The Definitive Guide to Software Bill-of-Materials (SBOM)


In 2020, the SolarWinds supply chain attack penetrated deep into the Federal government’s infrastructure and into some of the largest and most tech-savvy organizations. The compromise gave attackers unprecedented access to some of the best-protected data in the world. It highlighted that no matter how big or well funded an organization is, cyber-attacks can still hit them.

Organizations rely on digitally connected systems to run their operations and have little visibility into the risk outside of what the provider openly discloses. To fully understand the risk of their software, companies need visibility into its composition. The software bill of materials (SBOM) can provide this transparency and empower customers to control their software security.

What is an SBOM

The attacks called into question exactly how much is known about the “trusted” software that is utilized every day and makes up the foundation of business processes. In response to this, President Biden issued an executive order (EO 14028) on improving the nation’s security. It called for organizations and federal agencies to work together to improve cybersecurity.

Part of this action was a recommendation for software developers to provide an SBOM to their customers. This bill of materials includes information about libraries, add-ons, and custom source code utilized by an application.

SBOMs were initially proposed in 2018 by the U.S. Food and Drug Administration (FDA) as a part of the Premarket Submissions for Management of Cybersecurity in Medical Devices, where they were called a cybersecurity bill of materials (CBOM), emphasizing their importance for product security.

It was created to provide the same level of accountability in medical devices as is required of food items. The goal was to create a listing of all software and hardware components that made up a device. It allows organizations to effectively manage their assets and fully understand the risks of utilized software.

SBOM Risks

Before considering the benefits of SBOMs it’s important to also consider the risks that might be associated with it.

The SBOM contains detailed information about the makeup of software or firmware in the product or device. This is valuable information for software consumers and attackers alike.

Organizations that take advantage of the SBOM to quickly identify and remediate vulnerabilities are using the same information that attackers may have at their disposal to protect themselves.

This takes an arrow out of the attacker's quiver and gives the consumer an advantage that greatly outweighs the risk.

Why do we need an SBOM?

SolarWinds was unknowingly shipping product updates containing malicious code inserted by attackers. This code created a backdoor for cybercriminals to enter customers’ systems. As SolarWinds is a trusted provider, many companies and Federal agencies installed the patches automatically without conducting any in-depth checks.

Supply chain attacks like this one may happen because software is made of more than just the code created by a developer. It includes a complex combination of third-party libraries, both open-source and commercial. However, for customers the source and library information is a black box into which they have no visibility and which can contain insecure or outdated components.

If customers had more visibility into the SolarWinds patches, someone would have likely identified the attack much faster.

Use Cases for SBOM

Even though they are not mandatory for all software, SBOMs are a best practice that software and digital product manufacturers should follow. There are several use cases where an SBOM provides value.

  • Complying with Federal Requirements – After President Biden’s executive order, those providing software to the federal government need to provide SBOMs that detail the components utilized and the changes made between versions.
  • Reducing Risk for Software Consumers – SBOMs provide visibility into software composition, allowing organizations to verify that the software meets their compliance standards and security requirements and to assess risk. This is especially important for highly regulated industries such as healthcare, critical infrastructure providers/utilities, automotive, and finance.
  • Efficiently Managing Production Risk – Device manufacturers have high standards to maintain for their products and in many cases have limited capability to make changes post production. SBOMs allow them to track changes in upstream software to identify and remediate new vulnerabilities early in production when it is easier and less costly to remediate.
  • Supporting Mergers and Acquisitions – When acquiring a new company, businesses need to complete due diligence in investigating their investment before acquisition. Part of this process involves thoroughly assessing the risk of the purchase. SBOMs provide visibility into the software run by the company, enabling a more accurate assessment.

Benefits of SBOMs

SBOMs are an important element of product security, allowing organizations to vet the security status of their software and proactively find and eliminate vulnerabilities at all stages of the product lifecycle.

This also allows organizations to minimize supply chain risks. It is crucial to note that the SBOM does not prevent vulnerabilities, but instead is a facilitator in the vulnerability management process. It can be used to help identify the impact of changes that can lead to earlier identification and removal of potential issues.

The benefits of an SBOM extend beyond security and enable lower costs. Rather than having developers manually parse code to locate vulnerabilities, it centralizes this information and provides transparency into underlying libraries. This streamlines the identification process and reduces time and cost.

By amalgamating the underlying information in one location, it also helps to streamline license conflict mitigation. Sometimes libraries contain components with unfavorable licenses such as “copyleft” that could force products that use them to also be placed in the public domain. By deriving this data from an SBOM, companies can proactively identify challenges like this and remove them from their product before going to production.

Working With SBOMs

Utilizing SBOMs in your organization goes a long way toward providing visibility. Unfortunately, the implementation of SBOMs is not one-size-fits-all. Integrating SBOMs into your workflow requires creating a customized process to fit your business needs. It needs to accommodate different formats and provide consistent updates to avoid missing changes that might contain future vulnerabilities (keeping a “living SBOM”).

The Department of Commerce and the National Telecommunications and Information Administration (NTIA) published the Minimum Elements for a Software Bill of Materials, which is quickly becoming a de facto standard for SBOMs.

Multiple Formats

Unfortunately there is no single SBOM format, though three formats have become quite common – CycloneDX, SPDX and SWID tags. Ingesting data from upstream providers creates a challenge for those using SBOMs. It requires a separate process for each format to normalize the data and amalgamate it in one location.

For providers, formatting is essential for delivering consistency. Once a format is chosen, it should be adhered to as updates are a burden to consumers down the road. It may require them to change their ingestion processes to accommodate the updates.
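As an added illustration of the normalization step described above (this is example code, not the page's or any vendor's tooling), the following reads a minimal CycloneDX JSON document and a minimal SPDX JSON document and merges their components into one inventory keyed by Package URL; both documents are constructed here, and the fallback key used when a component has no purl is an assumption of this example.

```python
import json

# Constructed minimal SBOM documents (not real vendor output) covering the two
# JSON formats named in the text; SWID tags are XML and are omitted here.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.example", "name": "parser-lib",
         "version": "1.2.3", "purl": "pkg:maven/org.example/parser-lib@1.2.3"},
        {"type": "library", "name": "left-trim", "version": "0.9.0",
         "purl": "pkg:npm/left-trim@0.9.0"},
    ],
})
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "parser-lib", "versionInfo": "1.2.3", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:maven/org.example/parser-lib@1.2.3"}]},
        {"name": "tls-shim", "versionInfo": "4.0.1", "externalRefs": []},
    ],
})

def fallback_key(group, name, version):
    # Assumed convention for components that carry no purl: "<group>/<name>@<version>".
    return f"{group}/{name}@{version}"

def normalize(doc_text):
    """Return {key: {"name", "version", "source"}} for a CycloneDX or SPDX JSON
    document. Unrecognized formats raise so they are never silently dropped."""
    doc = json.loads(doc_text)
    records = {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            key = c.get("purl") or fallback_key(c.get("group", ""), c["name"], c.get("version", ""))
            records[key] = {"name": c["name"], "version": c.get("version", ""), "source": "cyclonedx"}
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purls = [r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"]
            key = purls[0] if purls else fallback_key("", p["name"], p.get("versionInfo", ""))
            records[key] = {"name": p["name"], "version": p.get("versionInfo", ""), "source": "spdx"}
    else:
        raise ValueError("unrecognized SBOM format")
    return records

def merge_inventory(*docs):
    """Amalgamate several SBOMs into one inventory; a component present in more
    than one document keeps the list of formats it was seen in."""
    inventory = {}
    for doc_text in docs:
        for key, rec in normalize(doc_text).items():
            entry = inventory.setdefault(key, {"name": rec["name"], "version": rec["version"], "sources": []})
            entry["sources"].append(rec["source"])
    return inventory
```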

Automation is Key

SBOMs are designed to be read by machines and formatted accordingly. Manually managing data is complicated and time-consuming. For those ingesting or creating SBOMs, automation is crucial for efficiently managing the process. It provides the consistency to ensure that all new changes are incorporated as they are released. This applies both to information released by providers as well as when developers create software updates.

Automation is also essential for managing the abundance of data that comes from SBOMs. Even though organizations may have the information needed to identify vulnerabilities in their products, locating that information manually and in a timely fashion is not realistic. Instead, organizations need automated SBOM management software to periodically check for newly published vulnerabilities on the components they use and generate alerts when found. This allows organizations to identify vulnerabilities and mitigate them quickly.

Building Beyond SBOM

An SBOM is an important component in understanding the makeup of a product, but it is only a starting point. Technologies such as context based analysis and VEX allow for a deeper understanding of risk by determining whether a vulnerability is exploitable. Improved understanding of exploitability enables organizations to better prioritize how they will approach dealing with vulnerabilities.

Context Based Analysis

Context-based analysis is a system for identifying and prioritizing vulnerabilities in digital systems. It further reduces supply chain risk by incorporating the underlying hardware architecture, OS configuration, encryption mechanisms, keys, hardening mechanisms, complete control flow, and API calls. This context of how the product is deployed and operated goes far beyond the SBOM.

While an SBOM gives the list of ingredients within a device, the context gives it meaning. With this information a more accurate determination of the severity and priority of the risk can be determined. This reduces time wasted on remediating non-issues and allows it to be better focused on issues that are truly a priority.

Vulnerability Exploitability Exchange (VEX)

VEX is a companion artifact to an SBOM. It allows device manufacturers to communicate the exploitability of a vulnerability discovered in one of its software components listed in an SBOM. This saves organizations from the need to work backward to determine if a vulnerability for a product listed in an SBOM affects them.

While VEX may not provide as in-depth an assessment as context-based analysis, it builds upon the SBOM in defending against supply chain attacks. Like context-based analysis, it helps convey information about the true exploitability of vulnerabilities in order to streamline the remediation process.
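The automated check described in the "Automation is Key" section and the VEX overlay described here, combined in one added example (not code from the page or from Cybellum): a normalized inventory is matched against an advisory feed published since the last check, and a supplier's VEX statement in the CycloneDX vulnerabilities/analysis shape suppresses a finding it marks `not_affected`. The inventory, the feed, the advisory ids and the VEX document are all constructed placeholders, and the "versions below `fixed` are affected" rule is an assumption of this example.

```python
from datetime import date

# Constructed normalized inventory (the shape a format-agnostic ingester would
# produce), keyed by purl without the version so advisories can be matched.
INVENTORY = {
    "pkg:maven/org.example/parser-lib": {"version": "1.2.3", "bom_ref": "comp-parser"},
    "pkg:npm/left-trim": {"version": "0.9.0", "bom_ref": "comp-lefttrim"},
    "pkg:npm/tls-shim": {"version": "4.0.1", "bom_ref": "comp-tls"},
}

# Constructed advisory feed with placeholder ids; a real feed would be polled
# on a schedule. Assumed rule: versions below "fixed" are affected.
FEED = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:maven/org.example/parser-lib", "fixed": "1.3.0", "published": "2023-01-10"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:npm/left-trim", "fixed": "1.0.0", "published": "2023-02-01"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:npm/tls-shim", "fixed": "4.0.0", "published": "2022-12-01"},
]

# Constructed VEX document in the CycloneDX vulnerabilities/analysis shape: the
# supplier states that the parser-lib issue is not reachable in this product.
VEX = {"vulnerabilities": [
    {"id": "ADV-EXAMPLE-0001", "affects": [{"ref": "comp-parser"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
]}

def version_tuple(v):
    """Compare dotted numeric versions component-wise ("1.10.0" > "1.9.0")."""
    return tuple(int(p) for p in v.split("."))

def match_feed(inventory, feed, since):
    """Return advisories published on or after `since` that hit an installed version."""
    hits = []
    for adv in feed:
        comp = inventory.get(adv["purl"])
        if comp and date.fromisoformat(adv["published"]) >= since \
                and version_tuple(comp["version"]) < version_tuple(adv["fixed"]):
            hits.append({"id": adv["id"], "purl": adv["purl"],
                         "bom_ref": comp["bom_ref"], "state": "under_investigation"})
    return hits

def apply_vex(hits, vex):
    """Overlay VEX: a not_affected statement for the same id and component
    suppresses that alert; every other hit remains actionable."""
    suppressed = {(v["id"], a["ref"]) for v in vex["vulnerabilities"]
                  for a in v.get("affects", []) if v["analysis"]["state"] == "not_affected"}
    for h in hits:
        if (h["id"], h["bom_ref"]) in suppressed:
            h["state"] = "not_affected"
    return [h for h in hits if h["state"] != "not_affected"]
```

Running `apply_vex(match_feed(INVENTORY, FEED, date(2023, 1, 1)), VEX)` leaves only the left-trim advisory to act on: tls-shim is already at a fixed version and the parser-lib finding is suppressed by the VEX statement.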

How Can Cybellum Help

Cybellum, a leader in context-aware analysis, can help shine a light on your software supply chain to protect your customers and your business. Our product security platform generates SBOMs in multiple formats and exposes vulnerabilities lurking in your products.

Discover how you can see all your software assets, understand each vulnerability’s real impact, and mitigate security risks before they cause any harm. Talk to us today!