“What do you mean you don’t know what’s in your software?”
— Allan Friedman, senior advisor and strategist at CISA.
SAN FRANCISCO, June 2022 – Of all the supply-chain related topics covered at the RSA Security Conference this year, the Software Bill of Materials was quite popular, particularly as it pertains to protecting the software supply chain.
For example, during the conference’s four-day run, Allan Friedman, PhD, was all over the conference, speaking and attending events focused on SBOM. As senior advisor and strategist for the Cybersecurity and Infrastructure Security Agency (CISA), Friedman is often referred to as the father of the SBOM.
On Tuesday morning of the show, he introduced an expert panel of critical infrastructure partners from the Department of Energy, Schneider Electric, and the Idaho National Laboratory to talk about securing code for the critical infrastructure. But first, he opened with an update on data formats for displaying SBOM output into machine-readable formats, along with advancements in automation and integration.
SBOM’s Maturing
A key takeaway from the panel is that SBOMs are maturing. Panelists explained how the energy sector is trying to derive specific value from SBOMs to identify weaknesses and protect the infrastructure. Virginia Wright, energy portfolio manager at Idaho National Labs, put it this way: “We realized we needed to know the ingredients in our software, and so now we’re consuming the data to get the greatest benefit.”
The onus, they all agreed, is on the software vendors, who usually don’t know what’s in their own software, particularly the open-source components within the software. And with those components coming increasingly under attack (along with the public and private libraries housing those components), full transparency into the origins of these programs and their known vulnerabilities is key, they say.
Pro Tip: Check out this Google blog on integrating SBOM output with vulnerability management data for more visibility into where to make repairs.
Specific to the energy sector, software vendors need to understand the difficulties in patching and updates to their software and firmware, which usually has an average lifecycle of decades, said Cassey Crossley, VP and deputy product security officer at Schneider.
In terms of lessons learned and the future applications for SBOMs, panelists discussed the need to better integrate SBOM’s into OT asset and change management systems, which at least one vendor interviewed at RSAC understands. Casey Ellis, Founder and CTO of Bugcrowd said his company has prioritized features to reduce loads on DevSecOps when bugs are found, empower developers, and engage security operations with development.
Software, Firmware, Hardware and Beyond
During the Tuesday energy panel with Allan Freedman, the experts on the panel also envisioned SBOMs extending beyond commercial applications to include open-source components. They think SBOMs should also be used by integrators who develop API’s. Beyond software and firmware, these experts also agree that SBOMs should extend to hardware, which would provide a complete, integrated picture of the technology stack.
As SBOMs become more mainstream in commercial, third-party applications, they also need to overcome negative perceptions that SBOMs are deconstructing the secret ingredients to a software program and allow competitors to copy valuable intellectual property. But Wright likened this argument to worries by food producers that they were giving away their recipes when consumer protection rules mandated that they list their ingredients on the label. It’s a basic safety issue, she says, and it’s just an ingredient list, not the recipe on how to combine them. Same with code, SBOMs will not include where and how the code was assembled, just what’s in it.
In another session on building systems of trust, Bob Martin, senior software and supply chain assurance principal engineer at MITRE, talked about reusing collected SBOM information for risk modelling, which MITRE intends to automate and integrate in the Fall.
While SBOMs were high on the list of topics at RSA this year, zero trust was the most popular topic covered in sessions and at vendor booths. But even then, SBOMs came up in discussions, because SBOMs speak to the very core of Zero Trust, which is protecting the code base running the critical infrastructure.
Pro Tip: For more on SBOMs in use, read GrammaTech’s informative blog on SBOMs used across the entire software stack.
