Understanding the Differences Between SBOM and SOUP
In the realm of medical device cybersecurity, both SBOM (Software Bill of Materials) and SOUP (Software of Unknown Provenance) are critical concepts that play different roles in ensuring the security and compliance of a device. While they may seem related, they serve distinct purposes, and knowing the differences can help manufacturers build a secure product.
SBOM (Software Bill of Materials)
An SBOM is a comprehensive list of all the software components used in a product, including open-source libraries, third-party components, and proprietary software. The SBOM helps identify what software is running within the device, providing transparency and allowing for effective management of vulnerabilities.
Key Inclusions in an SBOM:
Component Name: The name of each software component used in the device.
Version Information: The specific version of the software component, which is crucial for tracking vulnerabilities.
Supplier Information: Details about who provided the software component, whether it is a third-party vendor or an open-source community.
Licensing Information: Documentation of the licensing terms and any restrictions related to the software.
Cryptographic Hash: A unique fingerprint of each software component, so that the component actually shipped can be verified against the one listed and any tampering or substitution detected.
Dependencies: Details about any other software components that each part relies on.
The SBOM provides a roadmap for managing cybersecurity risks, ensuring that software vulnerabilities can be identified, monitored, and mitigated throughout the device's lifecycle.
SOUP (Software of Unknown Provenance)
SOUP refers to software components that are used in a medical device but were not developed specifically for that device and lack full development or validation records. This often includes commercial off-the-shelf (COTS) software or open-source software that hasn't been tailored to the device's specific environment.
Key Inclusions in SOUP Documentation:
Identification of SOUP Components: Clearly identifying which software components are SOUP, including name, version, and supplier information.
Rationale for Use: Justification for why SOUP was chosen and the benefits it brings to the device's functionality.
Risk Assessment: Detailed risk assessment and analysis of potential vulnerabilities and weaknesses in the SOUP.
Validation and Testing: Information about the testing and validation processes performed on the SOUP to ensure it meets the necessary safety and security standards.
Monitoring and Patch Management: An outline of how SOUP components will be monitored for vulnerabilities over time, including a process for managing patches and updates.
Mitigation Strategies: Strategies in place to mitigate any risks associated with using SOUP in the device.
While SBOM gives a full picture of what is inside a device, SOUP refers specifically to those components that come with inherent risks due to their unknown or incomplete provenance.
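As an added illustration of the relationship described above (this is example code written for this page, not part of the original article or any particular SBOM standard), the script below loads a small constructed SBOM carrying the six inventory fields listed earlier, checks each entry for missing fields and for a hash that does not match the shipped artefact, derives the SOUP subset from a "provenance" block (an assumed field modelling "not developed for this device" and "no validation records"), reports which of the SOUP documentation items are absent, and walks the dependency list to show which SOUP components a proprietary component pulls in. The JSON layout, the component names, and the artefact bytes are all constructed for the example.

```python
import hashlib
import json

# Constructed stand-ins for the packaged component files (not real artefacts),
# so the cryptographic-hash check can run offline.
ARTIFACTS = {
    "infusion-ui": b"constructed: proprietary ui build 3.2.0",
    "zlib": b"constructed: zlib 1.2.13 source tarball",
    "rtos-kernel": b"constructed: vendor rtos kernel 7.1",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed SBOM in a simplified JSON shape (an assumption, not a particular
# standard). The six inventory fields follow the article; the "provenance" and
# "soup_documentation" blocks are added here to model the SOUP records.
SBOM_JSON = json.dumps({
    "components": [
        {"name": "infusion-ui", "version": "3.2.0", "supplier": "Example Medical Inc.",
         "license": "proprietary", "sha256": sha256_hex(ARTIFACTS["infusion-ui"]),
         "dependencies": ["zlib", "rtos-kernel"],
         "provenance": {"developed_for_device": True, "validation_records": True}},
        {"name": "zlib", "version": "1.2.13", "supplier": "zlib open-source project",
         "license": "Zlib", "sha256": sha256_hex(ARTIFACTS["zlib"]),
         "dependencies": [],
         "provenance": {"developed_for_device": False, "validation_records": False},
         "soup_documentation": {
             "rationale": "compression for log export",
             "risk_assessment": "decompression of untrusted input reviewed",
             "validation_testing": "unit and fuzz tests on device build",
             "monitoring_patching": "tracked via vendor advisories, quarterly review",
             "mitigation": "input size limits, no network exposure"}},
        {"name": "rtos-kernel", "version": "7.1", "supplier": "RTOS Vendor Ltd.",
         # "license" deliberately omitted: an incomplete SBOM entry.
         "sha256": "0" * 64,   # deliberately wrong: simulates a mismatched artefact
         "dependencies": [],
         "provenance": {"developed_for_device": False, "validation_records": False},
         "soup_documentation": {
             "rationale": "real-time scheduling",
             "risk_assessment": "privilege boundaries reviewed"}},
    ]
})

REQUIRED_FIELDS = ("name", "version", "supplier", "license", "sha256", "dependencies")
SOUP_DOC_ITEMS = ("rationale", "risk_assessment", "validation_testing",
                  "monitoring_patching", "mitigation")

def load_sbom(text: str) -> dict:
    """Parse the SBOM into {component name: entry}."""
    return {c["name"]: c for c in json.loads(text)["components"]}

def sbom_gaps(comps: dict) -> dict:
    """Components missing any of the inventory fields an SBOM entry should carry."""
    gaps = {n: [f for f in REQUIRED_FIELDS if f not in c] for n, c in comps.items()}
    return {n: g for n, g in gaps.items() if g}

def is_soup(comp: dict) -> bool:
    """SOUP: not developed for this device, or lacking development/validation records."""
    p = comp.get("provenance", {})
    return not (p.get("developed_for_device") and p.get("validation_records"))

def soup_components(comps: dict) -> list:
    return sorted(n for n, c in comps.items() if is_soup(c))

def soup_doc_gaps(comps: dict) -> dict:
    """For each SOUP component, which of the SOUP documentation items are absent."""
    result = {}
    for n in soup_components(comps):
        docs = comps[n].get("soup_documentation", {})
        missing = [k for k in SOUP_DOC_ITEMS if k not in docs]
        if missing:
            result[n] = missing
    return result

def integrity_mismatches(comps: dict, artifacts: dict) -> list:
    """Components whose recorded hash does not match the artefact actually shipped."""
    return sorted(n for n, c in comps.items()
                  if n in artifacts and c.get("sha256") != sha256_hex(artifacts[n]))

def soup_reachable_from(comps: dict, root: str) -> list:
    """SOUP components in the transitive dependency closure of `root`."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in seen or n not in comps:
            continue
        seen.add(n)
        stack.extend(comps[n].get("dependencies", []))
    return sorted(n for n in seen if n != root and is_soup(comps[n]))

if __name__ == "__main__":
    comps = load_sbom(SBOM_JSON)
    print("SOUP components:", soup_components(comps))
    print("SBOM field gaps:", sbom_gaps(comps))
    print("SOUP documentation gaps:", soup_doc_gaps(comps))
    print("Hash mismatches:", integrity_mismatches(comps, ARTIFACTS))
    print("SOUP reachable from infusion-ui:", soup_reachable_from(comps, "infusion-ui"))
```

Run as-is, the script reports both third-party components as SOUP, flags the RTOS entry for a missing license field, three missing SOUP documentation items and a hash mismatch, and shows that the proprietary UI component depends on both SOUP components. The point is that the SOUP review is a filter applied over the SBOM inventory, not a separate list maintained by hand, which is why an incomplete SBOM entry weakens the SOUP documentation built on it.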
Why Both Are Important
SBOM provides transparency for manufacturers, regulators, and end-users about the software composition of a device, which is vital for vulnerability management and cybersecurity assessments. SOUP, on the other hand, highlights the risks associated with pre-existing software components and emphasizes the need for thorough risk assessments and continuous monitoring.
For manufacturers, both SBOM and SOUP are essential tools to ensure that all software components, regardless of their origin, are adequately managed and meet the necessary safety and security standards as per regulatory requirements. This proactive approach ultimately contributes to safer and more secure medical devices.