-Y…
Supply Chain Risk
Risks from the software and hardware supply chain: compromised open-source packages, build-pipeline …
TPRM
Discipline and tool category for governing risks from external providers (SaaS, cloud, outsourcing, …
SASE
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FW…
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
SIEM (Security Information and Event Management)
A platform that centralises security logs, enables long-term retention, runs correlation rules and s…
SOC 2 Type 2
Audit report by a US public accountant under AICPA SSAE 18 standard, confirming the operating effect…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…