Software security is at the heart of cybersecurity. Securing software has become much more difficult in recent years because software developers no longer write all of the code in their products themselves; in fact, they don't even come close to doing that.

Today, up to 90% of the code in most software products and intelligent devices consists of components developed by a multitude of third parties, including both commercial developers and open source communities. The average software product today contains over one hundred of these third party components, and many products contain thousands.

While use of components has made software in general much less expensive and easier to build, the downside is that third-party components introduce unknown risks into software products. How can organizations that use software (i.

e. , almost every organization on the planet) protect themselves from component risks in the software they use?The first step in protecting against a risk is knowing about it.

That is where software bills of materials (SBOMs) and their companion documents, vulnerability exploitability exchange (VEX), come in. If properly used, SBOMs can help any organization identify where their biggest cyber risks lie, as well as coordinate with their software suppliers to protect against these risks.

However, despite widespread recognition of the importance of SBOM and VEX, today they are not being used to any significant degree outside of the commmunity of software developers (where they are being used very heavily). This book explores the reasons why that is the case, as well as what can be done - and is being done today - to make SBOM and VEX an integral part of today's cybersecurity landscape.

. .