VW and Rivian announced a strategic partnership to jointly develop new software-based vehicle platforms for both companies. VW will invest up to $5 billion in Rivian, forming a joint venture focused on developing E/E architecture.

Today though, we’re analyzing this partnership from a product security prism – the economics of scale around software development, compliance, and SBOM management. Let’s dive in!

A Primer on SBOM

A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components used in a product, including open-source and proprietary code. It provides a detailed map of the software supply chain, enabling better management of dependencies, vulnerabilities, and compliance. In automotive, the SBOM needs to cover the entire supply chain, for each brand, model, and trim level, multiplied by the number of markets. The primary building blocks of an SBOM include:

1. Component Name: The exact name of each software component.

2. Version Information: The specific versions of the components used.

3. Supplier Details: Information about the origin or supplier of the software.

4. Dependency Relationships: How different components are interdependent.

5. Licensing Information: Licensing terms associated with each component.

6. Security Vulnerabilities: Known vulnerabilities related to the components.
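To make the six building blocks concrete, here is an added example, not code from the post or from any vendor's product: a small Python script that loads a constructed CycloneDX-style SBOM and walks its dependency relationships to find every component affected, directly or transitively, by a known vulnerability in one library. Component names, suppliers and the CVE id are placeholders invented for this example.

```python
import json

# Constructed sample in the shape of a CycloneDX JSON SBOM (an assumption of this
# example, not data from the post). Names and the CVE id are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [  # name, version, supplier and licence per component
        {"bom-ref": "ivi-app", "name": "ivi-app", "version": "3.2.0",
         "supplier": {"name": "Tier1-A"}, "licenses": [{"license": {"id": "Proprietary"}}]},
        {"bom-ref": "tls-lib", "name": "tls-lib", "version": "1.4.7",
         "supplier": {"name": "OSS"}, "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "ota-agent", "name": "ota-agent", "version": "2.0.1",
         "supplier": {"name": "Tier1-B"}, "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "log-util", "name": "log-util", "version": "0.9.0",
         "supplier": {"name": "OSS"}, "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [  # dependency relationships between components
        {"ref": "ivi-app", "dependsOn": ["tls-lib", "log-util"]},
        {"ref": "ota-agent", "dependsOn": ["tls-lib"]},
    ],
    "vulnerabilities": [  # known vulnerabilities tied to components
        {"id": "CVE-XXXX-0001", "affects": [{"ref": "tls-lib"}]},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON into lookup tables: components, reverse dependency edges, vulns."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom["components"]}
    dependents = {ref: set() for ref in components}  # dependency -> who depends on it
    for d in bom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            dependents.setdefault(dep, set()).add(d["ref"])
    vulns = {v["id"]: [a["ref"] for a in v["affects"]] for v in bom.get("vulnerabilities", [])}
    return components, dependents, vulns


def impacted_by(vuln_id, dependents, vulns):
    """Every component that ships the vulnerable one, directly or transitively (blast radius)."""
    seen, stack = set(), list(vulns[vuln_id])
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(dependents.get(ref, ()))
    return sorted(seen)


def licenses_in_use(components, refs):
    """Distinct licence ids across the given components, e.g. for a compliance review."""
    return sorted({lic["license"]["id"] for r in refs for lic in components[r].get("licenses", [])})
```

Running `impacted_by("CVE-XXXX-0001", ...)` on the sample returns `ivi-app`, `ota-agent` and `tls-lib`, while `log-util` stays out of scope; the same reverse-edge walk is what a patch-coordination process needs to know which ECUs or apps must be rebuilt.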


Five SBOM Insights from the VW and Rivian Partnership

1. Investment and Strategic Partnership

VW’s investment in Rivian signals a strong strategic partnership, likely granting VW some access to Rivian’s software development prowess. Deploying proper SBOM practices helps ensure transparency in the software components being used by both companies, while collaboratively managing updates and security patches.

2. Focus on Electrification and Mobility

The collaboration is aimed at developing next-gen software platforms for electric vehicles and their ecosystem. SBOMs are crucial here because they give visibility into the software running throughout that ecosystem – charging stations, power infrastructure, grid management companies – so that vulnerabilities can be found and patched before they become cyber threats, keeping operations secure and reliable.

3. Shared Platforms and Technology

By sharing platforms and technologies, VW and Rivian can streamline development processes throughout their supply chains. An SBOM allows both companies to have a clear understanding of the software stack and visibility into supply chain security practices, facilitating smoother integration and reducing redundancy.

4. Innovation and Development Efficiency

The partnership aims to leverage combined resources for faster innovation. SBOMs can accelerate this by providing a clear view of reusable components and identifying potential risks early in the development cycle.

5. Regulatory Compliance

Last but not least, as automotive software becomes more complex, compliance with regulations such as UN Regulation No. 155, ISO/SAE 21434, the Chinese GB standards, and others becomes critical. SBOMs play a vital role in demonstrating that all software components meet these regulatory requirements, thereby reducing legal and compliance risk.


SBOMs, much like TARA (Threat Analysis and Risk Assessment), are entry points to a holistic DevSecOps journey. Whether you’re taking your first steps in Product Security or looking for a robust DevOps orchestration platform, we’re here to help.

Our risk-driven, context-based product security platform empowers car makers and suppliers to achieve three key business multipliers:

  1. Risk-driven analytics and automation
  2. Dynamic risk management throughout the product lifecycle
  3. Compliance and regulation automation

Click here to learn more about our SBOM product and schedule an exclusive demo.

Register for our July 9 Expert Panel Discussion on Live Risk with Daimler Truck, ASRG, and Deloitte. Free to attend, but registration is required.