Cybersecurity is about risk mitigation: understanding the threats and fortifying gaps in networks and devices. Companies and organizations cannot fully protect digital assets unless they know what software applications are connected to their enterprise networks and devices. With the growth of supply chain attacks and a record number of breaches at both corporations and government agencies, efforts are underway for more transparency and accountability for such assets. One initiative is the call for a “Software Bill of Materials” (SBOM).
On May 12, 2021, the White House issued Executive Order (EO) 14028, aimed at fortifying the nation’s cybersecurity posture, including enhancing software supply chain security. In relation to the EO, the National Telecommunications and Information Administration (NTIA) issued a notice for public comment under its mandate to publish a list of minimum elements for an SBOM. NTIA proposed a definition of the “minimum elements” of an SBOM that “builds on three broad, inter-related areas: data fields, operational considerations, and support for automation.” (Source: Federal Register, “Software Bill of Materials Elements and Considerations”)
In October 2021, the DHS Software Supply Chain Risk Management Act of 2021 passed the U.S. House of Representatives in a 412-2 vote. Under the bill, the Under Secretary for Management will be required to issue department-wide guidelines for identifying materials used in software development. The new guidelines will help modernize DHS’ acquisition process and strengthen cybersecurity by requiring DHS contractors to submit software bills of materials identifying the origins of each component in the software provided to the agency. Rep. Ritchie Torres, vice chairman of the House Homeland Security Committee and sponsor of the bill, noted, “As cyberattacks become increasingly frequent and sophisticated, it is crucial that DHS has the capacity to protect its own networks and enhance its visibility into information and communications tech or services that it buys.” (Source: “DHS Software Supply Chain Cybersecurity Act Passes House Vote; Rep. Ritchie Torres Quoted,” executivegov.com)
What is a “Software Bill of Materials” (SBOM)?
According to the National Telecommunications and Information Administration (NTIA) at the Department of Commerce, a “Software Bill of Materials” (SBOM) is effectively a nested inventory: a list of ingredients that make up software components. More specifically, an SBOM is a “formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.”
SBOMs and Risk Management
In the past, much of cybersecurity has been reactive; current operational trends are toward being strategic and proactive. Because of the expansion of the digital attack surface and new, sophisticated hacker tools, companies and agencies need to rely more on informed risk management. That requires a more active application of the NIST Framework that includes detection, recognition, identification, response, and remediation of threats.
Advances in predictive data analytics and diagnostics to index, provide network traffic analysis, and protect against further incursions are already a growing area of concentration. Information security leaders also need to understand the risks to their business resulting from new vulnerabilities, license risks and supply chain security incidents. These are all areas where an SBOM can contribute to a security posture.
Dr. Allan Friedman leads the Department of Homeland Security CISA’s efforts to coordinate SBOM efforts inside and outside the USG and around the world. His focus has been on scaling and operationalizing SBOM in the context of the vulnerability and security ecosystem. In an interview with NextGov, Dr. Friedman said CISA is looking to be “a little more proactive around managing the vulnerability ecosystem. The industry buzzword for the past few years is to ‘shift left,’ and to sort of help us understand not just how to deal with vulnerabilities, but what we can do to make managing them more effective and ultimately to eliminate them or reduce them in the ecosystem.” To operationalize SBOM means to “make sure that we can integrate this into daily operation, into existing tools, and the final status of hooking it into the existing vulnerability and cybersecurity ecosystem.” (Source: “The Government’s Software Transparency Journey Moves from Plan to Practice,” Nextgov)
According to the NTIA, the benefits of SBOMs can accrue to both software suppliers and consumers. They include: identifying and avoiding known vulnerabilities; quantifying and managing licenses; identifying both security and license compliance requirements; enabling quantification of the risks inherent in a software package; managing mitigations for vulnerabilities (including patching and compensating controls for new vulnerabilities); and lower operating costs due to improved efficiencies and reduced unplanned and unscheduled work. (Source: sbom_faq_-_20201116.pdf, ntia.gov)
The NTIA suggests that SBOM baseline component information should include:
Dmitry Raidman, CTO of Cybeats, is a top expert on SBOM. He elaborated on why we need a cybersecurity software standard for tracking and transparency: “Once you know precisely what ingredients are used in your software, you can get a clear vision of the risk factor this specific bill of materials brings to your environment when it runs. What’s more, the risk factor can change whether or not something in the software bill of materials changes since new vulnerabilities are discovered on a daily basis. The only way to know if you are affected is by having this level of transparency.”
At a more granular level, Dmitry also offered additional specific use cases for SBOM: transparency into software provenance and pedigree; continuous security risk assessment; access control and sharing with customers (who can access the SBOM and what data can be seen); threat intelligence data correlation; software composition license analysis and policy enforcement; software component end-of-life monitoring; supply chain risk management (SCRM) and supply chain screening; an SBOM document repository and orchestration; and efficiency in data query and retrieval. The capabilities Dmitry describes can integrate seamlessly into CI/CD processes and enable businesses to forecast costs for cybersecurity maintenance cycles and to budget and allocate resources accordingly. (Source: Dmitry Raidman Articles and Insights, devops.com)
The global firm KPMG also sees SBOM as an enabler for organizations to leverage its contents in workflows for application security, threat intelligence, the Security Operations Center (SOC), developers, and internal audit teams. Clearly, SBOMs have many uses for risk management in establishing a cybersecurity posture. (Source: “What are SBOMs?”, kpmg.us)
According to Dr. Susan Miller, executive editor at GCN, “organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures, but without a SBOM, there’s no way to identify the components of a software package. A SBOM would give developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.” (Source: “Protecting the supply chain with a software bill of materials,” GCN)
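The nested-inventory definition given earlier, the NVD lookup problem Dr. Miller describes, and the license-policy and provenance use cases Dmitry lists all come down to the same operation: parse the SBOM, walk its recorded dependency relationships, and join each component against external data. The Python below is an added example written for this page; it is not code from the article or from NTIA, CISA, Cybeats, KPMG or any tool they mention. The SBOM document, package names, purls, supplier names, timestamp, vulnerability feed entries (placeholder IDs, not real CVEs) and license deny-list are all constructed for the example; the per-component fields it tracks mirror the data fields in NTIA's published minimum elements.

```python
"""Added example, not from the article: a minimal SBOM consumer that walks a
constructed CycloneDX-style SBOM's nested dependency graph and correlates the
result with a constructed vulnerability feed and a constructed license policy."""
import json
from collections import deque

# Constructed SBOM. Per-component fields (supplier, name, version, unique id,
# dependency relationships, author, timestamp) follow the NTIA minimum-elements
# data fields; every value below is invented for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {
    "timestamp": "2021-11-01T00:00:00Z",
    "authors": [{"name": "constructed-sbom-generator"}],
    "component": {"type": "application", "name": "example-webapp", "version": "2.0.0",
                  "bom-ref": "pkg:generic/example-webapp@2.0.0"}},
  "components": [
    {"type": "library", "name": "libhttp", "version": "1.4.2", "bom-ref": "pkg:generic/libhttp@1.4.2",
     "supplier": {"name": "Example Vendor A"}, "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libcompress", "version": "0.9.1", "bom-ref": "pkg:generic/libcompress@0.9.1",
     "supplier": {"name": "Example Vendor B"}, "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libparse", "version": "3.1.0", "bom-ref": "pkg:generic/libparse@3.1.0",
     "supplier": {"name": "Example Vendor A"}, "licenses": [{"license": {"id": "Apache-2.0"}}]}],
  "dependencies": [
    {"ref": "pkg:generic/example-webapp@2.0.0",
     "dependsOn": ["pkg:generic/libhttp@1.4.2", "pkg:generic/libparse@3.1.0"]},
    {"ref": "pkg:generic/libhttp@1.4.2", "dependsOn": ["pkg:generic/libcompress@0.9.1"]},
    {"ref": "pkg:generic/libparse@3.1.0", "dependsOn": []},
    {"ref": "pkg:generic/libcompress@0.9.1", "dependsOn": []}]
}"""

# Constructed stand-in for an NVD/CVE feed. IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "PLACEHOLDER-VULN-0001", "name": "libcompress", "fixed_in": "1.0.0"},
    {"id": "PLACEHOLDER-VULN-0002", "name": "libhttp", "fixed_in": "1.4.0"},
]

# Constructed license policy: SPDX identifiers this product team refuses to ship.
DENIED_LICENSES = {"GPL-3.0-only"}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(text):
    """Return (root_ref, components_by_ref, dependency_edges) from the JSON."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in doc["components"]}
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    return root["bom-ref"], comps, edges


def nested_inventory(root_ref, edges):
    """Breadth-first walk: every component reachable from the root, with the
    shortest dependency depth at which it appears (0 = the product itself)."""
    depth = {root_ref: 0}
    queue = deque([root_ref])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def find_vulnerable(comps, refs, feed):
    """Match component name + version against feed entries; a component is
    affected when its version is below the entry's fixed_in version."""
    hits = []
    for ref in refs:
        comp = comps[ref]
        for vuln in feed:
            if (vuln["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(vuln["fixed_in"])):
                hits.append((vuln["id"], ref))
    return sorted(hits)


def find_license_violations(comps, refs, denied):
    """Flag any reachable component whose SPDX license id is on the deny list."""
    out = []
    for ref in refs:
        for entry in comps[ref].get("licenses", []):
            lic_id = entry.get("license", {}).get("id")
            if lic_id in denied:
                out.append((ref, lic_id))
    return sorted(out)


def assess(sbom_text=SBOM_JSON, feed=VULN_FEED, denied=DENIED_LICENSES):
    """Run inventory, vulnerability and license checks; return one report dict."""
    root_ref, comps, edges = load_sbom(sbom_text)
    inventory = nested_inventory(root_ref, edges)
    deps = [ref for ref in inventory if ref != root_ref]
    return {"inventory": inventory,
            "vulnerable": find_vulnerable(comps, deps, feed),
            "license_violations": find_license_violations(comps, deps, denied)}


if __name__ == "__main__":
    report = assess()
    for ref, d in sorted(report["inventory"].items(), key=lambda kv: kv[1]):
        print("  " * d + ref)
    print("vulnerable:", report["vulnerable"])
    print("license violations:", report["license_violations"])
```

The point the walk makes is that libcompress never appears among the product's direct dependencies: it is only visible, and therefore only matchable against a vulnerability feed or a license policy, because the SBOM records the relationship through libhttp. Real feeds key on identifiers (CPE, purl) rather than bare names, and version-range matching is considerably messier than the numeric compare shown here.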
A particular challenge in 2021 has been addressing vulnerabilities in the supply chain. Last summer, the Department of Homeland Security (DHS) posted an RFI for Cyber Supply Chain Risk Management. It stated that “The government seeks information about capabilities that enable identification and mitigation of information and communications technology (ICT) products (e.g., hardware, software, devices) that may contain potentially malicious functionality, are counterfeit, are vulnerable due to deficient manufacturing practices within the supply chain or are otherwise determined to enable or constitute a threat to the United States.” (Source: FBODaily.com, FedBizOpps: Cyber Supply Chain Risk Management – CSCRM RFI, 19-Aug-18, FBO#6113)
SBOMs can add value to public and private sector initiatives to protect the supply chain. Supply chain breaches often exploit the poor security practices of suppliers, embed compromised (or counterfeit) hardware and software, or originate from insider threats within networks. SBOMs allow for discovery and mitigation of software security risks early in the production cycle. By identifying and attesting to software package components up front, an SBOM can help assess unknown risks and transition them to known risks.
An SBOM can be used as a cybersecurity risk management tool for helping to secure cyberspace, including supply chains. Its value goes beyond that, to the management and operations of any components in the digital inventory. It is still early in the cycle of SBOM adoption, but more transparency and accountability for software security and optimization is a good thing for both the public and private sectors.
“Gartner estimates that 70 to 80 percent of modern software incorporates open source libraries (OSS) or components from third-party upstream suppliers into product design. These pre-made constructs increase productivity and shorten development time—but they also carry risk into the final product. Like any software module, these software ingredients can have vulnerabilities that emerge at any time, making the overall software product less secure over time.” (Source: SBOM Studio)
As your business grows, safeguarding the applications and systems it relies on involves a unique approach that balances accessibility with cybersecurity. At Raptor IT Consultants, our mission is to establish a foundation for your network resources that empowers users to work efficiently, while offering scalable, managed IT services that complement any business model, affordably. #raptoritnetwork