Too many companies are missing a key software component in their businesses: their software bill of materials (SBOM). A SBOM is a list of all the components that make up a piece of software.
According to Brian Fox, chief technology officer at Sonatype, while some may think it is a trivial requirement, it provides transparency not only to your end users, but to your business. Any good software security program will tell you that you have to understand all the components in your system and the risks associated with those components. When a majority of the software assembled today is made up of open-source software or third-party code, a SBOM is the only way to provide full visibility into what is inside.
“Security is a knowledge warfare game more than anything, so we need to make it easier for people to understand what’s inside the software that they’re deploying on their networks, in their car, in their hearts, in their insulin pumps,” said Fox. “These things are not so readily observable so requiring an SBOM is a step towards providing that transparency.”
Unfortunately, less than 50% of companies actually produce a SBOM, but it is something that they will soon no longer be able to ignore. President Biden recently signed a United States cybersecurity executive order that requires any business that produces or sells software to the federal government to provide an SBOM along with the application.
“Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk,” the order states.
Fox hopes that the executive order will be a step forward to translating the importance of the SBOM to the broader software community.
The executive order follows the recent software supply chain attacks on SolarWinds and Codecov, as well as the ransomware attack on the Colonial Pipeline, all of which impacted a number of federal agencies and businesses.
“The attacks we are seeing in the software supply chain are attacking developers and development infrastructure. So many application security programs are focused on defending against shipping stuff to their end users that might cause data leakage and cause customers to be hacked, but as we have seen with SolarWinds, the developers are the target,” said Fox.
How to successfully produce a software bill of materials
The traditional approach to application security is to scan an application before it ships or goes into production, but that’s an old school mentality that creates a bill of vulnerabilities, not a bill of materials. “You are going to miss stuff if you can’t precisely detect what you are looking for,” said Fox.
He explained the key to successfully producing an SBOM is through automation. If you are doing it manually, you are doing it wrong because there are so many components that go into software, it’s almost impossible to find them all and then manage it. “When all these things are changing weekly, monthly, by the time you are done, you have to start all over. It’s just not possible to do it by hand,” Fox added.
The tools you incorporate to automatically produce a software bill of materials have to be precise and have to analyze existing applications. If you are using open-source software like Apache Struts that has a number of subcomponents and you are only using a few of them, your tool needs to know exactly what those components are otherwise it will give you a bunch of false positives for components that aren’t in your system.
“At Sonatype, we try to go to the next level and understand where does the vulnerability actually lie in the code, and then understand which of the individual subcomponents it is in and whether or not you have a potential vulnerability,” said Fox. “We’ve created a dataset that is precise enough to be actionable and automated to make that connection.”
The company also recently announced support for the CycloneDX Software Bill of Materials Standard, which worked with a number of stakeholders including Sonatype to provide a practical standard that can facilitate interoperability between systems.
Fox hopes companies will take the executive order seriously and not just try to check the box and put it on their website. “If a vendor gives you a bill of materials, you have to trust it because you can’t verify that it is accurate. I fear a lot of companies will move towards just putting it together so it’s good enough,” he said.
However, he does note that the executive order is a great start for getting the awareness around SBOMs and having people understand it. “These types of things can finally move the needle for the industry even if they didn’t really want to,” he said.
Content provided by SD Times and Sonatype