The need for software transparency

Software transparency provides development teams with a solid understanding of the components within their products. 

As of the time of writing, there are efforts to improve software transparency, such as the Software Bill of Materials (SBOM) initiative led by the National Telecommunications and Information Administration (NTIA). An argument can be made that having an SBOM for an IoT product is a natural side-effect of having good development processes in place.

Transparency also provides a valuable tool within the software supply chain. Providing users with an understanding of the third-party libraries used within a product can provide those users with important security knowledge.

For example, the OpenSSL Heartbleed vulnerability discovered in 2014 resulted in a worldwide, catastrophic security hole exposing the majority of the internet's web servers (read more at https://en.wikipedia.org/wiki/Heartbleed). Many companies did not even know about their exposure to this vulnerability, because they did not adequately track and follow the software supply chain into the end systems on which they depend.

The role of IoT security engineering organizations, therefore, needs to include tracking of open source and other security library vulnerability information, and ensuring the vulnerabilities are mapped to the specific devices and systems deployed in their organizations. Software transparency can enable this.
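The mapping the preceding paragraph describes (advisory data joined against what each deployed device actually ships) is the concrete job an SBOM makes possible. The following is an added example, not code from the original text or from the NTIA SBOM effort. It parses two constructed CycloneDX-style SBOM documents for hypothetical devices, compares component versions against a constructed advisory feed, and reports which devices carry an affected version. The device names, advisory identifiers (`ADV-EXAMPLE-...`) and version ranges are all assumptions made up for the example; the Heartbleed exposure discussed above is the kind of question this answers, but no real CVE data is embedded.

```python
import json
import re

# Constructed CycloneDX-style SBOMs for two hypothetical IoT device firmware images.
# These are not real products; the component versions are chosen for the example.
DEVICE_SBOMS = {
    "gateway-fw-2.3": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": "openssl", "version": "1.0.1e", "purl": "pkg:generic/openssl@1.0.1e"},
            {"name": "zlib", "version": "1.2.8", "purl": "pkg:generic/zlib@1.2.8"},
        ],
    }),
    "sensor-fw-1.0": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"name": "openssl", "version": "1.0.1g", "purl": "pkg:generic/openssl@1.0.1g"},
            {"name": "zlib", "version": "1.2.5", "purl": "pkg:generic/zlib@1.2.5"},
        ],
    }),
}

# Constructed advisory feed. Identifiers and affected ranges are placeholders,
# not real advisories; ranges are inclusive on both ends.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl",
     "affected_min": "1.0.1", "affected_max": "1.0.1f"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib",
     "affected_min": "1.2.0", "affected_max": "1.2.7"},
]


def version_key(version):
    """Turn a version like '1.0.1f' into a comparable tuple, e.g. (1, 0, 1, 6).

    A trailing letter (OpenSSL's 1.0.1a ... 1.0.1f scheme) becomes a final
    numeric element; a version with no letter gets 0 there, so '1.0.1' < '1.0.1a'.
    """
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    letter = ord(match.group(2)) - ord("a") + 1 if match.group(2) else 0
    return numbers + (letter,)


def components_of(sbom_json):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def is_affected(version, advisory):
    """True if `version` falls inside the advisory's inclusive affected range."""
    key = version_key(version)
    return version_key(advisory["affected_min"]) <= key <= version_key(advisory["affected_max"])


def map_advisories_to_devices(sboms, advisories):
    """Return {advisory_id: sorted device ids} for every device shipping an affected component."""
    exposure = {}
    for device_id, sbom_json in sboms.items():
        for name, version in components_of(sbom_json):
            for advisory in advisories:
                if advisory["component"] == name and is_affected(version, advisory):
                    exposure.setdefault(advisory["id"], []).append(device_id)
    return {adv_id: sorted(devices) for adv_id, devices in exposure.items()}


if __name__ == "__main__":
    for adv_id, devices in map_advisories_to_devices(DEVICE_SBOMS, ADVISORIES).items():
        print(f"{adv_id}: affected devices -> {', '.join(devices)}")
```

The key design point is that the device-side data comes from the SBOM rather than from a spreadsheet maintained by hand: when a new advisory arrives, only the `ADVISORIES` input changes and the same join immediately tells you which firmware images need a rebuild. Real deployments would pull advisories from a vulnerability database and match on package URLs rather than bare names, but the join itself is the same.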