Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

Cybersecurity Leaders Scramble to Decipher SBOM Mandate

The U.S. government’s push for mandatory SBOMs has sent cybersecurity buyers and sellers scrambling to understand the ramifications and prepare for downstream side-effects.

Supply chain attack

The U.S. government’s push for mandatory SBOMs (software bill of materials) to provide software transparency in the face of supply chain attacks has sent cybersecurity buyers and sellers scrambling to understand the ramifications and prepare for downstream side-effects.

Since U.S. president Joe Biden signed the now-infamous cybersecurity executive order in May this year, there have been countless virtual workshops and live panel discussions focused on understanding the basics of SBOMs and how they would help address software supply chain attacks.

At its core, an SBOM is meant to be a definitive record of the supply chain relationships between components used when building a software product. It is a machine-readable document that lists all components in a product, including all open source software, much like the mandatory ingredient list seen on food packaging.

The National Telecommunications and Information Administration (NTIA) has been busy issuing technical documentation, corralling industry feedback, and proposing the use of existing formats for the creation, distribution and enforcement of SBOMs.

This flurry of activity has sent cybersecurity buyers and sellers scrambling to understand the downstream ramifications but, for Sounil Yu, a security veteran with leadership stints at Bank of America, YL Ventures and now JupiterOne, the energy around SBOMs is long overdue.

“I’ve been an advocate for SBOMs for a while. When I was at Bank of America, I was in various [industry financial services] advocating for SBOMs to provide transparency about the software we were buying and using,” Yu said in a recent interview.

Yu pushed the envelope at his new company, JupiterOne, an early-stage startup that sells cybersecurity products. One his first tasks as JupiterOne CISO was to go public with an SBOM as part of the company’s trust and transparency documentation.

“That was actually the first question I asked the team. Do we have an SBOM?  At the time I knew that the SBOM requirement would come out in the executive order so I wanted to be a little bit prepared to know whether or not we could produce an ingredient list of everything in our product,” Yu explained. 

Advertisement. Scroll to continue reading.

Yu viewed the company’s ability to generate an SBOM as a sign of maturity and he wanted to use the document to provide a baseline level of transparency for buyers and, even more importantly, remediate licensing risks and security vulnerabilities during the development process.

While the SBOM is a new acronym on the agenda list for modern CISO meetings, Yu expects activity around software ingredients list to take center stage as a critical part of the open source governance process.

He sees SBOMs not as something futuristic, but more as “completion of the past” where the collection and maintenance of a very thorough inventory of our software assets suddenly becomes realistic.

“Unfortunately we don’t really have that today, at least not at the level of granularity that helps us understand whether or not we’re exposed to a particular vulnerability [in a third-party] component.  When we discover, again, that OpenSS or some open-source package might be vulnerable, we really don’t know our exposure because we don’t have an inventory.”

“This [SBOMs] can help bring a level of completeness to the inventory process,” he said, arguing that security vendors will find multiple side-benefits around software licenses, patching open-source components and dependencies, and maintaining a modern technology stack. 

The JupiterOne security chief urged his CISO peers and entrepreneurs to actively participate in the industry dialog around supply chain security issues and stay current with new standards and formats that will emerge from ongoing consultations.

Robert M. Lee, co-founder and chief executive at industrial cybersecurity vendor Dragos, agrees that SBOMs could provide major benefits to both buyers and sellers but cautioned that it will be “extraordinarily hard to operationalize” once SBOMs identify weaknesses deep in the chain.

During a recent fireside chat at SecurityWeek’s APAC ICS Cyber Security Conference, Lee said he expects SBOMs to help provide visibility to security risk exposure from software but due to the nature of threats in ICS environments, he doesn’t expect it to move the needle on vulnerability management programs.

Lee also sees value for SBOMs in the procurement process where an outdated library or software component would be flagged early in the purchasing process. He also expects the SBOM mandate to help clean up software licensing processes among both buyers and sellers. 

The U.S. Commerce Department’s NTIA has been out front advocating for SBOMs with a wide range of new documentation including:

• SBOM at a glance – an introduction to the practice of SBOM, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain.

• A detailed FAQ document that outlines information, benefits, and commonly asked questions.

• A two-page overview provides high-level information on SBOM’s background and eco-wide solution, the NTIA process, and an example of an SBOM.

• A series of SBOM Explainer Videos on YouTube.

Separately, the open-source Linux Foundation has released a batch of new industry research, training, and tools aimed at accelerating the use of a Software Bill of Materials (SBOM) in secure software development.  These include documentation on SPDX, a standard for SBOM requirements and data sharing.

The Linux Foundation also published a new SBOM survey highlighting the current state of industry practices to establish benchmarks and best practices; a new SBOM training course on Generating a Software Bill of Materials to accelerate adoption; and SBOM tools to enable software development teams to create SBOMs for their applications

The free online training course on Generating a Software Bill of Materials (LFC192) promises foundational knowledge about the options and the tools available for generating SBOMs and how to use them to improve the ability to respond to cybersecurity needs. 

The open-source group also released SPDX SBOM generator, a command-line tool used to generate SBOM information, including components, licenses, copyrights, and security references of applications.   The tool uses the SPDX v2.2 specification and aligns with the current known minimum elements from NTIA. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.