Following an increase in software supply chain attacks, including high-profile strikes against government agencies, President Biden issued Executive Order 14028 on Improving the Nation’s Cybersecurity on May 12, 2021. Calling for rapid change, the Executive Order charges multiple government agencies with enhancing the security and integrity of the software supply chain.
Meeting this challenge requires new approaches to cybersecurity, and one emerging solution is a software bill of material (SBOM) that tracks and shares a software’s provenance, components, and supply chain relationships.
The urgency to standardize SBOMs across the entire software industry is accelerating, bringing sweeping changes to how software producers, and consumers and operators deal with vulnerability disclosures and protect their systems - more so given the likely impending regulatory environment. In fact, some government agencies are already mandating SBOMs for any organizations with which they do business.
In a recent webinar organized by Idaho National Labs, tech giants, Microsoft and Google sat down to discuss the benefits of adopting SBOMs, common SBOM use cases, and the leading tools we’ll all soon need to adapt to the evolving software environment.
To understand how these industry leaders are positioning the issue and their companies for the coming SBOM future - and what this future means for anyone building, selling, or using software - let’s take a look at the 5 key takeaways from their meeting.
Microsoft’s Adrian Diglio (Principal PM Manager for Secure Software Supply Chain) begins by detailing how an SBOM’s benefits depend on whether you are a software producer or consumer.
As a software producer, generating SBOMs affords the following advantages:
• Provides comprehensive dependency inventory. While current software composition analysis tools provide an inventory of dependencies during build, SBOMs can associate a dependency with each deployed version of your software, widening your visibility for a more complete, current baseline inventory.
• Creates greater transparency. Not only does an SBOM give producers the confidence to ship their software to production, but delivering SBOMs to your customers increases transparency into your software build and business, the key to building trust and consumer confidence.
• Enables software integrity validation. If you are using software that is not code-signed, an SBOM can provide software integrity validation scenarios that allow organizations to detect unauthorized changes to their software and firmware components.
• Helps ensure compliance. In a shifting regulatory environment aiming to protect the software supply chain, generating SBOMs helps producers comply with mandatory requirements.
As a software consumer, adopting SBOMs has equally important benefits, including:
• Answering key questions. Managing risk across a range of operational software is never easy, especially when you discover vulnerable dependencies. SBOMs make supply chain dependencies more transparent so consumers can answer two critical questions right away - “Am I affected?” and “What is affected?
• More accurate and timely risk assessment and response. SBOMs can quickly and accurately pinpoint known vulnerabilities in your architecture, so you can begin to look for the right patches right away and shore up defense s before the vulnerability can be exploited.
• Ensuring legal and license compliance. With an SBOM report in hand, not only will consumers have a view into their software vulnerabilities, but it is the basis for developing a security posture that consistently maintains legal and licensing compliance.
Microsoft walks us through their open-source, cross-platform SBOM generator that analyzes software builds and produces a list of dependencies. Here are some of its more notable features:
• A general purpose tool. The Microsoft SBOM generation tool supports the detection of many different types of dependencies, including transient dependencies, and conforms to the minimum elements expected of an SBOM report.
• Mapping compliance. The generation tool maps SBOMs to both the mandatory compliance specifications of the Executive Order, as well as optional ones for more enhanced security.
• A more comprehensive SBOM. For more complex or layered builds, the Microsoft SBOM generator can also reference the SBOMs of existing dependencies, generating a complete and unified dependency tree across all the various, cumulative builds of an asset.
If a consumer wants to make use of the SBOMs produced by a generation tool to determine what vulnerabilities exist in their software environment, along with their associated threat level, they can deploy an SBOM consumption tool. An SBOM report can be fed into a consumption tool to provide a complete view of each dependency and its current associated risk.
In the webinar, Microsoft showcases Cybeats SBOM Studio as a leading SBOM consumption tool that provides licensing intelligence for SBOMs and comprehensive and robust risk identification and assessment of known vulnerabilities.
And given the sheer number of dependencies in a software build, product and security leaders also need consumption tools that are thorough and easy to use. SBOM Studio packages all the critical information you need in a user-friendly and visual dashboard interface, streamlining the management of SBOMs so you can more efficiently assess and mitigate risks to your software security.
Isaach Hepworth (Group Product Manager) from Google takes over, highlighting the utility of SBOMs by looking at individual use cases which spur SBOM production and proliferation, underscoring why SBOMs are so necessary.
• If you produce software: software builds need to be compliant and secure; by keeping track of all dependencies during and after development, SBOMs make both licensing compliance and vulnerability monitoring faster, easier and more accurate.
• If you choose software: security and compliance are the two overriding factors when choosing software. As a granular inventory of dependencies, an SBOM is the blueprint to conduct a targeted security analysis of a potential purchase and to assess its compliance to any internal or external existing policy.
• If you operate software: Software is constantly evolving, so its risks must be continually managed and mitigated. With SBOMs, those operating software have better insight into asset vulnerability and its potential threat to their wider software environment, helping users prepare appropriate responses and execute independent mitigations.
Pursuant to the Executive Order, the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), was charged with determining the minimum elements for an SBOM.
In its July 2021 report, NTIA set forth these elements as the essential pieces that should support basic SBOM functionality and that will serve as the foundation for an evolving approach to software transparency.
These minimum elements comprise three broad, interrelated areas:
• Data fields. The documentation of baseline information about each component that should be tracked.
• Automation Support. The support of automation, including via automatic generation and machine-readability, to allow for scaling across the software ecosystem.
• Practices and Processes. How the operations of SBOM requests, generation and use are defined.
Interestingly, the NTIA acknowledged “the accommodation of mistakes”, a pragmatic recognition that mistakes of good faith are inevitable when new practices are being collaboratively implemented across a vast industry under real timelines with short runways. This welcome approach to change management understands a certain latitude to software producers and SBOM consumers will be needed in the coming years.
Preparing for the coming change
When Microsoft and Google put aside their differences and rally around a common concern, we should pay close attention. And with industry stakeholders quickly driving SBOM adoption and regulation, the time for action is now.
SBOM compliance will likely soon be required up and down the software chain, so companies need to position themselves in a changing, tumultuous software landscape. Without sufficient preparation, companies will be more than just vulnerable to increasingly sophisticated attacks – they will also struggle to comply and fall behind those competitors that can.
Recognized by IT consultant Gartner as a leading SBOM management tool to conduct supply chain screening and showcased by two of the biggest tech companies in the world, Cybeats SBOM Studio is ready to help you meet these challenges head on.
March 19, 2024
Tern is an open source software composition analysis and SBOM generation tool that generates SBOMs from container images. However, upon running this tool and generating a CycloneDX SBOM, a problem arose.
Read More →March 4, 2024
As a member of the PCAST Working Group on Cyber-Physical Resilience, I was involved in crafting the recent report outlining crucial steps to fortify the intricate systems that underpin our daily lives. One of our key recommendations, "Recommendation 4B: Promote Supply Chain
Read More →December 15, 2023
Notably, the Health Information Sharing and Analysis Center (Health-ISAC) is entering into a partnership with Cybeats, a leading software supply chain intelligence company, marking a substantial advancement in healthcare cybersecurity.
Read More →