There have been some widely publicized hacks in recent months including the SolarWinds hack and the Colonial pipeline cyber attack. Those two were particularly costly and disruptive, and the US government issued an executive order that lists some of the requirements to stretch cybersecurity.
Since there are many attach vectors, the list of requirements is fairly long, but one that caught my eyes in the “Enhancing Software Supply Chain Security” section reads as follows:
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
Bills of materials (BoM) are commonly used for hardware design, but the idea behind a software bill of materials is to make sure outdated software libraries with known vulnerabilities are not included in a specific program.
The 2021 Open Source Security and Risk Analysis (OSSRA) report exposes vulnerabilities and license conflicts found in more than 1,500 codebases across 17 industries, so beyond the security aspect, a software bill of materials may also help to identify non-compliance with open-source licenses.
As noted in an EETimes article that brought the topic to our attention, SBOMs are not the perfect solution, as software may have a huge list of components, and any changes made by the software company would have to be documented. Compile flags and the specific hardware used make the task even more complex. For example, a kernel may be vulnerable to the Spectre and Meltdown vulnerabilities, but some hardware platforms are immune (e.g. Cortex-A53 processor), so this would have to be taken into account.
Ron Brash, director of cybersecurity insights for Verve Industrial Protection, also told EE Times that you can just provide a list of libraries and other software components, and instead, vulnerabilities must be clearly identified to help users, developers, and asset owners.
I need to have a dashboard view that seamlessly shows me what the risks are, not just a list of software components. The latter wouldn’t help me as an asset owner, and probably doesn’t help the vendors, either.
So there should be some agreement of an SBOM standard, and the National Telecommunications and Information Administration (NTIA) has a dedicated page providing guidelines for software bills of materials. Separately, as noted by EETimes, the National Institute of Standards and Technology (NIST) is preparing guidelines with input from academia, government agencies, and the private sector that will include standards, tools, and best practices, and the draft is scheduled for release by November 8, 2021. If this eventually turns into law, a software bill of material may be required for programs, apps, and even devices’ firmware in the future.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.