“We are seeing a lot of requirements for SBOMs coming through in requests for information, requests for proposals and requests for quotes. We’re seeing more and more requests for that,” Scinta said during Federal News Network’s Cyber Leaders Exchange 2023.
“As a matter of fact, last year, one of our technology partners that was going to integrate one of our products into their solution suite requested an SBOM specifically for that product. That put us into the process of now looking at tools we can use to build SBOMs for all our products. We were able to provide that SBOM to our technology partner, who then in turn ran it through some vulnerability testing tools and also used the National Vulnerability Database to provide to us as a source for the input that we gave them as part of the SBOM.”
The broadening focus on the security of software used by government makes sense, Scinta said. After all, the cyber strategy aims to shift and rebalance the cyber relationship and realign the incentives. A big piece of that is the development and protection of software.
The strategy’s software supply chain risk mitigation objective, developed in coordination with the National Institute of Standards and Technology (NIST), focuses on implementing SBOMs and other efforts to improve open source software security.
Scinta noted that Thales’ experience with the one technology partner spurred the company to incorporate the requirement for an SBOM into its product portfolio roadmap.
“We’ve got a plan for building those SBOMs for each one of the products, and the products that interact with our main products,” she said, adding, “There are some tools in the market that we’ve leveraged to generate the SBOMs. It has to be in an immersive machine-readable format when we give it to the customers. We do try to make sure that if there’s any tool that we can use to help us build our response, it makes it easier for us than making it a manual process.”
Viewing SBOMs as an ingredient list
Scinta said agencies and companies should think of an SBOM as an ingredient list for a recipe to create secure software. Just as in baking cookies, combining the ingredients just so results in cookies that are soft and chewy, crunchy or somewhere in between.
She recommends the National Vulnerability Database as a good starting place for SBOMs. NVD — which includes databases of security checklist references, security-related software flaws, misconfigurations, product names and impact metrics — enables automation of vulnerability management, security measurement and compliance.
Scinta said running third-party or open source software through NVD can provide a sense of confidence about the elements of a software product.
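The workflow described above (generate a machine-readable SBOM, then check each listed component against vulnerability data such as NVD) is straightforward to automate once the SBOM is in a structured format. The following is an added example written for this page; it is not Thales’ tooling, not an NVD client, and not code from the original article. It parses a constructed CycloneDX-style SBOM embedded inline and matches each component against a constructed, locally embedded advisory list whose identifiers are placeholders rather than real CVE numbers. A real pipeline would replace the embedded advisory list with records pulled from NVD’s API or data feeds and would normalise component names via package URLs (purls) rather than bare names.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for illustration only. Component names,
# versions and purls are made up; this is not any real product's SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:pypi/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-tls", "version": "1.0.9",
     "purl": "pkg:pypi/example-tls@1.0.9"},
    {"type": "library", "name": "example-logging", "version": "4.2.0",
     "purl": "pkg:pypi/example-logging@4.2.0"}
  ]
}
"""

# Constructed advisory records standing in for data an analyst would download
# from NVD. The "id" values are placeholders, not real CVE identifiers.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "PLACEHOLDER-0001", "product": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "HIGH"},
    {"id": "PLACEHOLDER-0002", "product": "example-tls",
     "introduced": "1.0.0", "fixed": "1.0.9", "severity": "CRITICAL"},
    {"id": "PLACEHOLDER-0003", "product": "example-logging",
     "introduced": "4.3.0", "fixed": "4.3.5", "severity": "MEDIUM"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of integers.

    Only the leading digits of each segment are used, so "1.2.3rc1" becomes
    (1, 2, 3). This is a deliberate simplification; real tooling should use a
    proper version-scheme parser for the ecosystem in question.
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name/version pairs from a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return [
        {"name": c["name"], "version": c["version"]}
        for c in bom.get("components", [])
        if "name" in c and "version" in c
    ]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed.

    A component already at the fixed version is therefore not reported.
    """
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(components: List[Dict[str, str]],
                     advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per component/advisory pair whose version range matches."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["product"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    # Sort so the output is stable for reporting and diffing between builds.
    return sorted(findings, key=lambda f: (f["component"], f["advisory"]))


if __name__ == "__main__":
    for finding in match_advisories(load_components(SBOM_JSON), ADVISORIES):
        print("%(severity)s %(advisory)s: %(component)s %(version)s "
              "(fixed in %(fixed_in)s)" % finding)
```

With the constructed data, only example-json-parser 2.3.1 is reported: example-tls sits exactly at the fixed version and example-logging is below the affected range, which is why the half-open comparison matters. Re-running this check against refreshed advisory data each time a build produces a new SBOM is what turns the “ingredient list” into an ongoing control rather than a one-time snapshot.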
But, she said, that’s only one checkbox of many that Thales and others must go through, which is why secure-by-design and secure-by-default approaches are growing in use across the software community.
Scinta pointed to guidance on secure-by-design and secure-by-default software development that the Cybersecurity and Infrastructure Security Agency is working on in conjunction with the FBI, National Security Agency and other cybersecurity authorities across the globe, including organizations in Australia, Canada, Germany, the Netherlands, New Zealand and the UK.
“They all collectively put this together, where it’s developed to focus on shifting the balance of cybersecurity risk from the customer to the vendor, and it’s really like a first of its kind. It’s in a draft form right now. We’re evaluating that to see what we can use as a guidance,” she said. “Secure by design has been in our DNA for years. From a customer’s perspective, how can they leverage that? Because we’re not only developing software and products, so are our customers.”