At its core, a software bill of materials (SBOM) isn’t a new concept. We like to know what’s in the medications we take, and the treatments we apply to our lawns and gardens. Before we watch a film, we often go online to read reviews or the Wiki summary to get a better sense of what we’re going to view.
An SBOM establishes the same level of awareness about software, in the interest of reducing vulnerabilities and risks.
While the fundamental concept isn’t new, the White House’s executive order (EO) last year created greater momentum for across-the-board federal government adoption in the near future. The EO calls for vendors to provide an SBOM to agency purchasers, either directly or by publishing the required information on a public website. It describes the bill of materials as a formal record containing the details and supply-chain relationships of the components used in building the acquired software; such a record matters because developers routinely assemble products from both open-source and third-party software components. The SBOM is analogous to a list of ingredients on food packaging, according to the EO.
The software supply chain has emerged as a significant concern, with attacks targeting the supply chain growing 300 percent from 2020 to 2021. The EO notes that buyers can use the SBOM to perform vulnerability or license analysis to evaluate risk in a product.
In December, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said that the widespread Log4Shell vulnerability underscores the urgency for an SBOM. The CISA statement said an SBOM would provide end users with the transparency they require to know if their products rely on vulnerable software libraries.
Successful governmentwide implementation should benefit agencies and vendors. From a vendor’s perspective, it would increase visibility and transparency into the composition and security of products, which only adds to their value. From an agency’s perspective, it would bring another layer of protection, which aligns perfectly with zero-trust. In a zero-trust model, organizations want to verify everything, and then verify it again. SBOM adoption drives toward the granular level of awareness and authorization that zero-trust demands.
Broad adoption, of course, will not happen overnight. Nor should it. Federal and industry leaders must work together as partners to execute the following steps as part of an SBOM implementation strategy, to ensure a successful transition for agencies and vendors alike:
- Standardization. Agencies and vendors need to work from the same blueprint. They have to determine together a specific, universal format for the bill of materials. The vendors would use the format throughout the build process, and the government customer would then use it to “read” the products immediately through an automated program that works the same way regardless of the agency deploying it. Without standardization, there’s no automated way to assess data from different tools and platforms to understand whether they pose risks, and the SBOM will end up as just another “pile on” – yet more data to maintain, but likely not use.
- The assessment of existing systems. Obviously, there’s an abundance of federal technology systems and products already in place without a bill of materials. We need to address those, too. That’s where end-to-end observability – or automatic and intelligent observability – would step in to automatically and continuously scan and report any vulnerable components, which would then be flagged by the SBOM.
- A resolution of competitive issues that SBOMs may raise. Yes, we in the tech industry consider ourselves partners with the government. We sincerely want agencies to thrive from all of the possible benefits that an SBOM strategy could bring. We realize it’s the right thing to do, and something we all want. But we’d have to agree upon the depth of required reporting. We can develop an “ingredients list” for an automated tool to read. Yet we’d need reasonable limitations in place so we’re not releasing confidential, proprietary information which our competitors could exploit. That’s a potential roadblock to resolve.
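As an added illustration of the standardization point above (this is not code from the article or from Dynatrace): once the bill of materials is in a machine-readable format such as CycloneDX JSON, the vulnerability and license analysis the EO describes becomes a short automated check that any agency can run. The SBOM, the advisory list and the license policy below are all constructed for the example; the advisory id is a placeholder, not a real CVE number, and the affected version range is illustrative.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM (not a real product's bill of materials).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "jackson-databind", "version": "2.13.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "some-gpl-lib", "version": "1.0.0",
     "purl": "pkg:maven/example/some-gpl-lib@1.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory feed: versionless purl -> (advisory id, first affected, first fixed).
# The id is a placeholder, not a CVE number, and the version range is illustrative.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("ADV-EXAMPLE-LOG4SHELL", "2.0", "2.17.1"),
}
# Hypothetical agency license policy: anything outside this set needs review.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

def version_key(v):
    """Turn '2.14.1' into a comparable tuple; non-numeric parts (e.g. '0-beta9') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def analyze_sbom(sbom_text):
    """Return (vulnerable, license_violations) for the components listed in the SBOM."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")  # a shared format is what makes this automatic
    vulnerable, license_violations = [], []
    for comp in sbom.get("components", []):
        purl_base = comp.get("purl", "").split("@")[0]   # match on package identity, not version
        version = comp.get("version", "")
        adv = ADVISORIES.get(purl_base)
        if adv and version_key(adv[1]) <= version_key(version) < version_key(adv[2]):
            vulnerable.append((comp["name"], version, adv[0]))
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        if not ids or not ids <= ALLOWED_LICENSES:  # missing license data is also a finding
            license_violations.append((comp["name"], sorted(i for i in ids if i)))
    return vulnerable, license_violations

if __name__ == "__main__":
    print(analyze_sbom(SBOM_JSON))
```

The same function runs unchanged over any vendor's SBOM in that format, which is the practical payoff of agreeing on one blueprint.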
Our dedication to the government goes far beyond contracts and project timetables. As technology practitioners, we seek to make a meaningful difference. We want agencies to digitally transform, while reducing their threat exposure instead of expanding it.
The broad adoption of SBOM policies that are carefully planned – taking into account the critical role of standardization and the inclusion of existing systems, while not negatively impacting competitive business interests – could greatly contribute to such a transformation. It would be good for agencies, our nation, and the world. Again, we know it’s the right thing to do. We just need to do it right.
Willie Hicks, Public Sector CTO, Dynatrace