A place for the InfoSec community to share and celebrate real stories of organizations successfully using SBOMs (and other bills of material) to actually manage and reduce security risk in meaningful ways.
Depending on who you ask in the InfoSec community, SBOMs are going to radically improve the state of software security around the world OR they're a total waste of time.
It's high time we found a better way to cut through the noise and make it easier for the InfoSec community to share and learn from SBOM success stories, so that folks can figure out how to get value out of, or provide value with, SBOMs in their organizations.
This is the stated purpose of the...
Do you want to help organizations see the light around how to use SBOMs (and other BOM types) in practical ways that actually provide value? Submit a pull request to add to the table below!
Organization Name or Description | BOM Type (SBOM, SaaSBOM, HBOM, etc.) | Use Case Category | Use Case | Citation |
---|---|---|---|---|
EXAMPLE: ACME Inc. | SBOM | Emergency Vulnerability Incident Response | ACME Inc. used their vendors' SaaSBOMs to identify and contact vendors vulnerable to Log4Shell. Most vendors had already begun remediating, but a few vendors triggered their incident response process *because* ACME had contacted them quickly | [BSidesFoobar 2023] Finally: a real example of SBOMs providing tangible security value |
EXAMPLE: Fortune 500 Bank | SaaSBOM | New Vendor Security Risk Assessments | A Fortune 500 bank began requiring SaaSBOMs from their critical SaaS application providers that process regulated data (PII, PHI, PCI, etc.). Because of the added visibility into their SaaS vendors' software currency (or lack thereof), they were able to deny procurement requests for 10 vendors that would have otherwise been approved while helping the business find alternative, more secure vendors | Trust us: a real and honest customer case study for how to get practical value from SaaSBOMs (from SBOMify Inc.) |
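
The ACME row above describes triaging vendor SaaSBOMs to find who needs contacting about Log4Shell. As an added illustration (not code from this page or from any organization listed in the table), the Python below walks constructed CycloneDX JSON BOMs, including nested components and purl-only entries, and lists the vendors whose BOMs contain an affected log4j-core. The 2.17.1 threshold, the vendor names and the BOM contents are assumptions made for the example.

```python
import json
from itertools import takewhile
# Assumed triage policy for this example (not a value from the page): a vendor whose BOM
# contains log4j-core 2.x below FIXED_VERSION goes on the contact list.
FIXED_VERSION = "2.17.1"
LOG4J_GROUP, LOG4J_NAME = "org.apache.logging.log4j", "log4j-core"

# Constructed sample SaaSBOMs in CycloneDX JSON form, keyed by vendor; not real vendor data.
VENDOR_SBOMS = {
    "vendor-a": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "group": LOG4J_GROUP, "name": LOG4J_NAME, "version": "2.14.1"}]}),
    "vendor-b": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "group": LOG4J_GROUP, "name": LOG4J_NAME, "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.1"}]}),
    # Here log4j-core is identified only by purl and is nested inside a bundled application.
    "vendor-c": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "application", "name": "reporting-service", "version": "3.2", "components": [
            {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}]}]}),
}

def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); pre-release tags are dropped, so '2.0-beta9' -> (2, 0) (conservative)."""
    return tuple(int("".join(takewhile(str.isdigit, p)) or 0) for p in v.split("."))

def walk_components(node: dict):
    """Yield every component in a CycloneDX BOM, descending into nested components."""
    for c in node.get("components", []):
        yield c
        yield from walk_components(c)

def affected_log4j(sbom: dict, fixed: str = FIXED_VERSION) -> list:
    """Return [(name, version)] for each log4j-core 2.x component below `fixed`."""
    hits = []
    for c in walk_components(sbom):
        purl = c.get("purl", "")
        by_coords = c.get("group") == LOG4J_GROUP and c.get("name") == LOG4J_NAME
        by_purl = purl.startswith(f"pkg:maven/{LOG4J_GROUP}/{LOG4J_NAME}@")
        if by_coords or by_purl:
            version = c.get("version") or purl.rsplit("@", 1)[1].split("?")[0]
            parsed = parse_version(version)
            # Log4Shell is a 2.x-line issue, so a 1.x log4j-core is not flagged by this check.
            if parsed[0] == 2 and parsed < parse_version(fixed):
                hits.append((LOG4J_NAME, version))
    return hits

def triage_vendors(sboms: dict) -> dict:
    """Map vendor -> affected log4j-core hits, keeping only vendors that must be contacted."""
    found = {vendor: affected_log4j(json.loads(raw)) for vendor, raw in sboms.items()}
    return {vendor: hits for vendor, hits in found.items() if hits}
```

Running `triage_vendors(VENDOR_SBOMS)` yields vendor-a (2.14.1) and vendor-c (2.0-beta9, found via purl inside a nested component) and leaves vendor-b out because it is already on 2.17.1.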