In response to the SolarWinds and Log4j attacks, the White House issued Executive Order 14028 on Improving the Nation’s Cybersecurity a little more than a year ago.
In that order, the direction to strengthen software supply chain security, and particularly the adoption of the Software Bill of Materials (SBOM), was given significant emphasis.
Commercial software often lacks transparency, attention to the program’s ability to withstand attack, and adequate safeguards against tampering by unauthorized parties.
An SBOM, which is effectively a catalog of a program’s components, libraries, and ingredients, should allow organizations to determine which open-source and commercial third-party packages make up an enterprise software product.
As the security strategy moves past the definitions stage and into actual implementations, the following NIST SBOM guidance themes should be on every security leader’s radar:
- The front and back ends of SBOMs have yet to be determined.
Storage and integrations for SBOMs will require a secure back-end layer. Developers will want a front end that surfaces security weaknesses without hampering their productivity.
- Automation is critical.
Maintaining terabytes of data and logs that no one is looking at is a waste of time and resources. The federal and state governments will be the principal consumers of SBOMs as a result of the Executive Order. However, for SBOMs to be successful, they must be designed with automation in mind. The Federal Risk and Authorization Management Program (FedRAMP) process must be automated for SBOMs to thrive in the public sector.
- Continuous monitoring may aid in the maintenance of SBOMs.
Because of the abundance of open source projects, programming language frameworks, and libraries available, most organizations were not only unaware of the Log4j vulnerability, but even once they learned of it, they were unsure whether Log4j was in use in their environment at all.
One SBOM feature will be continuous monitoring, which notifies organizations not only when a change affects their security posture, but also whether and where an affected component is running.
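The two capabilities described above, using the SBOM as a component catalog to answer "is this library in our software at all, and at which version?" and continuously re-checking that catalog as it changes, can be demonstrated with a small script. The following Python is an added example written for this article; it is not code from NIST, OWASP, or any SBOM tool. It assumes two CycloneDX-style JSON snapshots (constructed here inline, with a hypothetical `org.example:widget-parser` package) and a watchlist of affected version ranges whose bounds are placeholders, not data taken from any real advisory.

```python
import json
import re
from typing import Dict, List, Tuple

Components = Dict[str, str]  # "group:name" -> version string

# Constructed CycloneDX-style SBOM snapshots for a hypothetical service.
# These are illustrative documents, not real output from any SBOM generator.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.10.0"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        {"group": "org.yaml", "name": "snakeyaml", "version": "1.29"},
    ],
})
SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        {"group": "org.example", "name": "widget-parser", "version": "3.1.0"},  # hypothetical package
    ],
})

# Constructed watchlist: component key -> inclusive (lowest, highest) affected version.
# The bounds are PLACEHOLDERS for illustration; real ranges come from the vendor advisory.
WATCHLIST: Dict[str, Tuple[str, str]] = {
    "org.apache.logging.log4j:log4j-core": ("2.0.0", "2.14.1"),   # placeholder bounds
    "org.yaml:snakeyaml": ("0.0.0", "1.30.0"),                   # placeholder bounds
    "org.example:widget-parser": ("3.0.0", "3.1.5"),             # hypothetical package, constructed
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric comparison key: '2.14.1' -> (2, 14, 1), '1.29' -> (1, 29, 0).
    Pre-release suffixes such as '-beta9' are dropped, a simplification of
    real SemVer/Maven ordering that is good enough for range checks here."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    return tuple(parts + [0] * (3 - len(parts)))


def load_components(sbom_json: str) -> Components:
    """Flatten a CycloneDX 'components' array into {'group:name': version}."""
    doc = json.loads(sbom_json)
    out: Components = {}
    for c in doc.get("components", []):
        key = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
        out[key] = c.get("version", "")
    return out


def find_affected(components: Components, watchlist: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Return the watchlisted components whose version falls inside the affected range."""
    hits: Dict[str, str] = {}
    for key, version in components.items():
        if key not in watchlist:
            continue
        low, high = watchlist[key]
        if parse_version(low) <= parse_version(version) <= parse_version(high):
            hits[key] = version
    return hits


def diff_sboms(before: Components, after: Components) -> Dict[str, List]:
    """What changed between two SBOM snapshots: added, removed, and re-versioned components."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted((k, before[k], after[k]) for k in common if before[k] != after[k]),
    }


def monitor(before_json: str, after_json: str, watchlist=WATCHLIST) -> Dict[str, object]:
    """Continuous-monitoring step: diff the snapshots and re-evaluate both against the watchlist,
    so the report says what changed and whether that change introduced or removed exposure."""
    before = load_components(before_json)
    after = load_components(after_json)
    hit_before = find_affected(before, watchlist)
    hit_after = find_affected(after, watchlist)
    return {
        "diff": diff_sboms(before, after),
        "newly_affected": {k: v for k, v in hit_after.items() if k not in hit_before},
        "still_affected": {k: v for k, v in hit_after.items() if k in hit_before},
        "resolved": {k: v for k, v in hit_before.items() if k not in hit_after},
    }


if __name__ == "__main__":
    print(json.dumps(monitor(SBOM_BEFORE, SBOM_AFTER), indent=2))
```

Run against the two constructed snapshots, the report shows the Log4j upgrade and the removed YAML parser as resolved, while the newly added hypothetical `widget-parser` lands in the affected range and would trigger a notification. In a real pipeline the "after" snapshot would be the SBOM produced by each build and the watchlist would be refreshed from a vulnerability feed rather than hand-written.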
- It will be a tragedy if SBOM information is not standardized.
Cybersecurity leaders should endeavor to standardize and simplify the SBOM process. The worst-case scenario is that a complex framework is ignored because no one understands it. Security executives should treat SBOMs as the first step in safeguarding the software supply chain.
- There will be many SBOM frameworks.
The Open Web Application Security Project (OWASP) and the National Institute of Standards and Technology (NIST) each employ different frameworks. The government cannot dictate which SBOM framework a corporation must use; nonetheless, enterprises must be flexible enough to accommodate any SBOM framework.
- Improved collaboration between companies and government agencies.
The SBOM’s ability to accelerate peer cooperation in security will have a significant influence on the nation. If the cybersecurity profession can increase information sharing on security problems through SBOMs, the country will certainly see a lot more of this kind of collaboration in security-critical sectors.
Log4j and SolarWinds made the industry aware of the risks presented by insecure software artifacts and the attacks made possible by their transitive nature. Government and industry leaders agree that enterprises should know the contents and locations of the software they employ as the first step in the software supply chain security movement.