The Product Security community has had a rough go of it lately. 

Ransomware attacks,
New regulation,
Greater internal liabilities,

Oh, and no cross-industry processes to better manage the long tail suppliers. 

Remember years ago how the local news team would forecast a sunny day, just for it to rain? But, with the advancements in connecting small stations with major government-operated satellite networks, allowing for more precise data sharing, those same meteorologists are confidently delivering 4-5 day forecasts, no sweat.

SBOMs hold an opportunity to unite the product security community, and create a forecasting system of our own. A common language and quality scoring system will enable us to not only share what is happening in real time and identify patterns– but forecast into the future.

We’re taking data for granted

Executive orders, governmental bodies, and non-governmental alliances are honing in on the world’s cybersecurity posture. Energy, health, water, automotive, and other critical pieces of infrastructure need to be secured now.

It’s up to us product security practitioners to generate and continuously maintain software bills of materials (SBOMs) for every device, every component, and every variation– whether by choice or to meet standards. Many companies today only generate and share SBOMs if they are required by a vendor or government agency. Even then, they may only share the bill at time of delivery and not update it with the ongoing changes that impact the software components of the device. 

This lack of follow-through makes it seem like we don’t think the data we hold is all that important. With many of these devices being mission critical, we’d be foolish not to take every precaution possible. We saw what happens when malware is implemented somewhere in the supply chain and we lose sleep over if that’s happening to our very organization’s as we speak and we just don’t know it.

By demanding SBOMs from vendors and securely sharing our relevant data with customers, we’re strengthening the very communication and best practices that Product Security Practitioners have been shouting out for. 

Make no mistake, this is demand for SBOM automation and standardization presents a huge opportunity for product security practitioners– and we better take it.

Some companies already have this information stored internally. If the knowledge base they are sitting on can be shared, we’ll have a rich pool of data to pull from and begin to piece together what is going on beyond our organization’s viewpoint.

How impactful sharing will look

Sharing platforms already exist, but they fail to address the grand scale of vulnerabilities that we’re experiencing today. Most sharing platforms today surround vulnerabilities but what if we can go beyond individual threats to develop a meta view of vulnerabilities, just as weather forecasters pool information from various sources, not just one data point. 

What if we saw sharing of information and even vulnerabilities as a sign of supplier strength?

This shared data can allow us to implement a quality scoring system so we know the trustworthiness of each vendor, similar to the credit score system used in the United States. Instead of delivery of funds, it will tell OEMs who is a low risk to work with, giving insight to status, posture, and more. Even more important, security practitioners can start to predict what kind of threats may arise in the future.

First off, this is not about right or wrong. Just like the credit score system, vendor quality scores will fluctuate based on many factors, finding buoyancy where their organization best first. Depending on your sector, its regulations, and risk tolerance, you will choose who is the best fit for your organization.  

Quality scoring can be a combo of:

  • Existing vulnerabilities – Know identified vulnerabilities  (open and also historical that were patched already)
  • Patching cadence – How fast from vulnerability detection (reporting)  to release a new fixed version 
  • Usage popularity – How many developers download it or use It  
  • Software dependencies – Code, IT environment, O.S
  • Source reputation – Known vendor or script kiddy
  • Maintainability – Refers to the effort required to modify the software
  • Testability – High code coverage supporting multiple threat scenarios
  • Code efficiency – Refers to performance and resource use behavior
  • Reliability – Maturity, fault tolerance, and recoverability
  • Usability – The effort required to understand, learn, and operate the software system
  • Portability – The effort required to transfer the software to another
  • And others

The Shared Benefits

The mindset shift from data collection to forecasting may seem like a giant leap, but when considering the data we already have, it’s much easier to picture this as reality. 

Faster vendor auditing

Garnering support from executives will be simpler once we are able to put a clear return on investment for these efforts. Things like having a vendor quality score, trustworthiness certificates to show OEMs, and various insights about who you work with will prevent the need for greater resources into the future. 

Better predictability

What if we put a similar formula to an SBOM that we did for CVSS scoring?

  1. We will share data and play with information to discover patterns.
  2. We will be able to identify new vulnerabilities that appear only once two highly secure devices are connected.
  3. Findings will more easily be shared between business units, departments, R&D groups, and other internal stakeholders.
  4. We can better build off of an internal database.

Weathering the storm

For the foreseeable future, connected products will remain a top target for hackers who want to take down infrastructure or put people’s lives at risk for financial gain. By creating a quality and trust system, we will predict what threats may appear, based on which way the wind blows.

For manufacturers who share in this joint SBOM-driven effort, will be able to pain a larger picture, beyond the canvas of their own organization. They’ll know where they stand in the industry and how to improve, more easily pinpoint who to work with, improve collaboration, implement an automated SOAR approach, and can be used for PSIRT efforts, should an incident occur. 

But before all of these dreams can be brought to reality, CISOs and CPSOs require a product security-focused platform to manage and keep track of everything. Being able to connect, share, and utilize this information will allow for the industry to move forward to better security and more of a proactive approach to product security.

 

This article is part of a series by Ronen Lago, Cybellum Advisor. Read Part 1: Making the most of SBOMs: A Product Security Perspective

By RONEN LAGO

Ronen Lago has two decades of experience in developing and deploying advanced intelligence systems and cyber information security products. As the former CTO and Head of R&D in Tier-1 enterprises, Ronen led a range of innovative multidisciplinary global development teams at Daimler AG, Lockheed-Martin, Israeli Air Industry, and Motorola.

As a member of Cybellum's advisory board, Ronen's experience in product security allows for safer products throughout the automotive, medical device, and industrial sectors.