Unlocking Business Workflow Security: Introducing Workflow Bill of Materials (WBOM)

An artistic collaboration between Human Cognition and Artificial Intelligence | By Sean & TAPE3


Explore the cutting-edge concepts of Software Bill of Materials (SBOM) and the newly coined Workflow Bill of Materials (WBOM) in our latest newsletter article, where we unravel how these strategies can revolutionize operational transparency and business security.



In the realm of cybersecurity and business operations, two acronyms matter here. One, SBOM (Software Bill of Materials), is a well-known term in the tech world and has been gaining significant traction. The other, WBOM™ (Workflow Bill of Materials™), is new on the scene: a concept Sean Martin coined on a podcast episode that extends the software-focused SBOM to cover the business logic embodied in entire business workflows. This article explores the definitions, challenges, and solutions associated with SBOM and the newly introduced WBOM, both in the context of modern business practices.

Unpacking the Essentials: SBOM Explained

The Software Bill of Materials (SBOM) is a detailed, machine-readable inventory of every component that goes into a piece of software, including the third-party and open-source libraries it depends on. For each component it records the supplier, the component name and version, a unique identifier (such as a package URL), and the dependency relationships between components. That is the data people and systems need to know what a package contains and to validate its integrity, for example by comparing the hashes recorded in the SBOM against the artifacts actually shipped. This is akin to the list of ingredients on food packaging or a list of suppliers at a restaurant: it describes what's inside, providing transparency and insight into the software's composition.

Introducing a Novel Concept: WBOM Defined

On the other hand, the Workflow Bill of Materials (WBOM) is the broader concept Sean coined. It extends the SBOM idea to include every system and service that is pieced together to create a complete business workflow. A WBOM maps out the entire operational process, documenting every technology, service, data flow, and piece of logic involved in business operations, and who operates each part. It's like having a blueprint of an entire manufacturing process that details each machine, tool, and operator involved.

Tackling Invisibility: The Challenges Ahead

The primary challenge that SBOM addresses is the lack of transparency in software components, which can lead to significant security vulnerabilities. In today's software development landscape, applications are often built using a mix of custom code and third-party components, including open-source libraries. While this practice accelerates development and time to market, it also introduces a myriad of unknowns. Without a clear understanding of these components, it's nearly impossible to identify and mitigate potential security risks. This lack of visibility becomes a major concern, especially when vulnerabilities in widely used components are discovered.

WBOM tackles a broader challenge. Modern business processes are increasingly complex, often involving a myriad of interconnected systems and services. This complexity can create security blind spots, where vulnerabilities remain hidden within the intricate web of operations. Without a comprehensive understanding of how different parts of a business process interact, companies can be exposed to risks that are difficult to anticipate or detect. The challenge lies in gaining visibility into these operational workflows to identify and secure potential weak points.

Charting the Path to End-to-End Security: Implementing SBOM and WBOM

Addressing these challenges starts with the implementation of SBOM. By maintaining an SBOM, organizations gain a clear view of the software components they use. This transparency allows them to quickly respond to security alerts, patch vulnerabilities in components they rely on, and make informed decisions about the security of their software supply chain. It's a proactive measure that can significantly enhance an organization's cybersecurity posture. For instance, when a vulnerability in a common open-source library is disclosed, companies with a well-maintained SBOM can swiftly identify if they are affected and take necessary action by patching the application or implementing other mitigating controls.
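The check described above, matching a disclosed advisory against the components an SBOM lists, is easy to automate once components carry a package URL. The script below is an added example for this newsletter, not code from the article or from any SBOM tooling. The CycloneDX document and the advisory feed are constructed inline so it runs offline; the package names and advisory identifiers are placeholders, not real packages or CVE records, and the version parser only handles plain dotted numeric versions.

```python
"""Match a CycloneDX SBOM against vulnerability advisories by package URL.

Added example for this newsletter, not code from the article, CycloneDX
or any vendor. The SBOM and the advisory list are constructed inline so
the script runs offline; package names and advisory ids are placeholders.
"""
import json

# Constructed CycloneDX 1.5 JSON document describing a hypothetical service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "orders-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "json-util", "group": "com.example", "version": "2.14.1",
     "purl": "pkg:maven/com.example/json-util@2.14.1"},
    {"type": "library", "name": "xml-binder", "group": "com.example", "version": "2.13.0",
     "purl": "pkg:maven/com.example/xml-binder@2.13.0"},
    {"type": "library", "name": "yaml-loader", "version": "1.4.2",
     "purl": "pkg:npm/@example/yaml-loader@1.4.2"},
    {"type": "library", "name": "example-http-client", "version": "2.31.0",
     "purl": "pkg:pypi/example-http-client@2.31.0"}
  ]
}
"""

# Constructed advisory feed. Each entry names the package (purl without the
# version) and the affected range, half-open: introduced <= version < fixed.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/com.example/json-util",
     "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:maven/com.example/xml-binder",
     "introduced": "2.0.0", "fixed": "2.13.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:npm/@example/yaml-loader",
     "introduced": "1.2.0", "fixed": "1.5.0"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so that 2.10.0 sorts after 2.9.9.

    Plain string comparison gets this wrong ('2.10.0' < '2.9.9'). Only dotted
    numeric versions are handled here; a production matcher needs an
    ecosystem-aware parser (semver, PEP 440, Maven ordering).
    """
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split a purl into (package, version), dropping qualifiers and subpath.

    rpartition on '@' keeps npm scopes such as '@example/yaml-loader' intact.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    package, _, version = base.rpartition("@")
    if not package:
        raise ValueError(f"purl has no version: {purl}")
    return package, version


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release is safe)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_affected(sbom_json, advisories):
    """Return one hit per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl there is no reliable key to match on
        package, version = split_purl(purl)
        for adv in by_package.get(package, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append({"name": comp["name"], "purl": purl,
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['purl']}: {hit['advisory']} (upgrade to >= {hit['fixed']})")
```

On the constructed input only json-util and yaml-loader are flagged: xml-binder sits exactly on its advisory's fixed version, which the half-open range correctly treats as patched. A component the SBOM does not list (a transitive dependency the generator missed) can never be matched, which is why SBOM depth matters as much as having one at all.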

However, SBOMs are just one piece of the puzzle. The introduction of WBOM adds another layer of visibility by expanding the inventory to entire business processes. With a WBOM, organizations can map out their operations and identify how different technologies and services interact. This comprehensive view allows companies to spot weaknesses not just in their software but in the connections between systems as well. It enables a holistic approach to security, where risks can be assessed and mitigated at every level of operation, protecting actions and transactions from business logic attacks and compromise.

For example, a WBOM could reveal that certain data is being transmitted between two systems without adequate authentication or encryption. A traditional security assessment that examines each system in isolation can miss this, because the weakness lies in the connection rather than in either endpoint. By identifying these gaps, businesses can implement targeted security measures, such as introducing an authentication scheme and transport encryption on that flow, or redesigning parts of the workflow to minimize risk. As with an SBOM, a WBOM only delivers this if it is kept current as systems are added, replaced, or retired.
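The kind of gap described above can be found mechanically once the workflow is written down. The script below is an added example for this newsletter, not code from the article. WBOM has no standard format, so the layout it uses (a list of systems plus directed data flows, each labelled with the data it carries, its transport and its authentication) is an assumption for illustration, and the order-to-cash workflow it describes is constructed rather than a real environment. It flags cleartext transport of sensitive data, unauthenticated flows, and flows that touch a system missing from the inventory, and it computes which systems sit downstream of a given one, which is the question an incident responder asks when scoping a compromise.

```python
"""Check a Workflow Bill of Materials for weak or undocumented data flows.

Added example for this newsletter, not code from the article. The WBOM
layout below is an assumed ad-hoc format (there is no standard one), and
the order-to-cash workflow it describes is constructed for illustration.
"""
from collections import deque

WBOM = {
    "workflow": "order-to-cash",
    "systems": [
        {"id": "storefront", "owner": "web-team"},
        {"id": "orders-api", "owner": "platform"},
        {"id": "payments-gateway", "owner": "vendor:example-pay"},
        {"id": "warehouse-erp", "owner": "ops"},
        {"id": "carrier-api", "owner": "vendor:example-ship"},
    ],
    # Each flow: the data classes it carries, the transport, and how the
    # receiving side authenticates the sender.
    "flows": [
        {"from": "storefront", "to": "orders-api",
         "data": ["pii", "payment"], "transport": "https", "auth": "oauth2"},
        {"from": "orders-api", "to": "payments-gateway",
         "data": ["payment"], "transport": "https", "auth": "mtls"},
        {"from": "orders-api", "to": "warehouse-erp",
         "data": ["pii"], "transport": "http", "auth": "none"},
        {"from": "warehouse-erp", "to": "carrier-api",
         "data": ["pii"], "transport": "https", "auth": "api-key"},
        # Nobody added this system to the inventory, but data flows to it.
        {"from": "warehouse-erp", "to": "legacy-fax-bridge",
         "data": ["pii"], "transport": "https", "auth": "basic"},
    ],
}

SENSITIVE = {"pii", "payment"}
ENCRYPTED_TRANSPORTS = {"https", "mtls", "sftp", "tls"}


def find_weak_flows(wbom):
    """Return (from, to, issue) tuples for every flow that breaks a rule."""
    known = {s["id"] for s in wbom["systems"]}
    findings = []
    for flow in wbom["flows"]:
        src, dst = flow["from"], flow["to"]
        # Rule 1: every endpoint must be in the inventory, otherwise the
        # WBOM has a blind spot no other control will see.
        for endpoint in (src, dst):
            if endpoint not in known:
                findings.append((src, dst, f"undocumented system: {endpoint}"))
        # Rule 2: sensitive data must not travel over a cleartext transport.
        sensitive = SENSITIVE & set(flow["data"])
        if sensitive and flow["transport"] not in ENCRYPTED_TRANSPORTS:
            findings.append((src, dst, "cleartext transport for " + ",".join(sorted(sensitive))))
        # Rule 3: the receiver must authenticate the sender.
        if flow["auth"] == "none":
            findings.append((src, dst, "unauthenticated flow"))
    return findings


def reachable_from(wbom, system_id):
    """Systems downstream of system_id along data flows.

    This is the set a compromise of system_id could reach, which is the
    first question when scoping an incident.
    """
    edges = {}
    for flow in wbom["flows"]:
        edges.setdefault(flow["from"], []).append(flow["to"])
    seen, queue = set(), deque([system_id])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for src, dst, issue in find_weak_flows(WBOM):
        print(f"{src} -> {dst}: {issue}")
    print("downstream of warehouse-erp:", sorted(reachable_from(WBOM, "warehouse-erp")))
```

On the constructed workflow the orders-api to warehouse-erp hop is reported twice (cleartext and unauthenticated), and the fax bridge shows up as an undocumented system. Each endpoint passes its own review; only the map of flows between them exposes the problems.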

Implementing SBOM and WBOM also helps in regulatory compliance and risk management. As governments and regulatory bodies increasingly focus on cybersecurity, having detailed documentation of software components and business workflows can demonstrate compliance with security standards. Moreover, in the event of a security incident, having an SBOM and WBOM can expedite the response process, enabling quicker identification of the breach's source and scope.

The adoption of SBOM and WBOM is not an isolated strategy but an integral part of a broader cybersecurity framework. This is where frameworks like the Cybersecurity Maturity Model Certification (CMMC) play a role. CMMC, the U.S. Department of Defense's program for assessing cybersecurity across the defense industrial base, is built on the NIST SP 800-171 safeguards, which require contractors to maintain inventories of their systems (including the software and firmware in them) and to define and protect their system boundaries. That insistence on knowing what you run and how it connects is the same philosophy that motivates SBOM and, extended to business operations, WBOM.

By incorporating CMMC into their broader information security strategy, businesses can align their cybersecurity practices with a recognized standard and build a robust, well-rounded security posture. CMMC's graduated levels of cybersecurity maturity dovetail with the insights an SBOM provides, enabling businesses not only to react to threats but to manage their cybersecurity risks proactively. The same model, while not built specifically for it, might apply to the WBOM case as well. This is where I'd like some input from the community. Please share your thoughts with Sean and me when you have a moment.

Beyond Compliance: The Strategic Imperative of SBOM and WBOM

SBOM and WBOM represent critical tools in the arsenal of modern businesses aiming to fortify their cybersecurity posture. While SBOM provides much-needed transparency in software components, WBOM broadens this scope to encompass entire business workflows. Together, they address the dual challenges of software and operational security, offering comprehensive solutions that enable businesses to stay ahead of potential risks. In an era where digital threats are increasingly sophisticated and pervasive, embracing SBOM and WBOM is not just a best practice; it's a necessity for businesses seeking to navigate the complex cybersecurity landscape confidently.

If this topic is of interest to you, please listen to the episodes "The Importance of Software Bill-of-Materials (SBOMs) | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with Allan Friedman and Sean Martin" and "Beyond Traditional Software Security: Let's Explore the Concept of a Workflow Bill of Materials (WBOM) | A Conversation with Francesco Cipollone | Redefining CyberSecurity Podcast with Sean Martin".


What's your perspective on this story? Want to share it with Sean on a podcast? Let him know!


This article represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.

Sincerely, Sean Martin and TAPE3

Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" Newsletter.

Want to comment on this topic? You can connect with Sean and the community in this LinkedIn post: https://www.linkedin.com/pulse/unlocking-business-workflow-security-introducing-bill-sean-martin-i8d1e


Sean Martin is the host of the Redefining CyberSecurity Podcast, part of the ITSPmagazine Podcast Network—which he co-founded with his good friend Marco Ciappelli—where you may just find some of these topics being discussed.

Or, visit Sean’s personal website.