- Donald E. Hester
What's in Your Software? The Importance of Supply Chain Transparency and SBOMs
In commercials, you have heard Samuel L. Jackson say, "What's in your wallet?" Can you imagine him saying, "What's in your software?" I think that would be a cybersecurity meme.
Supply chain risks have been growing over the years, and the recent Log4j and SolarWinds vulnerabilities are clear indications of the potential impact of these risks. Log4j, for example, is a common component used in a wide range of software applications, making it difficult for defenders to identify the vulnerable applications. The challenge is even greater for defenders who have no visibility into their software supply chains.
The increasing complexity of modern software systems, combined with the lack of transparency in their supply chains, has led to a rise in cybersecurity risks and costs. These risks can be mitigated through increased transparency, which helps identify vulnerable components, reduce unplanned work, distinguish transparent vendors from opaque ones, standardize formats, and identify suspicious software. Achieving supply chain transparency can increase trust and trustworthiness while lowering costs, because it allows a more thorough understanding of the components that make up a software system and the potential vulnerabilities associated with them. As such, efforts to promote supply chain transparency are becoming increasingly important in the fight against cyber threats. However, we still face the challenge that developers and manufacturers are reluctant to implement the needed level of transparency.
The good news is that there is a solution to this problem. The use of a software bill of materials (SBOM) will help increase visibility into complex software. The SBOM is a critically important artifact that provides a comprehensive list of all the components used in a software product, including open-source components, proprietary code, commercial components, and external services (APIs). SBOMs can be used to describe the contents of a software product distribution, firmware, and other forms of software distribution used in both IT and OT ecosystems. By providing a standardized format for identifying all software components and their versions, an SBOM enables defenders to proactively identify and remediate software vulnerabilities as they are disclosed.
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management.
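To make the "what's in your software" question concrete, here is an added example of how a defender consumes an SBOM; it is not code from the original post, NTIA, or CISA. It loads a small SBOM in CycloneDX JSON layout, reports components that lack the baseline fields an SBOM should carry (supplier, component name, version, and a unique identifier such as a package URL), and matches identified components against an advisory list to find versions in a known-vulnerable range. The SBOM contents, the advisory id `ADVISORY-PLACEHOLDER-1`, and its affected version range are constructed for illustration only and describe no real product or CVE; `log4j-core` appears because the post discusses Log4j, but the range shown is not a real advisory's range.

```python
"""Added example: minimal SBOM consumer that (1) checks each component for the
baseline fields an SBOM should carry and (2) matches components against an
advisory list to find known-vulnerable versions. The SBOM, advisory id and
version range below are constructed for illustration and describe no real
product or CVE."""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (field names follow the CycloneDX JSON
# layout; the product and component set are made up for this example).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-01-15T12:00:00Z",
        "authors": [{"name": "example-sbom-generator (hypothetical)"}],
    },
    "components": [
        {
            "type": "library",
            "group": "org.apache.logging.log4j",
            "name": "log4j-core",
            "version": "2.14.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
            "supplier": {"name": "Apache Software Foundation"},
        },
        {
            "type": "library",
            "group": "com.example",
            "name": "http-utils",
            "version": "3.2.0",
            "purl": "pkg:maven/com.example/http-utils@3.2.0",
            "supplier": {"name": "Example Corp (hypothetical)"},
        },
        {
            # Deliberately incomplete entry: no supplier and no unique identifier.
            "type": "library",
            "name": "internal-auth",
            "version": "1.0.0",
        },
    ],
})

# Constructed advisory feed. The id is a placeholder and the affected range
# [introduced, fixed) is illustrative, not a real CVE's range.
ADVISORIES = [
    {
        "id": "ADVISORY-PLACEHOLDER-1",
        "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
        "introduced": "2.0",
        "fixed": "2.15.0",
    },
]

# Baseline fields a consumer needs before an SBOM entry is actionable.
BASELINE_FIELDS = ("supplier", "name", "version", "purl")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Non-numeric suffixes such as '-beta9'
    are dropped here; real tooling applies ecosystem-specific version rules."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def baseline_gaps(sbom_json: str) -> Dict[str, List[str]]:
    """Map component name -> baseline fields that are missing or empty."""
    gaps = {}
    for comp in json.loads(sbom_json).get("components", []):
        missing = [f for f in BASELINE_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def find_vulnerable(sbom_json: str, advisories) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) pairs for components whose version falls in
    an advisory's affected range. Components without a purl cannot be matched
    and are surfaced by baseline_gaps() instead."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        name_part, _, version = purl.partition("@")
        for adv in advisories:
            if name_part != adv["purl_prefix"]:
                continue
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    print("baseline gaps:", baseline_gaps(SAMPLE_SBOM))
    print("vulnerable:", find_vulnerable(SAMPLE_SBOM, ADVISORIES))
```

The two checks are deliberately separate: the component without a supplier or package URL is exactly the kind of entry that makes an SBOM unusable for vulnerability matching, which is why a baseline for required fields matters as much as the list of components itself. In practice the advisory feed would be a real vulnerability database and version comparison would follow each ecosystem's rules rather than the simplified numeric tuple used here.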
The National Telecommunications and Information Administration (NTIA) has recognized the importance of SBOMs in reducing cybersecurity risks and increasing transparency in software supply chains. To address the issue, the NTIA has taken the lead in convening a multistakeholder process and the Framing working group. The initiative focuses on establishing a minimum expectation for creating a baseline SBOM that outlines the necessary information and process to support basic and essential features. The goal is to define the format and information needed in SBOMs to facilitate standardization, improve the efficiency of the process, and increase the accuracy and completeness of the information provided. By creating a baseline for SBOMs, the initiative will help software consumers make informed decisions about their purchases, and software vendors can more easily create and maintain SBOMs for their products. This initiative will help reduce cybersecurity risks and increase transparency in software supply chains, making it a crucial step toward securing our digital infrastructure.
As supply chain risks continue to grow, it is essential for organizations to start asking vendors and resellers for SBOMs. Even though most vendors might not have them yet, more and more customers are expected to ask for them, and vendors will respond to this demand. Furthermore, regulations are likely to come, and critical infrastructure and Federal government agencies will require SBOMs as part of their procurement process. All organizations will eventually benefit from the Feds forcing developers to create SBOMs, allowing private sector organizations to use SBOMs to proactively identify vulnerabilities so that they can be addressed before they are exploited. By adopting this approach, organizations can increase their transparency and reduce their cybersecurity risks and costs, ultimately leading to more trust and trustworthiness.
Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) https://ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf
CISA Software Bill of Materials (SBOM) https://www.cisa.gov/sbom
CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain https://www.cisa.gov/news-events/alerts/2022/11/17/cisa-nsa-and-odni-release-guidance-customers-securing-software-supply