July 8, 2024 By Ben Ball 3 min read

The concept of a Software Bill of Materials (SBOM) was originally focused on supply chain security or supply chain risk management. The idea was that if you know how all the different tools and components of your application are connected, you can minimize the risk associated with any component if it becomes compromised. SBOMs have become a staple of most security teams because they offer a quick way to trace the “blast radius” of a compromised piece of an application.

Yet the value of an SBOM goes well beyond application security. If you know how an application is put together (all the connections and dependencies that exist between components), then you can also use that perspective to improve how an application operates. Think of it as the reverse of the security use case. Instead of cutting off a compromised application component to avoid downstream impacts, you’re optimizing a component so downstream systems will benefit.

The role of SBOMs in Application Management

In this sense, SBOMs fill a critical gap in the discipline of application management. Most application teams use many different single-purpose tools to manage specific aspects of application operations and performance, yet it is easy to lose the broader strategic perspective of an application in the silos that those toolsets create.

That loss of perspective is particularly concerning given the proliferation of application tools and the huge amount of data they create every day. All the widgets that optimize, monitor and report on applications can become so noisy that an application owner can simply drown in the data. That data exists for a reason: someone thought it needed to be measured. But it is only useful if it contributes to a broader application strategy.

An SBOM provides a more strategic view that can help application owners prioritize and analyze all the information they’re seeing from scattered toolsets and operating environments. It gives you a sense of the whole application, in all its glorious complexity and interconnectedness. That strategic view is a critical foundation for any application owner, because it places the data and dashboards created by siloed toolsets in context. It gives you a sense of what application tooling does and, more importantly, does not know.

SBOM maps of application dependencies and data flows can also point out observability gaps. Those gaps might be in operational components, which aren’t collecting the data that you need to gauge their performance. They could also be gaps between siloed data sources that require some way to provide context on how they interact.
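The two analyses described so far, tracing the blast radius of a compromised component (the security use case) and spotting components that no monitoring tool reports on (the observability-gap use case), both reduce to walking the dependency graph an SBOM already records. The following is an added example, not code from IBM or from IBM Concert. It uses a hand-constructed SBOM in the CycloneDX JSON layout (components with a `bom-ref`, and `dependencies` entries with `ref`/`dependsOn`); the package names, versions and the monitoring coverage set are hypothetical.

```python
"""Blast-radius and observability-gap analysis over a CycloneDX-style SBOM.

Added example, not IBM's or IBM Concert's code. SAMPLE_SBOM is a constructed
sample in the CycloneDX JSON layout; its package names and versions, and the
monitoring coverage set used in __main__, are hypothetical.
"""
from collections import defaultdict, deque

# Constructed sample SBOM. A real one would come from an SBOM generator;
# this one is hand-written so the example runs offline.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app:orders-api"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/webframework@2.1.0", "name": "webframework", "version": "2.1.0"},
        {"type": "library", "bom-ref": "pkg:pypi/templating@3.0.2", "name": "templating", "version": "3.0.2"},
        {"type": "library", "bom-ref": "pkg:pypi/db-driver@1.4.0", "name": "db-driver", "version": "1.4.0"},
        {"type": "library", "bom-ref": "pkg:pypi/serializer@0.9.1", "name": "serializer", "version": "0.9.1"},
        {"type": "library", "bom-ref": "pkg:pypi/logging-lib@5.2.0", "name": "logging-lib", "version": "5.2.0"},
    ],
    "dependencies": [
        {"ref": "app:orders-api", "dependsOn": [
            "pkg:pypi/webframework@2.1.0", "pkg:pypi/db-driver@1.4.0", "pkg:pypi/logging-lib@5.2.0"]},
        {"ref": "pkg:pypi/webframework@2.1.0", "dependsOn": [
            "pkg:pypi/templating@3.0.2", "pkg:pypi/serializer@0.9.1"]},
        {"ref": "pkg:pypi/db-driver@1.4.0", "dependsOn": ["pkg:pypi/serializer@0.9.1"]},
        {"ref": "pkg:pypi/templating@3.0.2", "dependsOn": []},
        {"ref": "pkg:pypi/serializer@0.9.1", "dependsOn": []},
        {"ref": "pkg:pypi/logging-lib@5.2.0", "dependsOn": []},
    ],
}


def reverse_dependency_graph(sbom):
    """Map each bom-ref to the set of refs that depend on it directly."""
    dependents = defaultdict(set)
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            dependents[dep].add(entry["ref"])
    return dependents


def blast_radius(sbom, compromised_ref):
    """Return every component transitively affected if compromised_ref is compromised.

    Breadth-first walk over the reverse dependency edges. The result excludes
    the compromised component itself; the seen set also guards against cycles.
    """
    dependents = reverse_dependency_graph(sbom)
    seen, queue = set(), deque([compromised_ref])
    while queue:
        ref = queue.popleft()
        for parent in dependents.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def observability_gaps(sbom, monitored_refs):
    """Return bom-refs present in the SBOM that no telemetry source reports on.

    monitored_refs is the set of bom-refs some monitoring tool covers. Here it is
    constructed; in practice it would be joined from your APM/logging inventory.
    """
    all_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        all_refs.add(root)
    return sorted(all_refs - set(monitored_refs))


if __name__ == "__main__":
    affected = blast_radius(SAMPLE_SBOM, "pkg:pypi/serializer@0.9.1")
    print("Blast radius of serializer@0.9.1:", sorted(affected))
    # Hypothetical coverage: only the application and db-driver emit metrics.
    gaps = observability_gaps(SAMPLE_SBOM, {"app:orders-api", "pkg:pypi/db-driver@1.4.0"})
    print("Components with no telemetry source:", gaps)
```

Running it shows that a compromised `serializer` reaches `webframework`, `db-driver` and the application itself, while `templating` and `logging-lib` are untouched; the gap check then lists the four libraries nothing is monitoring. The same reverse-edge walk serves both questions, which is the point the article makes: the graph built for security doubles as the map for operations.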

SBOMs in action with IBM Concert

SBOMs play a key role in IBM® Concert®, a new application management tool that uses AI to contextualize and prioritize the information flowing through siloed application toolsets and operating environments. Uploading an SBOM is the easiest way to get started with IBM Concert, opening the door to a 360° view of your application.

IBM Concert uses SBOMs first to define the contours of an application. Associating data flows and operational elements with a particular application can be tricky, especially when you’re dealing with an application that spans on-prem and cloud environments with interconnected data flows. An SBOM draws a definitive barrier around an application, so IBM Concert can focus on the data sets that matter.

SBOMs also give IBM Concert a handy overview of how different data elements within an application are related to one another. By defining those connections and dependencies in advance, IBM Concert can then focus on analyzing data flows across that architecture instead of trying to generate a theory of how an application operates from scratch.

SBOMs also assist IBM Concert by providing a standardized data format which identifies relevant data sources. While the “language” of every application may be different, SBOMs serve as a type of translation layer, which helps to differentiate risk data from network data, cost information from security information. With these guardrails in place, IBM Concert has a reference point to start its analysis.

Your next step: SBOMs as a source of truth

Since SBOMs are a staple of security and compliance teams, it’s likely that your application already has this information ready for use. It’s simply a matter of making sure your SBOM is up to date and then repurposing that information by uploading it into IBM Concert. Even this simple step will pave the way for valuable strategic insights into your application.
