 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Two major events have served to help bring software bill of materials (SBOMs) further to the forefront as a potential way for organizations to begin to secure their supply chains. The Apache Log4j’s Log4Shell disaster — which will likely pose problems for years to come by setting the stage to become one of the most widespread supply chain attacks in history — and the realization how it could have been prevented had a proper SBOM been put in place. In May, President Biden issued Executive Order 14028 in May which mandates that IT providers must provide an SBOM in order to work with the U.S. Federal Government. Consequently, organizations are now increasingly looking to integrate SBOMs into their DevSecOps processes.
At the very least, SBOMs will serve as a principal component in any secure software development framework (SDF) by providing a complete library of all libraries used in any applications, with a complete history of all code sources and timelines. “An SBOM is all about adding transparency to the software deliverables by including the list of software components and dependencies,” Alvaro Iradier Muro, product analyst and software engineer at Sysdig. “Without an SBOM, there is reduced visibility into a software’s dependencies, possible open source or commercial license concerns, known vulnerabilities, or other potentially malicious elements. Organizations and users assume risk when they deliver or use software lacking SBOMs and don’t perform the extra analysis as due diligence.”
But while the adoption of SBOMs is at the very least positive for boosting security, considerable work must be done before they can begin to provide even a dent in preventing supply chain attacks and detecting vulnerabilities. SBOMs thus do seem to offer a solution about what ails supply chain security, and at the very least, should serve as a principle component in any security plan, challenges impeding their adoption remain.
The main thing to consider first before the challenges are described is to detail what an SBOM needs to do. “We usually describe the SBOM in general terms as a list of ingredients — you can consume food without worrying about the composition, but in case of allergies, nutritional concerns, etc., you want to understand what is inside the product,” Muro said. “For a software application, service, package, etc., it is exactly the same. So SBOM is not the entire solution for supply chain security, but it is a critical part of securing the digital supply chain.“
The main things to be on guard for when selecting an SBOM provider that Muro communicated include:
After taking these caveats into consideration, even the best SBOM provider serves little purpose if the organization has not adopted proper DevSecOps processes. “The most common operational element being discussed today is the usage of SBOM to communicate new vulnerabilities within components in the software supply chain for the given application. Such knowledge is obviously valuable, but if your organization doesn’t have a process to consume it, then there is minimal benefit from having an SBOM and associated vulnerability information,” Tim Mackey, principal security strategist at the Mountain View-based Synopsys Cybersecurity Research Center, told the New Stack. “It is this lack of process that is the biggest challenge as while procurement teams can request SBOMs from all their suppliers, if there isn’t a well-defined process to act upon the information in the SBOM, then all that’s happened is you’ve now one more file in a directory. It’s also important to note that SBOMs are only one component of a well-defined software supply chain risk management process, but they aren’t the ‘silver bullet of operations management.’”
SBOMs will certainly not cover all of the ground for organizations to secure their supply chains. In addition to their own best practices that should provide security monitoring and checkers across CI/CD and cover runtime during the post-deployment stage, it is also wise to complement SBOMs with Supply-Chain Levels for Software Artifacts (SLSA is pronounced as “salsa”). SLSA provides a framework and roadmap so that the industry can start adhering to the implementation of SBOMs and other security good practices for securing the software supply chain. “This also includes setting standards or levels for certifications as well as requirements for software providers,” Muro said.
Again, even the implementation of both an SBOM and SLSA, while they target supply chain protection, are but two components for supply chain protection. “You can’t just buy something, plug it in and solve everything,” Dan Lorenc, co-founder and CEO, Chainguard who co-created the SLSA as well as Sigstore security projects, told The New Stack. “When you break the supply chain problem down, SLSA is focused on one area and SBOM another and SLSA is focused on another and there are a couple of dozen problems that you’ve got to solve and SBOM only targets one of them. So, there are a lot of problems there and then there are a lot of problems beyond this problem.” Or even if we do get that solved and there’s perfect despawns and everybody has that we still have to worry about.”
The adoption of SBOMs and SLSA, while not yet mainstream, represents a promising beginning, Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital-risk protection solutions, told The New Stack. “SLSA’s complement SBOMs: whereas the SBOM provides the ingredients, the SLSA details how the ingredients were made in a safe way and SLSAs make SBOMs better. SBOMs coupled with SLSAs could be leveraged as a competitive differentiator by software companies,” Holland said. “Not only do you get updates on the software components used to deliver a product, but you get assurances that the software was produced securely.”
Nor are SBOMs a “panacea but a step in the right direction,” Holland said. “In a world where vendors don’t report or aren’t even aware of all the software used in their solutions, defenders must fall back on detection and response,” Holland said.
