Assess and Act
Converting SBOM intelligence into operational decisions and risk mitigation
Collecting SBOMs, validating quality, monitoring updates—these activities generate visibility. But visibility without action is voyeurism, not security. The purpose of software transparency isn't knowing what components exist. It's making better decisions: Which vulnerabilities demand immediate patching? Which vendors pose unacceptable supply chain risk? Which products should be prioritized for upgrade? Which license violations require remediation? Assessment transforms data into decisions, and decisions must drive action.
Organizations that treat SBOM programs as information gathering exercises miss the point. SBOM utility isn't measured by repository size or collection rates. It's measured by decisions improved and risks reduced. Did faster vulnerability assessment prevent breach? Did component visibility guide better procurement? Did license analysis avoid compliance violations? Assessment and action close the loop converting transparency investment into security outcomes.
Assessment Frameworks
Different operational contexts require different assessment approaches and decision criteria.
Vulnerability Risk Assessment
Most immediate SBOM application: determining which vulnerabilities in which products require which responses with what urgency.
Multi-factor risk scoring:
def calculate_vulnerability_risk(component, cve, product, deployment):
"""Comprehensive vulnerability risk assessment"""
# Base severity from CVSS
base_score = cve['cvss_score'] # 0-10
# Exploitability adjustment
exploit_multiplier = 1.0
if cve['exploit_available']:
exploit_multiplier = 1.5
if cve['exploited_in_wild']:
exploit_multiplier = 2.0
# Exposure adjustment
exposure_multiplier = 1.0
if deployment['internet_facing']:
exposure_multiplier = 1.5
if deployment['authenticates_users']:
exposure_multiplier = 1.8
if deployment['processes_sensitive_data']:
exposure_multiplier = 2.0
# Component criticality adjustment
criticality_multiplier = 1.0
if component['role'] == 'authentication':
criticality_multiplier = 1.8
elif component['role'] == 'data_processing':
criticality_multiplier = 1.5
elif component['role'] == 'logging':
criticality_multiplier = 0.8
# VEX status adjustment
vex_multiplier = 1.0
vex_status = lookup_vex_status(product, cve['id'])
if vex_status == 'not_affected':
vex_multiplier = 0.0 # VEX confirms not exploitable
elif vex_status == 'fixed':
vex_multiplier = 0.3 # Patch available, just needs deployment
elif vex_status == 'affected':
vex_multiplier = 1.2 # Vendor confirms vulnerability applies
# Calculate composite risk score
risk_score = (
base_score *
exploit_multiplier *
exposure_multiplier *
criticality_multiplier *
vex_multiplier
)
# Categorize
if risk_score >= 15:
return {'score': risk_score, 'priority': 'CRITICAL', 'sla_hours': 24}
elif risk_score >= 10:
return {'score': risk_score, 'priority': 'HIGH', 'sla_hours': 72}
elif risk_score >= 5:
return {'score': risk_score, 'priority': 'MEDIUM', 'sla_days': 30}
else:
return {'score': risk_score, 'priority': 'LOW', 'sla_days': 90}Multi-factor assessment prevents simplistic CVSS-only decisions. High-CVSS vulnerability in component not exposed to attacks might be lower priority than medium-CVSS vulnerability in internet-facing authentication service. VEX "not_affected" status might eliminate concern entirely despite vulnerability existing in component.
Assessment workflow:
- Identify: New CVE published or discovered in SBOM analysis
- Correlate: Query SBOM repository for products containing affected component
- Contextualize: Gather VEX status, deployment context, component criticality
- Calculate: Apply risk scoring algorithm
- Prioritize: Rank vulnerabilities by composite risk score
- Assign: Route to appropriate teams based on product ownership
- Track: Monitor remediation progress against SLA targets
Supplier Risk Assessment
SBOMs enable quantitative supplier evaluation based on actual software composition rather than marketing claims.
Supplier scorecard framework:
def assess_supplier_risk(supplier, sboms):
"""Evaluate supplier based on SBOM analysis"""
scores = {
'component_hygiene': 0, # 0-100
'vulnerability_mgmt': 0, # 0-100
'license_compliance': 0, # 0-100
'transparency': 0, # 0-100
'responsiveness': 0 # 0-100
}
# Component hygiene assessment
total_components = sum(len(sbom['components']) for sbom in sboms)
outdated_components = count_outdated_components(sboms)
outdated_percentage = (outdated_components / total_components) * 100
if outdated_percentage < 10:
scores['component_hygiene'] = 100
elif outdated_percentage < 25:
scores['component_hygiene'] = 75
elif outdated_percentage < 50:
scores['component_hygiene'] = 50
else:
scores['component_hygiene'] = 25
# Vulnerability management assessment
known_vulns = count_known_vulnerabilities(sboms)
vex_coverage = count_vex_documents(supplier, known_vulns)
vex_percentage = (vex_coverage / known_vulns) * 100 if known_vulns > 0 else 100
scores['vulnerability_mgmt'] = vex_percentage
# License compliance assessment
prohibited_licenses = count_prohibited_licenses(sboms)
if prohibited_licenses == 0:
scores['license_compliance'] = 100
else:
scores['license_compliance'] = max(0, 100 - (prohibited_licenses * 10))
# Transparency assessment
sbom_quality_scores = [assess_sbom_quality(sbom) for sbom in sboms]
scores['transparency'] = sum(sbom_quality_scores) / len(sbom_quality_scores)
# Responsiveness assessment
avg_vex_latency = calculate_avg_vex_publication_time(supplier)
if avg_vex_latency < 48: # hours
scores['responsiveness'] = 100
elif avg_vex_latency < 168: # 1 week
scores['responsiveness'] = 75
else:
scores['responsiveness'] = 50
# Calculate composite supplier risk score
weights = {
'component_hygiene': 0.25,
'vulnerability_mgmt': 0.30,
'license_compliance': 0.20,
'transparency': 0.15,
'responsiveness': 0.10
}
composite_score = sum(scores[k] * weights[k] for k in scores)
return {
'scores': scores,
'composite': composite_score,
'rating': categorize_supplier_rating(composite_score)
}Supplier assessments inform procurement decisions, contract renewals, vendor escalations, and alternative evaluation. Supplier consistently scoring below 60 (marginal) warrants discussion about improvement expectations or replacement consideration.
License Compliance Assessment
SBOM license data enables systematic compliance verification and risk identification.
Compliance workflow:
def assess_license_compliance(product_sbom, policy):
"""Evaluate product license compliance against policy"""
findings = {
'violations': [],
'requires_review': [],
'compliant': [],
'missing_license_info': []
}
for component in product_sbom['components']:
licenses = component.get('licenses', [])
if not licenses:
findings['missing_license_info'].append({
'component': component['name'],
'action': 'Request license clarification from supplier'
})
continue
for license in licenses:
license_id = license.get('license', {}).get('id', 'UNKNOWN')
if license_id in policy['prohibited']:
findings['violations'].append({
'component': component['name'],
'license': license_id,
'severity': 'HIGH',
'action': 'Remove component or obtain exception',
'policy_reference': policy['prohibited_reason'][license_id]
})
elif license_id in policy['requires_review']:
findings['requires_review'].append({
'component': component['name'],
'license': license_id,
'action': 'Legal team review required',
'considerations': policy['review_considerations'][license_id]
})
else:
findings['compliant'].append({
'component': component['name'],
'license': license_id
})
return findingsLicense assessment output drives remediation actions: component replacement for violations, legal review for ambiguous cases, documentation of compliant usage patterns.
Component Health Assessment
Beyond immediate vulnerabilities, assess long-term component sustainability and obsolescence risk.
Health indicators:
def assess_component_health(component):
"""Evaluate component long-term viability"""
health_score = 100
concerns = []
# Check end-of-life status
eol_date = lookup_eol_date(component)
if eol_date:
days_until_eol = (eol_date - datetime.now()).days
if days_until_eol < 0:
health_score -= 50
concerns.append(f"Component is {abs(days_until_eol)} days past EOL")
elif days_until_eol < 90:
health_score -= 30
concerns.append(f"Component reaches EOL in {days_until_eol} days")
elif days_until_eol < 180:
health_score -= 15
concerns.append(f"Component EOL approaching in {days_until_eol} days")
# Check maintenance activity
repo_activity = get_repository_activity(component)
if repo_activity:
if repo_activity['last_commit_days'] > 365:
health_score -= 25
concerns.append(f"No commits in {repo_activity['last_commit_days']} days")
elif repo_activity['last_release_days'] > 730:
health_score -= 15
concerns.append(f"No releases in {repo_activity['last_release_days']} days")
if repo_activity['open_issues'] > 100 and repo_activity['issue_close_rate'] < 0.2:
health_score -= 10
concerns.append("High unresolved issue count with low resolution rate")
# Check version currency
latest_version = get_latest_stable_version(component)
if latest_version:
version_gap = calculate_version_gap(component['version'], latest_version)
if version_gap['major'] > 2:
health_score -= 20
concerns.append(f"Running version {version_gap['major']} major releases behind")
elif version_gap['minor'] > 10:
health_score -= 10
concerns.append(f"Running version {version_gap['minor']} minor releases behind")
return {
'score': max(0, health_score),
'rating': categorize_health(health_score),
'concerns': concerns,
'recommendation': generate_health_recommendation(health_score, concerns)
}Health assessment identifies components requiring proactive replacement before they become liabilities. Component scoring under 50 (poor health) should be scheduled for migration even if no immediate vulnerability exists.
Action Frameworks
Assessment identifies problems. Action frameworks define responses.
Vulnerability Remediation Actions
Immediate remediation (Critical/High priority):
- Emergency change request
- Deploy patch or workaround within 24-72 hours
- Coordinate with application teams for expedited deployment
- Verify remediation completion through SBOM re-analysis
- Document incident timeline and response metrics
Scheduled remediation (Medium priority):
- Include in next scheduled maintenance window
- Standard change request process
- Deploy within 30-day SLA
- Batch multiple medium-priority fixes for efficiency
- Monitor for changes in risk profile while scheduled
Backlog remediation (Low priority):
- Add to product backlog for next release cycle
- No emergency handling required
- Deploy within 90-day target
- Acceptable to defer if higher priorities emerge
- Periodic review ensures not forgotten
Accept risk (Rare exception):
- Document explicit risk acceptance
- Require approvals (CISO, product owner)
- Define compensating controls
- Set time limit and review date
- Document justification (VEX not_affected, exploitation impractical, etc.)
Supplier Management Actions
Excellent suppliers (score 80+):
- Maintain relationship
- Provide positive feedback
- Consider for expanded role in portfolio
- Use as reference for other suppliers
Good suppliers (score 60-79):
- Continue relationship
- Identify specific improvement areas
- Provide constructive feedback
- Set improvement expectations at next review
Marginal suppliers (score 40-59):
- Escalate concerns to supplier management
- Develop improvement plan with milestones
- Increase oversight and monitoring
- Begin evaluating alternatives
- Consider probationary period with clear expectations
Poor suppliers (score under 40):
- Immediate escalation to executive level
- Formal remediation requirements
- Active alternative vendor search
- Plan transition timeline
- Do not expand relationship or new purchases
License Remediation Actions
Violations:
- Immediate stop-use of violating component
- Identify replacement component with acceptable license
- Implement replacement in next emergency patch
- Verify removal through SBOM re-analysis
- Document in compliance audit trail
Requires review:
- Submit to legal team with context
- Provide technical details (usage patterns, linking method, distribution model)
- Await legal determination
- Implement legal team recommendations
- Document approved usage or remediation
Missing license information:
- Contact supplier requesting license clarification
- Research component repository for license files
- If license remains unclear, treat as high-risk and plan replacement
- Document investigation efforts
- Escalate persistent ambiguity to legal team
End-of-Life Migration Actions
Approaching EOL (6-12 months):
- Research migration options (upgrade path vs. alternative component)
- Estimate migration effort and business impact
- Schedule planning for next quarter
- Allocate resources in upcoming budgets
- Communicate timeline to stakeholders
Imminent EOL (0-6 months):
- Prioritize migration in current quarter
- Begin implementation in development/staging
- Test compatibility and performance
- Prepare production migration plan
- Coordinate deployment window
Past EOL:
- Emergency priority for migration
- Accept technical debt of parallel implementation if needed
- Deploy first available working replacement
- Continuous monitoring for vulnerabilities (no patches coming)
- Document incident and process improvements
Integration with Operational Systems
Assessment and action shouldn't exist in isolation. Integrate with operational workflows.
Ticketing system integration:
def create_remediation_tickets(assessment_results):
"""Automatically create tickets from assessment findings"""
for finding in assessment_results['high_priority']:
ticket = {
'project': 'SECURITY',
'type': 'Vulnerability',
'summary': f"{finding['cve']} in {finding['product']}",
'priority': map_to_jira_priority(finding['priority']),
'description': format_vulnerability_description(finding),
'assignee': lookup_product_owner(finding['product']),
'labels': ['sbom-finding', 'vulnerability', finding['priority'].lower()],
'due_date': calculate_due_date(finding['sla_hours']),
'custom_fields': {
'sbom_reference': finding['sbom_url'],
'cve_id': finding['cve'],
'affected_component': finding['component']
}
}
jira.create_issue(ticket)Dashboarding and reporting:
def generate_executive_dashboard():
"""Create executive summary of SBOM-derived risks"""
return {
'vulnerability_summary': {
'critical': count_by_priority('CRITICAL'),
'high': count_by_priority('HIGH'),
'medium': count_by_priority('MEDIUM'),
'low': count_by_priority('LOW')
},
'supplier_risk': {
'excellent': count_suppliers_by_rating('excellent'),
'good': count_suppliers_by_rating('good'),
'marginal': count_suppliers_by_rating('marginal'),
'poor': count_suppliers_by_rating('poor'),
'highest_risk_suppliers': get_top_risk_suppliers(5)
},
'compliance': {
'license_violations': count_license_violations(),
'missing_sboms': count_products_without_sbom(),
'eol_components': count_eol_components()
},
'trends': {
'vulnerability_resolution_time': calculate_avg_resolution_time(),
'sbom_coverage': calculate_sbom_coverage_percentage(),
'supplier_quality_trend': calculate_supplier_quality_trend()
}
}Incident response integration:
def assess_incident_impact(incident_cve):
"""Rapid SBOM-based incident impact assessment"""
# Query SBOM repository
affected_products = query_products_with_component(
cve=incident_cve,
deployment_status='production'
)
# Categorize by exposure
impact = {
'internet_facing': [],
'internal': [],
'development_only': []
}
for product in affected_products:
deployment = get_deployment_details(product)
if deployment['internet_facing']:
impact['internet_facing'].append(product)
elif deployment['environment'] == 'production':
impact['internal'].append(product)
else:
impact['development_only'].append(product)
# Generate response plan
return {
'affected_products': affected_products,
'impact_categorization': impact,
'recommended_actions': generate_response_actions(impact),
'estimated_remediation_time': estimate_patching_timeline(affected_products)
}Measuring Assessment and Action Effectiveness
Track metrics demonstrating program impact.
Decision quality metrics:
False positive rate: Vulnerabilities assessed as high priority but investigation reveals not actually exploitable. Target: under 10%. High rate suggests assessment framework needs refinement.
False negative rate: Vulnerabilities assessed as low priority but subsequently exploited or cause incidents. Target: under 5%. High rate indicates assessment misses important risk factors.
Remediation efficiency: Percentage of remediations completed within SLA. Target: 90%+. Low achievement suggests unrealistic SLAs or resource constraints.
Time to action: Days from assessment to remediation completion. Target varies by priority (Critical: under 3 days, High: under 7 days, Medium: under 30 days).
Risk reduction: Decrease in vulnerability counts and risk scores over time. Should trend downward as program matures and backlogs are addressed.
Common Assessment Pitfalls
Pitfall: Analysis paralysis Endless assessment without action. Perfect risk calculations while vulnerabilities remain unpatched.
Prevention: Set time limits on assessment. "Decision required within 4 hours for critical, 24 hours for high." Imperfect action beats perfect inaction.
Pitfall: Ignoring business context Purely technical risk scoring without business impact consideration. Treat all products equally when some are revenue-critical and others are internal tools.
Prevention: Incorporate business criticality into risk algorithms. Critical customer-facing systems get priority over internal administrative tools.
Pitfall: No feedback loop Assessments drive actions but outcomes don't inform future assessments. Learning doesn't occur.
Prevention: Post-incident reviews. When assessment proves wrong (false positive/negative), analyze why and refine framework.
Pitfall: Siloed assessment Security team assesses vulnerabilities in isolation. No integration with product teams, procurement, legal.
Prevention: Cross-functional assessment workflows. Security provides technical analysis, business provides context, legal weighs compliance, combined input drives decisions.
Next Steps
- Build assessment foundation through Integrate with Tools
- Establish monitoring for Monitor for Updates
- Apply learnings from Use Cases - Vulnerability Management
- Measure effectiveness via Reference - Metrics and KPIs