Large-scale vulnerabilities discovered in Log4j, SolarWinds and more have prompted federal cybersecurity leaders to “know what’s under the hood” of their applications, leveraging software bills of materials (SBOMs) to drive resiliency and security management.
“Log4j has really taught us that it's not just enough to say, ‘well, my asset management knows this...’ We need to know what's under the hood,” CISA Senior Advisor and Strategist Allan Friedman said at the Billington Cybersecurity Summit in Washington, D.C., Thursday. “SBOMs are saying ‘this software depends on this software, depends on this software.’ It's a nice little tree. It's a list of ingredients.”
SBOMs enable organizations to respond quickly, efficiently and cost-effectively, driving cyber resiliency. DISA’s Hosting and Compute Center (HaCC) technical director Korie Seville said his agency is looking at cybersecurity in two parts: vulnerability patching and remediation.
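The "tree" and "list of ingredients" Friedman describes is exactly what an SBOM lets a defender query when the next Log4j-style disclosure lands: is the affected library anywhere under the hood of this application, and through which dependencies did it get there? The following is an added example, not code from the article or from CISA or DISA. It assumes the SBOM is in CycloneDX JSON layout (a real format; the `components` and `dependencies` sections are as the specification defines them), and the document itself, including every component name, version and `bom-ref`, is constructed for illustration.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout. Every component, version
# and bom-ref here is invented for the example; only the field layout is real.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                             "name": "payroll-portal", "version": "3.1.0"}},
  "components": [
    {"bom-ref": "web-fw",     "type": "library", "name": "web-framework",  "version": "5.2.0"},
    {"bom-ref": "report-lib", "type": "library", "name": "report-engine",  "version": "1.8.4"},
    {"bom-ref": "log-facade", "type": "library", "name": "logging-facade", "version": "1.7.30"},
    {"bom-ref": "log4j",      "type": "library", "name": "log4j-core",     "version": "2.0.0-constructed"},
    {"bom-ref": "json-lib",   "type": "library", "name": "json-parser",    "version": "2.11.0"}
  ],
  "dependencies": [
    {"ref": "app",        "dependsOn": ["web-fw", "report-lib"]},
    {"ref": "web-fw",     "dependsOn": ["log-facade", "json-lib"]},
    {"ref": "report-lib", "dependsOn": ["log4j"]},
    {"ref": "log-facade", "dependsOn": ["log4j"]},
    {"ref": "log4j",      "dependsOn": []},
    {"ref": "json-lib",   "dependsOn": []}
  ]
}
""")


def build_graph(sbom):
    """Return (bom-ref -> 'name@version', bom-ref -> list of child refs)."""
    names = {}
    root = sbom.get("metadata", {}).get("component")
    if root:
        names[root["bom-ref"]] = f'{root["name"]}@{root.get("version", "?")}'
    for comp in sbom.get("components", []):
        names[comp["bom-ref"]] = f'{comp["name"]}@{comp.get("version", "?")}'
    edges = {d["ref"]: list(d.get("dependsOn", []))
             for d in sbom.get("dependencies", [])}
    return names, edges


def inventory(sbom):
    """The flat 'list of ingredients' view: every name@version in the SBOM."""
    names, _ = build_graph(sbom)
    return sorted(names.values())


def find_paths(sbom, root_ref, target_name):
    """Every dependency path from root_ref down to a component named target_name.

    Returns a list of paths, each a list of 'name@version' strings, so an
    analyst sees not only that the library is present but which direct
    dependencies pulled it in (the ones that would need an update)."""
    names, edges = build_graph(sbom)
    paths = []

    def walk(ref, path, seen):
        if ref in seen:          # guard against cycles in malformed SBOMs
            return
        path = path + [names.get(ref, ref)]
        if names.get(ref, "").rsplit("@", 1)[0] == target_name:
            paths.append(path)
        for child in edges.get(ref, []):
            walk(child, path, seen | {ref})

    walk(root_ref, [], frozenset())
    return paths


if __name__ == "__main__":
    print("ingredients:", ", ".join(inventory(SAMPLE_SBOM)))
    for p in find_paths(SAMPLE_SBOM, "app", "log4j-core"):
        print(" -> ".join(p))
```

Run against the constructed document, the search reports two separate routes by which `log4j-core` reaches the application (one through the reporting library, one through the logging facade behind the web framework). That is the practical difference between asset management, which would list only `payroll-portal`, and an SBOM, which tells the responder both that the library is present and which dependencies have to be updated to remove it.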
“It's transforming the way you look at security and transforming the way you look at vulnerability management,” Seville said. “There's vulnerability patching, and how do we deal with that? Do we move more toward environment-as-code ... [so] we can make these changes on the fly to secure our environment? That’s only one piece. The other piece is if someone’s in your environment, how do you respond? A lot of that is moving toward better security practices along with a zero trust model.”
DISA is focusing on DevSecOps to better secure its software and perform static analysis. Seville noted that historically DISA has been caught in a “reactive mode” or responsive vulnerability assessment after a breach or attack happens. The agency is pivoting to partnering with industry throughout the acquisition and procurement process to better understand the components and security within applications.
“Having that open line of communication between us helps us to mitigate problems faster, instead of waiting for a vulnerability notification to come out or waiting for a vulnerability scanner to pick it up,” Seville said.
President Biden’s executive order on Improving the Nation's Cybersecurity requires agencies to move toward a high-security model, referencing static analysis tools, multi-factor authentication and SBOM adoption. Friedman explained that these measures will promote transparency and better define responsibility.
“Everything that we know that we need to do to detect and prevent those attacks starts with that level of transparency,” Friedman said.
Seville said that cybersecurity is on a sliding scale of responsibility between the agency and the vendor. Depending on the type of product, there should be a shared responsibility for risk between the provider and consumer. As government moves toward shared services, like commercial cloud platform providers, industry and government should work together to address and mitigate vulnerabilities.
“That true partnership is really going to be the key to securing those things,” Seville said.
“We've got a good group of individuals growing together here, and I think that puts us on even better footing as we face down things like SolarWinds, Log4j and other threats that have come our way,” DOD CIO John Sherman said. “Looking at things like SBOMs ... and other measures we need to take. It is a group responsibility.”