To Secure the Software Supply Chain, Start with a SBOM

Having a SBOM can reduce the “fog of war” and enable businesses to assess risk and impact faster as they will have a reference point. It would also expedite cleanup and make these unfortunate situations much more manageable

By Michael Rogers, Director of Technical Advisory Services, MOXFIVE

A recent report from the Linux Foundation showcases the progress and adoption of software bill of materials (SBOM) tied to cybersecurity efforts. The report follows the U.S. Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity and the White House Open Source Security Summit earlier this year, highlighting the increasing importance of identifying software components and accelerating responses to newly discovered software vulnerabilities. The report found that 78% of organizations expect to produce or consume SBOMs this year, an increase from 66% in 2021.

As supply chain attacks grew by 300 percent in 2021, companies have been forced to come to terms with pervasive software libraries that might contain previously unknown (and easy-to-exploit) vulnerabilities. SolarWinds, Kaseya, and Log4j are just a few examples that provide a rude awakening of the challenges associated with the software supply chain. As organizations continue to scramble to protect themselves from the fallout, government officials are looking for ways to make future vulnerabilities less threatening.

The threat landscape is evolving, and dependence on external software suppliers is increasingly complex. The ultimate challenge is the ubiquity of a software component across cloud services, applications, and infrastructure that can make it incredibly difficult to deploy a patch quickly in the event a vulnerability is identified. Further, many organizations may not even know that their software contains the vulnerable component in the first place – and if they do not know, how can they remedy it? Keeping an accurate record of your tech stack is one step towards addressing concerns around security in the software supply chain.

Rising Adoption of SBOMs

A SBOM is a list that organizations can reference to quickly understand what their exposure is based on the applications they use. The concept has been around for a long time, but has garnered more attention amid the Log4j fallout as government officials and industry executives grapple with the huge number of highly dangerous bugs that may be lurking deep inside software that’s spread throughout the tech ecosystem.

While SBOMs would not have prevented Log4j, they could have made the cleanup far faster. They are particularly well-tailored to solve one of the biggest problems Log4j highlighted — that some bugs affect pieces of open-source software that are not only incredibly common but also frequently buried so deep in companies’ digital systems that their IT and cyber staff do not even know they are there. As shown by the Linux Foundation report, producing SBOMs make it easier for developers to understand dependencies across components in an application, to monitor components for vulnerabilities, and to manage license compliance.

In the wake of last year’s SolarWinds attack, President Biden issued an EO advocating mandatory SBOMs to increase software transparency in an effort to combat supply-chain attacks. These SBOMs are required to include all components, open-source and commercial, in an effort to help everyone in the software supply chain – from those who make, to those who buy and operate software.

Having a SBOM can reduce the “fog of war” and enable businesses to assess risk and impact faster as they will have a reference point. It would also expedite cleanup and make these unfortunate situations much more manageable. The Linux Foundation researchers also emphasized that industry consensus and government policy is helping to drive SBOM adoption and implementation, with 80% of organizations aware of the EO to improve cybersecurity and 76% considering changes as a direct result.

Catalyst for Change

It has become clear that cyber incidents are not only business crises: they can also become powerful catalysts for enhancing fundamental IT capabilities. As a growing universe of products and service providers compete for attention to be included in the plan, a clear starting point may not be evident. The next step as mentioned by CISA with SBOMs would be to enable businesses to automatically assess if they are vulnerable so that they can begin remediation and cut down the exposure time. This of course won’t happen overnight but would be a great goal to strive for.

Today, SBOMs are not optional – they are essential to secure the software supply chain. Organizations that aren’t already using a SBOM should take the lead from these government advisories and determine how a SBOM fits into their cybersecurity strategy, for the benefit of their organization and its customers.

About the Author

Michael is a Director of Technical Advisory Services at MOXFIVE.  Heprovides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Masters Degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, and GOSI certifications. He has a wide range of experience from building and managing global Security Operations Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams. Michael can be reached online at https://www.linkedin.com/in/mjrogers/ and at our company website https://www.moxfive.com/.