How a software bill of materials can help solve our supply chain woes

As the software equivalent of a list of ingredients seen on food labels, an SBOM would reveal the provenance of direct and indirect dependencies contained in a particular piece of software.


The U.S. is facing a reckoning with regard to cybersecurity. Government agencies, hospitals, energy and oil pipeline companies are struggling to fend off ransomware attacks. Nation-states have compromised the software supply chain via the SolarWinds and Pulse Connect Secure attacks. If that weren't bad enough, a new Senate report found that two years after the State Department, Social Security Administration and five other agencies failed to meet basic cybersecurity standards, there had been only "minimal improvements" in the security efforts.

Government officials are feeling the heat and responding. Lawmakers have proposed more funding to respond to big cyberattacks, and the Biden administration released a cybersecurity Executive Order with security requirements to protect federal networks, including security measures for critical software and the minimum elements for a software bill of materials (SBOM).

Despite the good intentions of the EO, it's hard not to be cynical, given how the machinery in Congress runs. Many of the EO provisions will require funding and support that doesn't seem feasible anytime soon. For example, incremental funding will be required for the additional multi-factor authentication, encryption and endpoint detection technologies that will be necessary to comply with the EO.

Other elements of the EO are more likely to see the light of day. Creating a Cyber Safety Review Board to look into cyberattacks has precedent in the National Transportation Safety Board, which investigates all major transportation disasters. Establishing SBOMs to improve software supply chain transparency for both technology vendors and government customers is also within reach. Code that is compromised during the build phase of the software development life cycle is increasingly at the center of today's cyberattacks.

Furthermore, attacks targeting open-source supplier ecosystems are also rapidly increasing, as seen recently in the widespread "dependency confusion" attacks, which take advantage of a flaw in the way some public open-source repositories house software packages. It's never been more important to understand the quality and security of upstream code that feeds digital supply chains and is shipped into downstream production environments. Transparency with respect to this supply chain dynamic is critical because of the pace at which new zero-day vulnerabilities are constantly being discovered and exploited, as seen with the recent Kaseya ransomware exploit.

In light of these realities, the SBOM provision of the EO makes a great deal of sense because it would cost-effectively improve transparency for key stakeholders up and down the digital value-stream. As the software equivalent of a list of ingredients seen on food labels, an SBOM would reveal the provenance of direct and indirect dependencies contained in a particular piece of software. This information would expose areas of potential weakness and increase the trust level for the tech industry and the federal government, which heavily rely on open-source components to run business operations and build products today.

Until very recently, a big hurdle to broad adoption of SBOMs in federal software supply chains was the lack of formal guidance and standards. This has now been resolved with the National Telecommunications and Information Administration's July release of SBOM minimum elements. Standardization efforts have been underway for years, so the effort is not starting from scratch. There are at least three SBOM data element standards efforts: Software Identification (SWID) Tagging, championed by the National Institute of Standards and Technology; the Software Package Data Exchange (SPDX), sponsored by The Linux Foundation; and CycloneDX, sponsored by a group of vendors including Sonatype and Veracode with support from other companies.
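To make the "list of ingredients" idea concrete, here is an added example (not code from the article or from any of the standards bodies named) that walks a small CycloneDX JSON SBOM, labels each shipped component as a direct or indirect dependency of the top-level application, and matches component purls against an advisory feed, which is the lookup a defender performs when a new zero-day lands. The SBOM, the package names and the advisory identifier are all constructed placeholders.

```python
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical application; names, versions and purls are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "web", "name": "web-framework", "version": "2.3.1", "purl": "pkg:pypi/web-framework@2.3.1"},
    {"bom-ref": "tmpl", "name": "template-engine", "version": "0.9.0", "purl": "pkg:pypi/template-engine@0.9.0"},
    {"bom-ref": "ser", "name": "serializer", "version": "4.1.2", "purl": "pkg:pypi/serializer@4.1.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web"]},
    {"ref": "web", "dependsOn": ["tmpl", "ser"]}
  ]
}"""

# Constructed advisory feed keyed by purl (placeholder advisory ID, not a real CVE).
ADVISORIES = {"pkg:pypi/serializer@4.1.2": "ADVISORY-PLACEHOLDER-1"}


def load_sbom(text=SBOM_JSON):
    return json.loads(text)


def dependency_depths(sbom):
    """Map each bom-ref reachable from the top-level component to its depth: 1 = direct, >1 = indirect."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, frontier = {}, [(root, 0)]
    while frontier:  # breadth-first walk: the first visit records the shortest path from the root
        ref, d = frontier.pop(0)
        for child in edges.get(ref, []):
            if child not in depth:  # also terminates on cyclic dependency graphs
                depth[child] = d + 1
                frontier.append((child, d + 1))
    return depth


def find_affected(sbom, advisories):
    """Return {bom-ref: (advisory id, depth)} for every component whose purl has an advisory."""
    depth = dependency_depths(sbom)
    return {c["bom-ref"]: (advisories[c["purl"]], depth.get(c["bom-ref"]))
            for c in sbom.get("components", []) if c.get("purl") in advisories}


if __name__ == "__main__":
    for ref, (adv, d) in find_affected(load_sbom(), ADVISORIES).items():
        print(f"{ref}: {adv} ({'direct' if d == 1 else 'indirect'} dependency, depth {d})")
```

Without the `dependencies` graph the match would still tell you the vulnerable library ships in the product, but not that it arrived two hops down through a framework you never chose directly, which is exactly the provenance gap an SBOM is meant to close.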

SBOM skeptics have raised the possibility of unintended consequences associated with too much transparency pertaining to third-party dependencies commonly deployed within mission-critical software. If good actors have transparency, so do bad actors. Indeed, information is powerful and it's potentially a double-edged sword. No one is naive enough to think an SBOM is a magic bullet for solving all cybersecurity issues, but most software engineering and security professionals generally agree that it's an important step in the right direction.

Cybersecurity is an incredibly complicated issue, and dramatically improving one's security posture is no easy undertaking. It's incredibly hard work that involves technology, people and process. Getting it right will require years of additional effort and substantial investment. Despite this sobering reality, I applaud the EO, and specifically the SBOM mandate. An SBOM requirement vastly improves the government's security posture and is the first step in keeping untrusted software out of the critical systems that underpin federal government operations and securing government systems from nation-state attackers.
