From ac5f63076eb38a374d846db8ba625dab3c3c6cd3 Mon Sep 17 00:00:00 2001 From: Simon Becker <135833417+becker-s@users.noreply.github.com> Date: Fri, 28 Jul 2023 14:57:06 +0200 Subject: [PATCH] docs: add SBOM to assess --- radar/2023-09-01/sbom.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 radar/2023-09-01/sbom.md diff --git a/radar/2023-09-01/sbom.md b/radar/2023-09-01/sbom.md new file mode 100644 index 0000000..5e734bf --- /dev/null +++ b/radar/2023-09-01/sbom.md @@ -0,0 +1,25 @@ +--- +title: "Software Bill of Materials (SBOM)" +ring: assess +quadrant: platforms-and-aoe-services +tags: [devops, security] +--- + +A Software Bill of Materials (SBOM) is an artifact that consolidates information about the dependencies of a software. + +Multiple standards that define the contents and format of SBOMs exist. +The most prominent open-source formats include: + +- [CycloneDX](https://cyclonedx.org/) (OWASP): designed in 2017 with the goal to identify vulnerabilities in the software supply chain. +- [SPDX](https://spdx.dev/) (Linux Foundation): mainly focused on license compliance in the context of open source software. Support for tracking security vulnerabilities has been added in 2016 with SPDX 2.1. + +While the goals of these SBOM formats vary, they both support + +- automated generation of SBOMs from source code and +- machine-readable output to enable automated processing of SBOMs. + +We see potential for SBOMs to improve software supply chain security by facilitating + +- transparency regarding direct and transitive software dependencies, +- automated detection of software dependencies with known vulnerabilities and +- interoperability of security tools that support the same SBOM standards.
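Review bot: the closing "We see potential" list in this hunk claims "automated detection of software dependencies with known vulnerabilities", but nothing in the file says what produces that detection; the text only describes generating an SBOM, not consuming it. Suggest a sentence after that list stating that the detection depends on a separate tool matching the SBOM's component identifiers against a vulnerability database, and that an SBOM generated from source code lists declared dependencies, which can differ from what ends up in the built artifact, so the SBOM should be produced from the build output that is actually shipped. Two wording nits in the same hunk: "the dependencies of a software" reads better as "the dependencies of a piece of software", and "with the goal to identify vulnerabilities" as "with the goal of identifying vulnerabilities".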