We could blame Hammurabi for software supply chain hacking, but that would be unfair. The problem started long before his time. The die was cast when melting glaciers flooded the Arabian Sea.
Accounting for employees' beer, 3000 BCE (image courtesy British Museum)
Since then the best minds have worked diligently on ways and means of tracking the logistics behind the goods and services needed to run cities and nations. These standards and practices have been recorded in cuneiform, cursive, COBOL, and C++, on clay and parchment, punch cards and cloud. The history of best efforts and common denominators, revisions and revolutions, litters the ground of Mesopotamia and fills the shelves of Harvard.
Still, let's blame poor old Hammurabi.
The time of Hammurabi was not the beginning of the codification of trade; the era itself was an emergent property of long-growing dynamics. Codifying human interaction proved worthwhile at that time and in that place: the added effort resulted in more wealth and more productivity. No doubt the Mesopotamian business world was full of second-guessing about these newfangled rules, and hastily inscribed clay certainly flew. How could goatherds survive if they had to tell their customers where they grazed, for Om's sake?
It is simple today to say who was right, but the debates of that day would be very familiar to anyone involved with software supply chain changes now. How much productivity does this new accounting cost me? How do I protect my trade secrets? What keeps those running the system from misusing it? What language do we use, and what information does the vendor need to press into clay?
That we stand today on a world built on a geological footing of clay tablets, laid down by billions of hands over 500 generations, gives some hope to the small supply chain tweaks underway now. Software Bills of Materials (SBOMs), the Vulnerability Exploitability eXchange (VEX), and other "new" means and methods are informed by 10,000 years of practice. An SBOM carved into a clay tablet would not be unfamiliar to a merchant of Hammurabi's time.
Nobody was certain that Hammurabi was correct. There was no way to know in advance whether those new rules were a drag on wealth or an opportunity to create more. Just as today it remains to be seen whether software supply chain security brings only more cost or also opens doors to new business.
We shortened our vulnerability review timeframe from a day to under an hour. It is our go-to tool and we now know where to focus our limited security resources next.
SBOM Studio saves us approximately 500 hours per project on vulnerability analysis and prioritization for open-source projects.