Risk comes from everywhere in our networked world, and organizations are facing yet another growing challenge: cybersecurity vulnerabilities not stemming from click-happy end users, but rather from the very software engineers and programmers tasked with building the digital infrastructure we rely on. With software’s pivotal role in daily operations, the need for robust vulnerability management tools and processes, such as a Software Bill Of Materials (SBOM) will need to be taken seriously.
A Software Bill of Materials (SBOM) is a list of ingredients that make up software components. In other words, it is an inventory of all the bits of programming code that make up the applications and routines which directly control the operations and functioning of hardware. If a piece of software were a person, this would be akin to a full background check or psychological profile of that person. An SBOM provides a clear and detailed view of the software’s building blocks, which can include libraries, frameworks, modules, and other components.
Software underpins nearly every aspect of our lives, from vending machines and mobile phone applications, to enterprise financial tracking and critical infrastructure. As our reliance grows, building and maintaining an SBOM is a critical baseline for software supply chain security, providing visibility and transparency, and promoting effective risk assessment. The broader impact of security tasks related to this effort should be moving beyond mere compliance checkboxes to effectively protect our digital assets.
While end users are often perceived as the primary source of risk, it’s important to recognize that software developers can also inadvertently compromise security. Just as a successful phishing email exposes user accounts and devices, exploited software vulnerabilities, stemming from applications and their dependencies, can wreak havoc. These vulnerabilities have the potential to lead to data leaks, loss of services, and more. The risk escalates when code is sourced from undocumented repositories, where potential vulnerabilities can be exploited long before they are widely reported. Likewise, if they fail to be recorded as in use in an environment, the lack of documentation can hamper patch management and threat mitigation efforts, making rapid response to exploitation difficult; or worse, too late.
It is of note that SBOMs are not limited to traditional software applications; they also encompass containerized environments, serving the same purpose as traditional SBOMs but focusing on the components and dependencies within container images. This type of SBOM helps organizations understand the software makeup of their containerized applications, assess vulnerabilities, maintain compliance, and ensure the security and integrity of their container environments. Some examples of where an SBOM would be useful here include:
Container Image Analysis: SBOMs can be generated by analyzing container images. Container images typically contain all the dependencies and libraries required for an application to run. Tools like container scanning and image analysis can extract information about the software components within these images.
Dependency Tracking: An SBOM for containerized environments includes a comprehensive list of all the dependencies used within containers. This encompasses not only the primary application but also libraries, frameworks, and packages upon which the application relies.
Link to Orchestration: If containers are managed within an orchestration framework like Kubernetes, the SBOM can include information about the orchestration configurations and any security policies in place.
To maintain the accuracy and timeliness of SBOMs for containerized environments, automation is crucial. Tools should be set up to automatically generate and update SBOMs as new container images are built and deployed. Conveniently, there does exist container registry integration. Many container scanning tools integrate with container registries, such as Docker Hub or Kubernetes’ built-in container registry. This integration ensures that the SBOM remains up-to-date as new container images are pushed to the registry. This can increase the ease and efficiency of SBOM generation in a continuous integration and continuous deployment (CI/CD) pipeline, where they would be generated as part of the software development and deployment.
Several high-profile cyber incidents, such as the SolarWinds Orion Supply Chain Attack (2020), Equifax Data Breach (2017), OpenSSL Heartbleed (2014), and the Apache Log4j vulnerability (2021), have highlighted the urgency of robust vulnerability management. Where the potential to affect markets and services globally was noted not just by businesses, but various countries and regulatory bodies. Included in a growing list of nations taking action are the United States, South Korea, the European Union, the United Kingdom, Canada, and Japan. All of whom have adopted SBOM guidance policies and mandates as part of their broader cybersecurity initiatives. These measures aim to enhance transparency, bolster national security, and ensure that government agencies and contractors uphold high standards of software security and compliance.
It is increasingly recognized that software vulnerabilities can have far-reaching consequences. Ultimately SBOMs play a pivotal role in safeguarding critical infrastructure, sensitive information, and even our online gaming experiences and social interactions. As the cybersecurity landscape continues to evolve, SBOMs stand as a beacon of security, ensuring the integrity of our digital infrastructure, as well as the safety and — whatever is left of — our privacy in online interactions. Compliance is just a starting point; embracing SBOMs beyond government-level projects, where regulation has not yet occurred, is a commitment to a more secure digital future on the whole.
The best time to create a Software Bill of Materials (SBOM) is early in the software development lifecycle. As soon as a software development project is initiated, it is a good practice to start identifying and documenting the components and dependencies that will be used in the design. During design, software architects and developers selecting libraries and frameworks should ensure they are tracked through development. Then, during development, the SBOM should be continuously updated as new integrations are introduced and existing ones are modified with testing. Before releasing the project to production or distribution to end users, ensure that the SBOM is complete and accurate. This will aid in vulnerability management as the real world gets its hands and hardware on it.
The following should be incorporated when creating an SBOM:
Identify the Software: Begin by identifying the entire application, module, or specific piece of software that you want to analyze.
Document Components: List all of the components and dependencies of the software. This includes libraries, frameworks, modules, plugins, and any other building blocks.
Version Information: For each component, document its version information. This is crucial for tracking and identifying vulnerabilities associated with specific versions.
Licensing Information: Include licensing information for each component. This helps ensure compliance with open-source licenses and intellectual property rights.
Origin & Source: Document the origin of each component, including its source repository or supplier. This is important for tracking updates and security patches.
Dependencies: Note the dependencies between components. Understanding what and how components interact with one another is vital for vulnerability assessment.
Lifecycle Information: Document information about the lifecycle of each component. This includes release dates, end-of-life (EOL) dates, and any available support or maintenance information.
To alleviate the potential heavy lift and reduce the risk of human error, consider using automated tools with regard to creating and maintaining an SBOM. This will streamline the process significantly from the very beginning. Open-source asset organization management like FOSSolody or other Software Composition Analysis (SCA) Tools and DevSecOps Platforms, all have various functionality related to scanning and identifying code dependencies, components, and known vulnerabilities. Consider the organization’s specific needs and requirements when selecting an automated SBOM generation/management tool. The size of the project, the type of software components, the budget, and compliance requirements all contribute weight to the decision.
Remember, SBOM documentation should be established as early as possible in the software development process and kept up-to-date throughout the lifecycle, regardless of whether employing the use of automated tools or not. This proactive approach enhances transparency, accountability, and aids in vulnerability management.
SBOMs provide greater transparency into software supply chains, making it easier to identify vulnerabilities and respond to security threats effectively. Pairing the creation and use of SBOMs with other robust vulnerability management procedures fortifies an organization’s cybersecurity posture. This in turn fosters accountability and enhances an organization’s reputation.
To effectively leverage SBOMs in vulnerability management, organizations should follow these best practices:
Secure Storage & Access Control: Store SBOMs securely to prevent unauthorized access. SBOMs themselves can be lucrative targets for threat actors. Their protection is paramount.
Collaboration: Encourage collaboration between development and security teams. This teamwork will enable all stakeholders to better understand and address any vulnerabilities or risks identified in the software.
Training and Education: Provide training to employees and students on the importance of SBOMs and how to interpret them. Many programmers are not taught to focus on secure coding practices, the priority being to “get it to work” as quickly as possible. An SBOM is one factor with the potential to have an enormous impact on improving software security.
Regulatory Compliance: If regulatory compliance is a concern for your organization, ensure that the SBOM is maintained and aligns with any compliance requirements throughout the software development, deployment, and maintenance processes.
Documentation & Reporting: Ensure that SBOMs are well-documented and easily accessible to relevant stakeholders. Make them a part of the overall organizational cybersecurity documentation and reporting framework.
The National Institute of Standards & Technology (NIST) offers guidance on creating SBOMs. Considering NIST’s significant role in cybersecurity best practices, it is worth noting that they place significant emphasis on SBOMs in supply chain security and vulnerability management. Aside from the well-known Cybersecurity Framework their collaboration with industry stakeholders has led to two documents that should be reviewed:
They both provide valuable insights for organizations seeking to implement SBOMs as part of their cybersecurity practices.
The Software Bill of Materials (SBOM) continues to emerge as a linchpin in modern cybersecurity practices. Over time the practice of having them will ideally transcend traditional compliance efforts to become an indispensable asset of the digital landscape. Their significance extends to national security initiatives but will still have a significant impact on maintaining the everyday beat of our connected society. Creating SBOMs is not merely a best practice; it’s a proactive commitment to understanding and managing software supply chains. In vulnerability management, SBOMs expedite the identification and mitigation of vulnerabilities. As we witness the continued expansion and complexity of our networked world and its technology, the adoption of SBOMs is an obvious necessity that ensures the resilience and security of our software-driven future.