Software bills of materials (SBOM) could help improve cybersecurity

There have been some widely publicized hacks in recent months, including the SolarWinds hack and the Colonial Pipeline cyber attack. Those two were particularly costly and disruptive, and the US government issued an executive order that lists some of the requirements to strengthen cybersecurity.

Since there are many attack vectors, the list of requirements is fairly long, but one that caught my eye in the “Enhancing Software Supply Chain Security” section reads as follows:

(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;

Bills of materials (BoM) are commonly used for hardware design, but the idea behind a software bill of materials is to make sure outdated software libraries with known vulnerabilities are not included in a specific program.

[Image: Software bill of materials. Image source: NTIA]

The 2021 Open Source Security and Risk Analysis (OSSRA) report exposes vulnerabilities and license conflicts found in more than 1,500 codebases across 17 industries, so beyond the security aspect, a software bill of materials may also help to identify non-compliance with open-source licenses.

As noted in an EETimes article that brought the topic to our attention, SBOMs are not a perfect solution: software may have a huge list of components, and any change made by the software company would have to be documented. Compile flags and the specific hardware used make the task even more complex. For example, a kernel may be vulnerable to the Spectre and Meltdown vulnerabilities, but some hardware platforms are immune (e.g. the Cortex-A53 processor), so this would have to be taken into account.

Ron Brash, director of cybersecurity insights for Verve Industrial Protection, also told EE Times that you can't just provide a list of libraries and other software components; instead, vulnerabilities must be clearly identified to help users, developers, and asset owners.

I need to have a dashboard view that seamlessly shows me what the risks are, not just a list of software components. The latter wouldn’t help me as an asset owner, and probably doesn’t help the vendors, either.

So there should be some agreement on an SBOM standard, and the National Telecommunications and Information Administration (NTIA) has a dedicated page providing guidelines for software bills of materials. Separately, as noted by EETimes, the National Institute of Standards and Technology (NIST) is preparing guidelines with input from academia, government agencies, and the private sector that will include standards, tools, and best practices, and the draft is scheduled for release by November 8, 2021. If this eventually turns into law, a software bill of materials may be required for programs, apps, and even devices’ firmware in the future.
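To make the three points above concrete (an SBOM is a component inventory, a bare inventory is not a risk view, and hardware platform matters when deciding whether a known issue applies), here is an added example that is not code from the article, from NTIA or NIST, or from any vendor quoted above. It parses a small subset of the CycloneDX JSON layout (components, bom-ref, dependencies), matches each component against a constructed advisory list, flags issues that do not apply on the target hardware, and summarises the result by severity. The SBOM contents, advisory ids, version numbers and the immune-platform rule are all constructed for illustration.

```python
"""Added example: check a small CycloneDX-style SBOM against constructed
advisories and produce a risk summary instead of a bare component list.
Not code from the article, NTIA or NIST; all data below is constructed."""
import json
import re

# Constructed SBOM for an imaginary firmware image (subset of CycloneDX JSON).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "gateway-firmware", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:linux-kernel@4.14.2", "name": "linux-kernel", "version": "4.14.2"},
    {"bom-ref": "pkg:zlib@1.2.11", "name": "zlib", "version": "1.2.11"},
    {"bom-ref": "pkg:openssl@1.1.1k", "name": "openssl", "version": "1.1.1k"},
    {"bom-ref": "pkg:busybox@1.33.1", "name": "busybox", "version": "1.33.1"}
  ],
  "dependencies": [
    {"ref": "pkg:openssl@1.1.1k", "dependsOn": ["pkg:zlib@1.2.11"]},
    {"ref": "pkg:busybox@1.33.1", "dependsOn": ["pkg:zlib@1.2.11"]}
  ]
}"""

# Constructed advisories. "fixed_in" is the first version that is not affected.
# "immune_platforms" models the article's Cortex-A53 remark: some hardware is
# simply not exposed to a given issue. Ids, versions and platforms are made up.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "linux-kernel", "fixed_in": "4.15.0",
     "severity": "high", "immune_platforms": {"cortex-a53"}},
    {"id": "EXAMPLE-0002", "component": "openssl", "fixed_in": "1.1.1l",
     "severity": "high", "immune_platforms": set()},
    {"id": "EXAMPLE-0003", "component": "zlib", "fixed_in": "1.2.12",
     "severity": "medium", "immune_platforms": set()},
    {"id": "EXAMPLE-0004", "component": "busybox", "fixed_in": "1.31.0",
     "severity": "low", "immune_platforms": set()},
]


def parse_version(text):
    """'1.1.1k' -> ((1,''),(1,''),(1,'k')): compares numerically, then by suffix."""
    parts = []
    for piece in text.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError(f"unsupported version string: {text!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def is_affected(version, fixed_in):
    """True when `version` is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def dependents_by_ref(sbom):
    """Reverse the dependency graph: bom-ref -> names of components that use it."""
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    reverse = {ref: [] for ref in names}
    for entry in sbom.get("dependencies", []):
        for target in entry.get("dependsOn", []):
            reverse.setdefault(target, []).append(names.get(entry["ref"], entry["ref"]))
    return reverse


def find_findings(sbom, advisories, platform):
    """Match every component against every advisory for the same component."""
    reverse = dependents_by_ref(sbom)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if not is_affected(comp["version"], adv["fixed_in"]):
                continue  # shipped version already carries the fix
            findings.append({
                "id": adv["id"],
                "component": comp["name"],
                "version": comp["version"],
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                # Matched, but does the issue apply to the hardware we ship on?
                "applies": platform not in adv["immune_platforms"],
                # Which other components are exposed through this dependency.
                "exposes": sorted(reverse.get(comp["bom-ref"], [])),
            })
    return findings


def risk_summary(sbom, advisories, platform):
    """The 'dashboard view': counts by severity rather than a bare component list."""
    findings = find_findings(sbom, advisories, platform)
    applicable = [f for f in findings if f["applies"]]
    by_severity = {}
    for f in applicable:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {
        "product": sbom["metadata"]["component"]["name"],
        "platform": platform,
        "applicable": len(applicable),
        "not_applicable_on_platform": len(findings) - len(applicable),
        "by_severity": by_severity,
        "findings": findings,
    }


def load_sbom(text=SBOM_JSON):
    return json.loads(text)


if __name__ == "__main__":
    for target in ("generic-x86", "cortex-a53"):
        print(json.dumps(risk_summary(load_sbom(), ADVISORIES, target), indent=2))
```

Running it for the two constructed platforms shows the difference the hardware makes: the kernel finding counts on the generic platform but is reported as not applicable on the Cortex-A53 target, while the zlib finding also lists openssl and busybox as exposed through the dependency graph. A real deployment would replace the inline advisory list with a feed keyed on the component identifiers the SBOM carries.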

4 Comments
Theguyuk, 2 years ago

People can never have the best security, Governments don’t allow it.

Fossxplorer, 2 years ago

True.
Recent example is the Australian gov’s “Anti encryption law”

Frans, 2 years ago

Oh yes, you can, just disable that WiFi and pull that RJ45 plug.
Of course that means operators onsite and maybe a closed/isolated network.
(and yes, in that case one can still bring a virus or so in the system through e.g. an infected USB device used for upgrading the software).

The problem is that systems are too easily hooked up to the internet.

(edit: and of course if you have a closed network without outside connections you still need to take care of physical security; and there is also still the problem of the inside man)

Theguyuk, 2 years ago

History shows us that the old CRT displays’ image could be seen from outside the building with the right equipment. Governments have been listening to each other’s undersea cables for years. Is your suggested setup safe, can we really say yes?

If cnx software allows the link. Food for thought.

https://www.computerworld.com/article/2475911/don-t-look-now-but-the-led-light-fixtures-are-spying-on-you.html
