Written by Elias Grohl and Jon Hewitt Jones
There are few things that a fractious community of cybersecurity experts and researchers can agree on. One rare exception is the need for more widespread use of software bills of materials (SBOMs), machine-readable inventories that list the components that make up a particular piece of software.
With that information in hand, cybersecurity defenders are much better placed to find and fix bugs. A landmark Cyberspace Solarium Commission report argued that SBOMs should be required for software purchased by the federal government, and the Cyber Safety Review Board's study of the log4j vulnerabilities identified SBOMs as an important tool for preventing a similar disaster.
However, implementation remains a challenge, in large part because the technology industry still needs to understand exactly what information such mandates will require and how that information will be used.
Despite the groundswell behind SBOMs, key agencies within the federal government have been slow to mandate their use. The Office of Management and Budget's September memo merely gave agencies the option of requiring SBOMs in federal IT contracts, rather than requiring them for all software the federal government purchases. And in the rush to pass the National Defense Authorization Act at the end of the year, a provision that would have required DHS to mandate SBOMs in its contracts was dropped amid industry opposition.
The September White House memo requires federal agencies to obtain self-attestations from vendors, but does not require SBOMs.
A major challenge facing SBOM production and consumption today is promoting wider adoption. Allan Friedman, the computer scientist who leads SBOM work at DHS's Cybersecurity and Infrastructure Security Agency (CISA), describes encouraging the use of these tools as "the chicken and the egg."
"SBOM could solve a major security problem, but nobody asked for it because no one provided it," says Friedman.
Like the list of ingredients on the side of a cereal box, an SBOM (pronounced ess-BOM) lists the software components and libraries in a product and the relationships between them. To fix a vulnerability, an engineer first has to know it is there, and the SBOM provides the inventory needed to understand which components are present on a given system.
Because modern software consists largely of assembled components, much of it open source, understanding what a particular piece of software contains is the first step in identifying vulnerabilities.
The modularity of modern software also means that when a vulnerability is found in a widely used library such as log4j, that vulnerability may exist in the vast number of programs that depend on it, often several layers down the dependency chain.
SBOMs begin to address this problem by mapping software components and their dependencies. But getting the software industry to adopt the technology is a nascent and very difficult task.
David A. Wheeler, Director of Open Source Supply Chain Security at The Linux Foundation, said: “You shouldn’t expect this to happen overnight. This will take time.”
To promote SBOM adoption, many experts would like governments to play a more active role in requiring their use. Mandating that suppliers to the U.S. government include SBOMs with their software would provide a major injection of engineering resources at a time when the technology is starting to show progress but needs to mature before its benefits can be fully realized.
As such, some viewed the decision to remove the SBOM requirement from the NDAA as a lost opportunity, among them Trey Herr, who leads the Atlantic Council's Cyber Statecraft Initiative.
Although the provision was dropped because of industry opposition, "many of the complaints raised by industry groups were confusing and disingenuous," Herr argues.
Industry representatives said they sought the removal of the NDAA requirement due to a lack of specificity about how information is collected from vendors.
The Office of Management and Budget's keystone memo, published in September, sets out requirements for technology vendors and the federal agencies they work with. According to a guidance document, tech companies have until June 15 next year to be ready to attest to the cybersecurity of their products.
However, with continued uncertainty about exactly what information federal departments will seek from vendors, some companies are preparing to sign their cybersecurity self-attestations by that date, while others are waiting for more clarity on what will be required of them.
"My clients are divided," one senior technology policy adviser told FedScoop, citing tech vendors' experience with the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), a problematic third-party certification scheme, as a potential reason for hesitancy. He added: "[We don't] know exactly what is required of technology vendors."
Another tech industry adviser said the new SBOM regime should come with clear guidance on how each federal agency will incorporate the data obtained through the program. "I need to know what, why, how and where," he said. "We definitely need to learn lessons from CMMC."
Industry concerns about the quality and use of SBOM technology are well founded. The quality of SBOMs produced today is middling, and tooling for producing SBOMs is well ahead of tooling for consuming them.
SBOM production and consumption tools are riddled with problems, according to data collected by security firm Chainguard. In a survey of over 50 SBOMs from open source projects, nearly four-fifths lacked package license information, two-fifths lacked package version information, and none complied with the "minimum elements" stipulated by the National Telecommunications and Information Administration.
"If you look at the SBOMs people are shipping today, they are full of bugs, inconsistencies, and missing data," said Dan Lorenc, CEO of Chainguard.
Addressing these issues requires building better tooling, and engineers working on SBOM solutions say governments play a key role in driving adoption.
"The role of government here is challenging," argues Lorenc. Governments are trying to solve "ecosystem problems," but "to start that action, they need someone to start it," he says.
According to Friedman, improving the quality of SBOMs will be a major focus for CISA in the near term. One of his priorities is developing a common namespace for software, so that the same component is identified the same way across SBOMs and vulnerability databases. "It's a very mundane, technical part, but it's a fundamental aspect," Friedman said.
Proponents of SBOMs are encouraged to see adoption of the technology increasing. New York-Presbyterian Hospital has begun using SBOMs, and a provision in the omnibus appropriations bill would allow the Food and Drug Administration to require SBOMs when authorizing internet-connected medical devices. Major technology companies are investing in building these tools, even though industry groups opposed the recent NDAA SBOM requirement.
"We've come a long way since we started banging our heads against this wall 10 or 11 years ago," said Kate Stewart, a computer scientist at the Linux Foundation, which helped develop some of the standards underlying how SBOMs are exchanged. "The industry is finally moving there."
Friedman expects the focus to shift to improving SBOM consumption as more SBOMs are produced. Ideally, SBOMs should integrate with existing vulnerability management systems so that defenders can find and remediate vulnerable components more easily.
“If you can consume high-quality SBOMs across the ecosystem and have the data to match them to vulnerabilities, magic happens,” said Stewart.
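The two consumption problems the article raises, checking an SBOM against the NTIA minimum elements and matching its components to vulnerabilities through their dependency chain, can be shown in a few dozen lines. The following is an added example written for this page, not code from FedScoop, CISA, Chainguard or the Linux Foundation. The SBOM is a constructed sample loosely modelled on CycloneDX JSON, the advisory feed is a constructed structure (only the log4j-core entry mirrors a real advisory, CVE-2021-44228, fixed in 2.15.0), and the version comparison is deliberately naive.

```python
"""Added example: check a constructed CycloneDX-style SBOM against the NTIA minimum
elements and match its components to a constructed advisory feed."""
import json
import re

# Constructed sample SBOM (not a real project's). "commons-text" is deliberately
# incomplete (no version, no supplier, no purl) so that the quality checks fire.
ROOT = "pkg:maven/example/ledger-service@3.2.0"
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2022-12-20T10:00:00Z",
                 "authors": [{"name": "build-pipeline"}],
                 "component": {"name": "ledger-service", "version": "3.2.0", "bom-ref": ROOT}},
    "components": [
        {"bom-ref": LOG4J, "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache"}, "purl": LOG4J},
        {"bom-ref": JACKSON, "name": "jackson-databind", "version": "2.13.4",
         "supplier": {"name": "FasterXML"}, "purl": JACKSON},
        {"bom-ref": "commons-text", "name": "commons-text"},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [JACKSON, "commons-text"]},
        {"ref": JACKSON, "dependsOn": [LOG4J]},
    ],
})

# Constructed advisory feed; the feed format is an assumption of this example.
# The single entry mirrors CVE-2021-44228 (Log4Shell), fixed in log4j-core 2.15.0.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed": "2.15.0"},
]


def load_sample():
    """Parse the constructed SBOM text into a dict."""
    return json.loads(SAMPLE_SBOM)


def check_minimum_elements(sbom):
    """Report NTIA minimum-element fields that are missing: SBOM author and timestamp,
    then per component supplier, name, version, unique identifier and dependency
    relationship. Returns a list of findings; empty means all fields are present."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("sbom: missing timestamp")
    if not meta.get("authors"):
        findings.append("sbom: missing author of SBOM data")
    graph_refs = set()
    for d in sbom.get("dependencies", []):
        graph_refs.add(d["ref"])
        graph_refs.update(d.get("dependsOn", []))
    for c in sbom.get("components", []):
        name = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append("component: missing name")
        if not c.get("version"):
            findings.append(f"{name}: missing version")
        if not c.get("supplier", {}).get("name"):
            findings.append(f"{name}: missing supplier name")
        if not c.get("purl"):
            findings.append(f"{name}: missing unique identifier (purl)")
        if c.get("bom-ref") not in graph_refs:
            findings.append(f"{name}: no dependency relationship recorded")
    return findings


def parse_version(v):
    """Naive numeric version tuple: "2.14.1" -> (2, 14, 1). Real ecosystems (Maven
    qualifiers, semver pre-releases) need their own comparator; enough for the sample."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def dependency_paths(sbom, target):
    """All paths from the SBOM's root component to `target` through the dependency graph,
    i.e. the chain by which a vulnerable library reaches the shipped product."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against cyclic dependency data
                walk(child, path + [child])

    walk(root, [root])
    return paths


def find_vulnerable(sbom, advisories):
    """Match components to advisories by purl base (the shared namespace Friedman
    describes). Components without a purl or version cannot be matched at all and are
    returned separately; that is the consumption gap low-quality SBOMs create."""
    matches, unmatchable = [], []
    for c in sbom.get("components", []):
        purl, version = c.get("purl"), c.get("version")
        if not purl or not version:
            unmatchable.append(c.get("name") or "<unnamed>")
            continue
        base = purl.split("@", 1)[0]
        for adv in advisories:
            if base == adv["purl_base"] and parse_version(version) < parse_version(adv["fixed"]):
                matches.append({"id": adv["id"], "ref": c["bom-ref"],
                                "paths": dependency_paths(sbom, c["bom-ref"])})
    return matches, unmatchable


if __name__ == "__main__":
    sbom = load_sample()
    for finding in check_minimum_elements(sbom):
        print("quality:", finding)
    hits, skipped = find_vulnerable(sbom, ADVISORIES)
    for hit in hits:
        print(hit["id"], "reached via", " -> ".join(hit["paths"][0]))
    print("unmatchable (no identifier or version):", skipped)
```

Run against the sample, the quality pass flags only commons-text (no version, supplier or purl), the advisory match flags log4j-core 2.14.1 and shows that it enters the product transitively through jackson-databind, and commons-text is reported as unmatchable because nothing identifies it, which is exactly why the missing-version and missing-identifier problems in the Chainguard survey matter to consumers.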