Reducing SBOM Complexity with Open-Source Low-Code

Introduction

As enterprises continue their digital transformation journeys, the complexity of managing software supply chains has increased dramatically. Software Bills of Materials (SBOMs) have become critical tools for transparency and security, but their management presents significant challenges. This report explores how open-source low-code platforms and AI application generators can potentially simplify SBOM management while maintaining robust security practices.

Understanding Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a comprehensive inventory that details all software components used in an application, including source code, libraries, packages, and modules, along with their corresponding version numbers, licenses, and other relevant metadata. The purpose of an SBOM is to ensure transparency and traceability within the software supply chain, allowing organizations to identify and address potential security vulnerabilities and compliance risks.

Modern applications are complex assemblies of third-party software and proprietary code, with as much as 80% of code coming from third-party sources. This complexity makes SBOMs essential for maintaining visibility into the development environment, especially as software supply chains become an expanding attack surface.

SBOMs have gained significant importance following high-profile supply chain attacks like SolarWinds, prompting the US government to mandate their use as an industry-standard solution. Organizations that effectively implement SBOM practices can better manage vulnerabilities, improve compliance, and strengthen their overall supply chain security posture.

Regulatory Requirements and Importance

As of 2025, SBOM generation has become a core development step that teams must complete to build and ship software safely. Regulations across multiple sectors and geographies increasingly require detailed software inventories or SBOMs. These regulatory requirements reflect growing concerns about software supply chain security and the need for greater transparency in software composition.

Challenges in SBOM Management

Creating an SBOM is only the first step in maintaining software security. Organizations face several challenges in managing SBOMs effectively, particularly for large software portfolios:

Complexity of Modern Software Supply Chains

Modern software development involves numerous dependencies, making it difficult to track all components used in applications. As noted by the National Security Agency (NSA), organizations need a comprehensive approach to SBOM management that encompasses integration with other systems, supporting access to data sources, and maintaining a scalable architecture.

Accuracy and Maintenance Challenges

Identifying all software components and keeping track of updates and patches requires a systematic approach. SBOM management involves generating, storing, analyzing, and monitoring SBOM documentation throughout the application lifecycle. An SBOM has little value when “left dormant within the build directory where it was generated”.

Open-Source Low-Code Platforms as a Solution

Low-code platforms offer a potential solution to simplify SBOM management by reducing the amount of custom code that needs to be tracked and secured.

Leading Open-Source Low-Code Platforms

The open-source low-code ecosystem has matured significantly by 2025, offering several robust options:

  1. Appsmith: A platform with 35.2k GitHub stars that enables rapid development of internal applications through drag-and-drop widgets and inline JavaScript customization. It supports integration with diverse databases and APIs and provides 256-bit encryption for security.

  2. Budibase: Considered the best open-source, low-code app builder, Budibase allows businesses to create applications by merging databases, spreadsheets, and APIs, with on-premise hosting options using Docker and Kubernetes.

  3. ToolJet: With 33.7k GitHub stars, ToolJet provides a drag-and-drop interface for building custom internal tools with JavaScript and Python support. It allows developers to reuse React components easily and offers security, scalability, and multi-environment support.

  4. Saltcorn: A fast, free, open-source low-code solution enabling users to create web and mobile applications with a drag-and-drop builder.

  5. Additional Options: Other notable platforms include Frappe, Corteza, ILLA, Noodl, and Lowcoder.

SBOM Benefits of Low-Code Development

Open-source low-code platforms can simplify SBOM management in several ways:

  1. Standardized Components: Low-code platforms typically use standardized libraries and components, reducing the variety of dependencies that need to be tracked.

  2. Transparent Supply Chain: Since these platforms are open-source, their components are more transparent and can be more easily included in an SBOM.

  3. Reduced Custom Code: By enabling rapid development with less custom code, low-code platforms can potentially reduce the overall complexity of an application’s dependency tree.

AI Application Generators and Their Impact on SBOMs

AI-driven code generation offers another approach to simplifying SBOM management while accelerating development.

Automated Project Setup and Dependency Management

AI code generators can automate project setup, configuration management, and dependency installation, potentially creating more standardized and secure applications. They can:

  1. Automate Project Setup: Generate full project scaffolds with pre-configured directory structures for frameworks like React, Next.js, Django, and Express.js.

  2. Manage Configurations: Create configuration files like .gitignore, .env templates, and linting rules automatically.

  3. Handle Dependencies: Install dependencies automatically based on project type, resolve version conflicts, and detect security vulnerabilities in libraries.

Benefits for SBOM Management

AI-driven code generation and optimization offer several benefits for SBOM management:

  1. Pattern Recognition: The ability to automatically identify patterns, dependencies, and best practices in code can significantly improve the quality and efficiency of generated code.

  2. Standardization: AI models can analyze large codebases and learn from existing examples to generate code that adheres to industry standards and best practices, ensuring generated code is of high quality.

  3. Optimization: Machine learning can optimize code for specific hardware architectures or performance constraints, leading to better overall system performance and resource utilization.

  4. Dependency Reduction: AI can potentially help identify and eliminate unnecessary dependencies, reducing the SBOM complexity.

Security Considerations for Citizen Development

While low-code platforms democratize development, they also introduce potential security risks that must be addressed to maintain SBOM integrity.

Risks of Citizen Development

The rise of “citizen developers” – business users creating applications without traditional programming skills – introduces several privacy and security risks:

  1. Compliance Issues: Citizen developers may not be aware of regulations like GDPR, HIPAA, and CCPA that require protection of personal data.

  2. Data Leakage: Non-technical developers may inadvertently expose sensitive data through misconfigured access controls or by sharing data with unauthorized users.

  3. Security Vulnerabilities: Citizen-developed applications may lack proper security measures, making them susceptible to common vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery.

  4. Third-Party Component Risks: Low-code platforms often rely on third-party components whose lineage and security posture are unclear, emphasizing the need for a robust SBOM to understand dependencies.

Mitigation Strategies

Organizations can address these risks while still benefiting from low-code development:

  1. Training and Awareness: Require training programs to educate citizen developers about privacy and security best practices.

  2. Secure By Design: Involve security professionals to provide guidance and design security into low-code applications from the start.

  3. Access Controls: Implement robust access controls and permissions commensurate with data sensitivity and regularly review them.

  4. Integration with IAM: Integrate low-code platforms with Identity and Access Management systems, such as implementing Single Sign-On with Active Directory.

  5. Centralized Governance: Establish a governance framework to centralize control over citizen-developed applications, including approval processes, version control, and compliance checks.

SBOM Management Best Practices in Low-Code Environments

Implementing effective SBOM management in low-code environments requires a structured approach:

1. Generate SBOMs for All Applications

Organizations should generate an SBOM for every application during the build process. This creates an audit trail that helps identify which components are in specific versions of applications, useful when new vulnerabilities are discovered in older components.

Automating the SBOM creation process ensures every build has a corresponding SBOM for compliance purposes. This is particularly important for low-code applications, where the underlying components may change with platform updates.

2. Properly Store and Manage SBOMs

SBOMs should be stored in a centralized repository like Sonatype SBOM Manager, rather than leaving them in build directories. This provides centralized storage for both internally developed and third-party applications.

Organizations should be cautious about sharing SBOMs publicly, as application composition can contain sensitive information. SBOMs can be run through Software Composition Analysis tools to create a list of vulnerabilities in applications.

3. Integrate with Security and Compliance Tools

By analyzing SBOM data across the organization, teams can identify trends such as repeated use of outdated or end-of-life components. This analysis can drive a smarter Software Composition Analysis (SCA) strategy.

While SCA tools are optimized for active development environments and run against build-time artifacts, SBOMs take software transparency further by allowing organizations to track the evolving security posture of software long after release into production.

4. Address the Full Component Scope

When creating SBOMs for low-code applications, organizations should consider multiple layers of components:

  1. Language-level dependencies

  2. Dependencies of language dependencies

  3. System dependencies

  4. The operating system

  5. External cloud services

  6. Compilers

The FDA guidance suggests including “upstream software dependencies that are required/depended upon by proprietary, purchased/licensed, and open-source software,” which typically means the first four categories.

5. Automate SBOM Generation

Several tools are available to automate SBOM generation, which is especially useful for low-code environments:

  1. Commercial options: FOSSA is a commercial tool whose free tier is often sufficient for first submissions and includes vulnerability monitoring.

  2. Platform-specific tools: GitHub supports generating SBOMs automatically, and Amazon Inspector can produce SBOMs from EC2 instances and Lambda functions.

  3. Container-specific tools: Syft or Docker Scout can generate SBOMs from container images or filesystems.

  4. Integration tools: The Zenity SBOM solution seamlessly integrates with all Low-Code/No-Code development platforms, performing automatic scans of applications and generating comprehensive inventories of all components.
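As an added example (not code from the original report or from any of the tools it names), the following Python consumes CycloneDX JSON documents of the kind generators such as Syft emit, stores them in a central index keyed by application and version (practices 1 and 2), answers which shipped builds contain a component once a new advisory appears, counts repeated use of end-of-life components across the portfolio (practice 3), and classifies each component into the scope layers of practice 4 (direct, transitive, platform, operating system, external service). The application names, versions and end-of-life list are constructed sample data.

```python
import json
from collections import Counter

def make_sbom(app, version, components, depends_on):
    """Minimal CycloneDX 1.5 JSON document; constructed sample data, not real build output."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"bom-ref": "app", "type": "application", "name": app, "version": version}},
        "components": [{"bom-ref": r, "type": t, "name": n, "version": v} for r, t, n, v in components],
        "dependencies": [{"ref": r, "dependsOn": d} for r, d in depends_on.items()]})

# Three constructed builds of hypothetical apps: two versions of orders-api, one of billing-ui.
RAW_SBOMS = [
    make_sbom("orders-api", "1.0.0",
              [("express", "library", "express", "4.17.1"), ("qs", "library", "qs", "6.5.2"),
               ("node", "platform", "node", "16.20.0"), ("deb", "operating-system", "debian", "11"),
               ("s3", "service", "object-storage", "")],
              {"app": ["express", "node"], "express": ["qs"]}),
    make_sbom("orders-api", "1.1.0",
              [("express", "library", "express", "4.19.2"), ("qs", "library", "qs", "6.11.0"),
               ("node", "platform", "node", "16.20.0"), ("deb", "operating-system", "debian", "12")],
              {"app": ["express", "node"], "express": ["qs"]}),
    make_sbom("billing-ui", "2.3.0",
              [("react", "library", "react", "18.2.0"), ("qs", "library", "qs", "6.5.2"),
               ("node", "platform", "node", "16.20.0")],
              {"app": ["react", "qs", "node"]}),
]

def classify_layers(sbom):
    """Map each bom-ref to its scope layer: direct/transitive language dependency, or the
    platform / operating-system / service layer taken from the CycloneDX component type."""
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = set(deps.get(sbom["metadata"]["component"]["bom-ref"], []))
    transitive, stack = set(), list(direct)
    while stack:  # walk the dependency graph below the direct dependencies
        for child in deps.get(stack.pop(), []):
            if child not in direct and child not in transitive:
                transitive.add(child)
                stack.append(child)
    layers = {}
    for c in sbom["components"]:  # a library missing from the graph is flagged, not guessed
        ref, kind = c["bom-ref"], c["type"]
        layers[ref] = (kind if kind in ("operating-system", "service", "platform") else
                       "direct" if ref in direct else "transitive" if ref in transitive else "unreferenced")
    return layers

def build_index(raw_sboms):
    """Central store keyed by (application, version): the audit trail queried when an advisory lands."""
    return {(s["metadata"]["component"]["name"], s["metadata"]["component"]["version"]): s
            for s in map(json.loads, raw_sboms)}

def builds_containing(index, name, version=None):
    """Sorted (app, version, layer) for every build shipping `name` (any version, or exactly `version`)."""
    hits = []
    for (app, ver), sbom in index.items():
        layers = classify_layers(sbom)
        hits += [(app, ver, layers[c["bom-ref"]]) for c in sbom["components"]
                 if c["name"] == name and version in (None, c["version"])]
    return sorted(hits)

def recurring_eol(index, eol):
    """Count across all stored builds the components on the constructed end-of-life list `eol`."""
    return dict(Counter((c["name"], c["version"]) for s in index.values() for c in s["components"]
                        if c["version"] in eol.get(c["name"], ())))
```

The layer returned with each hit tells a responder whether a flagged component is pulled in directly or only through another dependency, which changes who has to ship the fix.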

The Role of AI in SBOM Generation and Management

AI can significantly enhance SBOM generation and management, particularly for low-code applications:

Automated Dependency Analysis

AI systems can analyze application code to automatically identify dependencies and generate comprehensive SBOMs, potentially with greater accuracy than manual methods. This is particularly valuable for low-code platforms, where dependencies may not be as explicit as in traditional development.

Vulnerability Prediction

Beyond simply identifying known vulnerabilities in dependencies, AI can potentially predict which components might be vulnerable in the future based on patterns and characteristics. This predictive capability could help organizations proactively manage risk.

Intelligent Component Selection

AI can recommend safer alternative components when potential security issues are detected, helping developers make more informed choices about the libraries and frameworks they incorporate.

Conclusion

The intersection of open-source low-code platforms, AI application generators, and SBOM management represents a promising approach to addressing the growing complexity of software supply chains in enterprise environments.

Key Takeaways

  1. Strategic Value: SBOMs are no longer optional but essential components of software development, especially as regulatory requirements increase.

  2. Simplification Through Low-Code: Open-source low-code platforms can reduce the complexity of software supply chains by standardizing components and reducing custom code.

  3. AI Augmentation: AI-driven code generation and analysis can further enhance the efficiency and security of application development while potentially simplifying SBOM management.

  4. Balanced Approach: Organizations must balance the benefits of citizen development with proper governance and security measures.

  5. Automation First: Automating SBOM generation and management is critical, especially as software complexity increases.

As enterprises continue their digital transformation journeys, the strategic integration of open-source low-code platforms and AI application generators with robust SBOM practices will be essential for maintaining security, compliance, and transparency in software supply chains.

Organizations that successfully implement these approaches will be better positioned to address emerging threats, meet regulatory requirements, and deliver secure, high-quality software at the speed demanded by modern business.
