In 2011, billionaire software developer and Netscape co-founder Marc Andreessen wrote a seminal article for the Wall Street Journal about “the software revolution.” He began the piece by proclaiming, “Software is eating the world.”
More than a decade later, software is everywhere and is going nowhere, leading increasingly to very real concerns about software supply chain security.
“So the model starts with transparency,” said Allan Friedman, senior adviser and strategist with the Cybersecurity and Infrastructure Security Agency, whose years in the cybersecurity world, complemented by his Harvard doctorate in Public Policy, position him well in this time of never-ending security issues.
After transparency and knowing what you have, he said on Federal Monthly Insights – Securing the Supply Chain, “…it moves on to understanding what are some of the assurances we can say about how that software is created and then looking to the future, trying to understand how the quality of the software that we use can be better and more secure.”
At federal agencies, people buy software and, in some cases, they develop their own software, doing their own coding. The rules for the former were spelled out precisely a couple of years ago.
“In terms of what we buy, that was laid out by the White House and Executive Order 14028 of 2021,” Friedman said.
“The goal there was to say, ‘Hey, let’s put some basic standards, some minimum thresholds on what we’re buying. So you got to be this high to ride,’” he said on the Federal Drive with Tom Temin.
Nothing in EO 14028 should surprise anyone who has thought about security, Friedman said.
“Are you using decent authentication? Are you using basic analysis tools that have been around for, you know, a decade? And, of course, near and dear to my heart, do you actually know what is in your software?” That is the idea of an SBOM.
The software bill of materials or SBOM is a key building block in software security and software supply chain management.
“That’s the core behind an SBOM. It’s a data layer that says this piece of software uses these other pieces of software, which uses other pieces of software. Software today, even in very developer heavy environments, isn’t written from scratch. It’s assembled from lots of other pieces, both proprietary, and of course, open source,” Friedman said.
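The chain Friedman describes, a piece of software that uses other pieces, which in turn use others, is exactly what the dependency section of an SBOM records. The following is an added example, not code from the article or from CISA: it parses a small constructed SBOM modeled on the CycloneDX JSON layout (a root component under `metadata`, a `components` list, and `dependencies` keyed by `bom-ref`), lists everything the application transitively ships, shows the "uses X, which uses Y" path that explains why a given library is present, and flags dependency references the document never declares. All package names, versions and bom-ref values are invented.

```python
import json
from collections import deque

# Constructed sample SBOM for this example, modeled on the CycloneDX JSON
# layout (metadata.component, components[], dependencies[] keyed by bom-ref).
# Every name, version and bom-ref below is invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "application", "name": "example-app", "version": "2.0.0",
        "bom-ref": "pkg:generic/example-app@2.0.0"}},
    "components": [
        {"type": "library", "name": "lib-http", "version": "4.1.0",
         "bom-ref": "pkg:generic/lib-http@4.1.0"},
        {"type": "library", "name": "lib-json", "version": "1.8.2",
         "bom-ref": "pkg:generic/lib-json@1.8.2"},
        {"type": "library", "name": "lib-compress", "version": "0.9.0",
         "bom-ref": "pkg:generic/lib-compress@0.9.0"},
        {"type": "library", "name": "lib-tls", "version": "3.0.1",
         "bom-ref": "pkg:generic/lib-tls@3.0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.0.0",
         "dependsOn": ["pkg:generic/lib-http@4.1.0", "pkg:generic/lib-json@1.8.2"]},
        {"ref": "pkg:generic/lib-http@4.1.0",
         "dependsOn": ["pkg:generic/lib-compress@0.9.0", "pkg:generic/lib-tls@3.0.1"]},
        {"ref": "pkg:generic/lib-json@1.8.2", "dependsOn": []},
        {"ref": "pkg:generic/lib-compress@0.9.0", "dependsOn": []},
        {"ref": "pkg:generic/lib-tls@3.0.1", "dependsOn": []},
    ],
})


def parse_sbom(text):
    """Return (root_ref, components, graph) from a CycloneDX-style document.
    components maps bom-ref -> component dict; graph maps bom-ref -> list of
    bom-refs it depends on directly."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in doc.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {d["ref"]: list(d.get("dependsOn", []))
             for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, graph


def transitive_dependencies(graph, root):
    """Every bom-ref reachable from root through any number of dependsOn edges
    (root itself excluded). Breadth-first with a seen set, so a cyclic SBOM
    cannot loop forever."""
    seen, queue = set(), deque([root])
    while queue:
        ref = queue.popleft()
        for dep in graph.get(ref, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    seen.discard(root)
    return seen


def dependency_paths(graph, root, target):
    """All simple paths root -> ... -> target: the 'uses X, which uses Y'
    chains that explain why target is shipped in the product."""
    paths = []

    def walk(ref, path):
        if ref == target:
            paths.append(path)
            return
        for dep in graph.get(ref, []):
            if dep not in path:  # skip cycles
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def refs_for_name(components, name):
    """bom-refs of every declared component with this name, any version."""
    return sorted(ref for ref, c in components.items() if c.get("name") == name)


def unresolved_refs(components, graph):
    """Dependency edges that point at something the SBOM never declares as a
    component. A non-empty result means the SBOM is incomplete, which is the
    first thing to check before relying on it."""
    referenced = {dep for deps in graph.values() for dep in deps}
    return sorted(referenced - set(components))


if __name__ == "__main__":
    root, comps, graph = parse_sbom(SAMPLE_SBOM)
    print("root:", root)
    for ref in sorted(transitive_dependencies(graph, root)):
        print("  ships:", ref)
    for ref in refs_for_name(comps, "lib-compress"):
        for path in dependency_paths(graph, root, ref):
            print("  why lib-compress:", " -> ".join(path))
    print("unresolved refs:", unresolved_refs(comps, graph))
```

The questions a buyer or integrator actually asks of an SBOM map onto these functions: `transitive_dependencies` answers "what am I really running", `refs_for_name` plus `dependency_paths` answer "is library X in here, and through what", and `unresolved_refs` is the sanity check that the supplier's document is whole before any of those answers are trusted.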
Friedman said that having an SBOM, and knowing someone might ask for it, means companies will invest more in their software development practices.
“Alternatively, if they already have great software development practices, they should be able to trumpet it and use that as a competitive advantage when selling to our agency,” Friedman said. “And then for folks who buy software, or who are selecting open source, again, you want to say, ‘Are there risks even before I’ve signed on the dotted line? And indeed, why would I buy from someone who couldn’t tell me what they were selling me.’ And so again, it’s a way of rewarding organizations that have invested in good product security.”