SBOM and Supply Chain Security
2021-09-15 | 6 min read
“SBOM will not solve all software security problems, but will form a foundational data layer on which further security tools, practices, and assurances can be built.”
--National Telecommunications and Information Administration
You might correctly guess that the Software Bill of Materials (‘SBOM’) is a formal record of all the software components inside a software application. But a software product, like that handy flashlight application that you downloaded for your smart phone, doesn’t have components, does it?
Maybe lots of zeros and ones, right?
Right. But despite most of my life spent interacting with software, as either a consumer or a coder, I’ve never actually touched a bit, a byte, a zero or a one. And I’ve never seen a flashlight application with a lightbulb inside. Nonetheless, the SBOM, like the HBOM (hardware bill of materials) and the FBOM (firmware bill of materials), is quickly becoming a required element of a good ICS/OT cybersecurity strategy.
In the same way that the earliest inventors of physical devices discovered that you didn’t need to reinvent the wheel every time you needed one, the architects of the digital world already knew that you didn’t need to rewrite useful code every time you needed it. So commonly used software packages like online shopping carts, customer review modules, and embedded real-time operating systems are often packaged into modules, libraries, and now containers, and sold to and reused by coders in the development of software applications that make life easier.
The SBOM can Save Lives
Especially in the ICS/OT world, where the physical and digital worlds converge in a very big way. Earlier this year, CISA published advisory CVE-2021-22156 (‘BadAlloc’), which details vulnerabilities found in multiple real-time operating systems (‘RTOS’) and supporting libraries. One affected RTOS vendor says “BadAlloc could potentially allow a successful attacker to perform a denial of service or execute arbitrary code.” BadAlloc is part of a collection of integer overflow vulnerabilities which affect a wide range of industries using Internet of Things (IoT) and operational technology (OT)/industrial control systems (ICS) devices.
Last month BlackBerry’s QNX Real Time Operating System was added to those affected by the vulnerability.
Considering where these RTOS components are used, BadAlloc is, by definition, a software supply chain security vulnerability. Every device running on an affected RTOS is vulnerable and needs to be patched. But how does a product manufacturer or consumer know if an affected RTOS is buried deep inside their product?
The SBOM. It’s what’s inside.
Executive Order 14028
If you’re a software developer, a software vendor, a software buyer, a user in the ICS/OT world, or plan to sell your products into the United States, you need to pay attention to Executive Order 14028.
Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity mentions the SBOM nearly a dozen times. What it is, and who benefits, are clearly spelled out under Section 10, which I’ve included below.
Section 10. Definitions. For purposes of this order:
(j) the term ‘‘Software Bill of Materials’’ or ‘‘SBOM’’ means a formal record containing the details and supply chain relationships of various components used in building software.
Why it’s needed:
- Software developers and vendors often create products by assembling existing open source and commercial software components.
What it does:
- The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging.
Who benefits from an SBOM:
- An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.
- Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.
- Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.
- Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.
What format shall an SBOM take:
- A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration.
- The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
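To make concrete both the question raised earlier (how do you know whether an affected RTOS is buried deep inside a product?) and the point above about operators querying machine-readable SBOMs for exposure to a newly disclosed vulnerability, here is an added example in Python. It is not code from the post or from any SBOM tool. It assumes a CycloneDX-style JSON layout (a `metadata.component` for the product, a flat `components` list, and a `dependencies` graph keyed by `bom-ref`); the product, component and version names and the advisory identifier are constructed placeholders, not real data. The script flags every component whose version is below the advisory's fixed version and walks the dependency graph to show the chain through which the product reaches it, which is exactly the "buried inside" case the post describes.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in a CycloneDX-style JSON shape.
# Assumption: an illustrative document, not a real product's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "metadata": {"component": {"bom-ref": "pkg:generic/flow-meter-fw@2.4.1",
                             "name": "flow-meter-fw", "version": "2.4.1"}},
  "components": [
    {"bom-ref": "pkg:generic/netstack@3.0.2", "name": "netstack", "version": "3.0.2"},
    {"bom-ref": "pkg:generic/example-rtos@7.0.3", "name": "example-rtos", "version": "7.0.3"},
    {"bom-ref": "pkg:generic/tls-lib@1.2.0", "name": "tls-lib", "version": "1.2.0"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/flow-meter-fw@2.4.1",
     "dependsOn": ["pkg:generic/netstack@3.0.2", "pkg:generic/tls-lib@1.2.0"]},
    {"ref": "pkg:generic/netstack@3.0.2", "dependsOn": ["pkg:generic/example-rtos@7.0.3"]},
    {"ref": "pkg:generic/tls-lib@1.2.0", "dependsOn": []},
    {"ref": "pkg:generic/example-rtos@7.0.3", "dependsOn": []}
  ]
}
"""

# Constructed advisory record: affected component names and the first fixed
# version of each. The identifier is a placeholder, not a real advisory.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "affected": [
        {"name": "example-rtos", "fixed_in": "7.1.0"},
        {"name": "other-rtos", "fixed_in": "2.0.0"},
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple ('7.0.3' -> (7, 0, 3)).
    Non-numeric characters are dropped so the comparison never raises."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(component: Dict, advisory: Dict) -> bool:
    """True when the component matches an affected name and is below the fixed version."""
    for a in advisory["affected"]:
        if component["name"] == a["name"] and \
                parse_version(component["version"]) < parse_version(a["fixed_in"]):
            return True
    return False


def dependency_path(sbom: Dict, root_ref: str, target_ref: str) -> Optional[List[str]]:
    """Depth-first walk of the dependency graph. Returns the chain of bom-refs
    from the product down to target_ref, or None if it is not reachable."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    stack = [(root_ref, [root_ref])]
    seen = set()
    while stack:
        ref, path = stack.pop()
        if ref == target_ref:
            return path
        if ref in seen:  # guards against cycles in a malformed graph
            continue
        seen.add(ref)
        for child in graph.get(ref, []):
            stack.append((child, path + [child]))
    return None


def find_exposures(sbom_json: str, advisory: Dict) -> List[Dict]:
    """Match every SBOM component against the advisory and record how the
    product reaches each affected component."""
    sbom = json.loads(sbom_json)
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    exposures = []
    for comp in sbom.get("components", []):
        if is_affected(comp, advisory):
            exposures.append({
                "component": f'{comp["name"]}@{comp["version"]}',
                "advisory": advisory["id"],
                "path": dependency_path(sbom, root_ref, comp["bom-ref"]),
            })
    return exposures


if __name__ == "__main__":
    for e in find_exposures(SBOM_JSON, ADVISORY):
        print(f'{e["advisory"]}: {e["component"]} reached via ' + " -> ".join(e["path"]))
```

Run as a script it reports that the constructed product reaches the affected RTOS only through its network stack, which is the information an operator needs to decide whether a device must be patched even though the RTOS never appears as a direct dependency. In practice the advisory side would come from a vulnerability feed and the SBOMs from a repository, as the quoted guidance recommends; the matching logic stays the same.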
Like the National Security Memorandum that was issued in May 2021, Executive Order 14028 is voluntary, but enforcement is expected to be coming soon.
Join me and industrial cybersecurity expert Patrick Miller in our continuing discussion about supply chain security.