SBOMs Key for ‘Confidence’, ‘Transparency’ into Critical Software

With growing cyberattacks and last week’s global Russian cyberattack that exploited vulnerabilities in MOVEit software applications, federal agencies are turning to new legislation and growing prioritization of software bills of materials (SBOMs) to protect their networks.

Lawmakers introduced the Cybersecurity Awareness Act to better equip the targets of ransomware attacks across the country with greater access to cybersecurity training, education and resources. The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) to launch a new public-private campaign to promote cybersecurity best practices and expand outreach to communities on how to protect themselves against cyberattacks.

“Defending against persistent and evolving cybersecurity threats will take an all-hands-on-deck effort,” said Sen. Gary Peters, chairman of the Homeland Security and Governmental Affairs Committee, in a statement.

SBOMs are touted for enabling agencies and organizations to better understand potential vulnerabilities and improve security. Last month, CISA released its draft self-attestation form for vendors to create a baseline for federal software security, tying into the White House’s memo on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.

The form’s requirements are based on NIST’s Secure Software Development Framework, including building software in a secure environment, maintaining control of source code and leveraging multi-factor authentication and automated testing tools. The agency is accepting feedback on the form through June 26.

“One of my favorite academic articles put it from ‘off the wall’ to ‘on the wall,’ where instead of being an esoteric topic talked about in some distant corners of the technology landscape, it is now something that is widely understood to be foundational to our shared security, … but we need to keep the gas pedal down,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein during the agency’s SBOM-a-Rama event June 14.

SBOMs in Health Care

SBOMs are getting a lot of attention from the health care community due to the importance of software transparency and the pervasiveness of software in the entire medical ecosystem. Experts during the SBOM-a-Rama event said this isn’t just a technical issue, but also a matter of national security and patient safety.

“SBOM is a critical pillar, a foundation of a world that is safe and secure by design. There is no world in which a technology product can be considered safe, secure and trusted, unless there is visibility and transparency,” Goldstein said.

The Health Care SBOM Proof of Concept (POC), created in 2018, focuses on SBOMs from manufacturers, particularly how to ingest SBOMs and use them for certain use cases like vulnerability management and procurement.

As part of the first SBOM POC phase, a group of industry leaders wrote a guide on how to read an SBOM. They pulled data to combine with software components and talked about how the experience was doable. They also recognized all the limitations of naming and dependencies.

Leaders said SBOMs as living things need to be incorporated into security tooling. Then the second phase would be focused on including third parties, expanding the formats and being more sophisticated in how they were thinking of SBOMs and how to operationalize them inside hospitals.

The third phase features the Daggerboard, which involves creating user-friendly dashboards in order for organizations to look at the results of an SBOM linking it to relevant data to determine the quality of a product.

Officials are also looking into Vulnerability Exploitability eXchange (VEX), a security advisory that allows both suppliers and users to focus on vulnerabilities with the most immediate risk. They want to add VEX support to Daggerboard and use that to give feedback to manufacturers to figure out how SBOMs and VEX could practically be used within hospitals.

Integrating SBOMs and Innovation

Agencies are continuing to prioritize cloud-based solutions and technologies, making SBOMs evermore critical. In addition, the complexities of software-as-a-service (SaaS) solutions have pushed leaders to understand a broad array of software delivery methods.

“The key is that we have three models: SaaS hosted in the cloud, SaaS hosted in private environments for clients, and SaaS hosted for traditional environments like self-hosted for some cases,” said Ricardo Reyes, senior solutions architect at Tidelift. “SaaS providers must issue an SBOM to B2B customers because they need to understand the risks in the software supply chain that are part of the third-party services that they’re using.”

With this comes challenges, and leaders are working to define the pain points surrounding SBOMs. For example, there are a variety of tools and methods used to create SBOMs, which can produce different types of content.

“We cannot live in a world where we don’t have trust and confidence in the software that is running every single one of the functions upon which we, our families, our communities, our countries rely on every single day. Our hospitals, our financial system, their energy grid and government, all of it runs on software,” Goldstein said. “If we don’t have confidence and transparency into that software, then we can’t have confidence and trust in the critical functions upon which we all depend.”