Agencies still seek software bills of material, not bills of goods

Software bills of materials. The code ingredients in software. They’ve become the object of study as a way to discover cybersecurity vulnerabilities. Agency tech staffs find getting them is one thing. Making sense of them is something else. To help, the Cybersecurity and Infrastructure Security Agency recently held an online event it called the SBOM-a-Rama. Joining the Federal Drive with Tom Temin with what you might want to know, CISA cyber innovation fellow and chief security advisor at Endor Labs, Chris Hughes.

Interview Transcript:

Tom Temin So when it comes to SBOMs, this is something I think it’s fair to say: people can gather them, but they don’t know what to make of them when they get them. Is that kind of the condition of life now?

Chris Hughes Yeah, that’s what many organizations and the industry would tell you. You know, it’s kind of the state of things. We initially saw a push to get the SBOM as an artifact, you know, simply because we lacked transparency, and in incidents like Log4j and SolarWinds you had folks scrambling to get transparency around software they consume from the open-source ecosystem. So now everyone has pushed to get these artifacts. But now it’s kind of a game of, you know, what do you actually do with it? How do we ingest it, enrich it, analyze it, make sense of it, and drive value?

Tom Temin And define that. Most of the SBOM suppliers, that is, the people that are asked for them by the government or by other large organizations, use the standard formatting. There’s a couple of different standards for SBOMs such that they are easily digested. Is there pretty much conformance there?

Chris Hughes Yeah. That’s correct. The two leading industry standardized formats are what’s known as CycloneDX from the OWASP organization and then also SPDX from the Linux Foundation. And the industry has rallied around those two primary formats. There are, you know, another one or two that have been discussed and used at some point, but those are the two that the industry has settled around at this point. And most organizations are using tools that produce them in either one or both formats.

Tom Temin And are these readable? I mean, if you have an SPDX reader or a CycloneDX reader on your machine, what does an SBOM look like? Is there anything visible to the human eye?

Chris Hughes Yes, thankfully it’s going to break down, you know, in a piece of software, what are the components that are within that piece of software from an open-source perspective. And even first-party code might help you understand, you know, what are the nested ingredients that make up this piece of software. And then also, you know, you can get information such as what are the vulnerabilities associated with those components. So you can still get a handle on what they call the software supply chain: understanding, you know, what software we consume, what vulnerabilities are associated with it, you know, where do we have risk and concerns, and it helps position you to actually do something about that.

Tom Temin So these formatting standards then are designed to reveal the source of the code, not just the name of whatever block of code is part of it.

Chris Hughes That’s correct. You know, essentially what we’ve rallied around so far is that the organization known as NTIA, where a lot of the SBOM momentum started within government several years ago, defined what they called the NTIA minimum elements for an SBOM. And they’ll give you various information such as the supplier, the component name, you know, source, and so on. And people can start to use that to understand, you know, the pedigree and provenance of these components: you know, where they came from, what their names are, who supplied them, etc., in addition to, you know, vulnerability information as well.

Tom Temin Well, then you would need to link that to some other source to know whether the components that you’ve identified are what you want or not. That is to say, the SBOM will not tell you about the vulnerabilities in it.

Chris Hughes Yeah, well, it can. You can start to identify vulnerabilities in those components, you know, looking at something like the National Vulnerability Database. But you did make a comment about whether you want the components or not. And that’s kind of the complexity of the issue here: if you’re consuming software from a secondary or third-party, you know, supplier of a product, for example, and they provide an SBOM of said product, it’s going to have components in there that you essentially have no say over whether you want them or not. They’re basically integrated into the product. It now just gives you transparency and visibility of what’s underneath the hood of that product, in terms of how much of the product is composed of open-source software, you know, what vulnerabilities those components have, and so on. It does put you in a position, though, that you weren’t in previously, where now you can have a conversation with the supplier to understand, you know, where are they on track to, you know, remediate vulnerabilities or mitigate risk in the product, or even, you know, potentially replace a component if it’s outdated, has a number of vulnerabilities associated with it, and so on.

Tom Temin We’re speaking with Chris Hughes. He’s chief security advisor at Endor Labs and a cyber innovation fellow at the Cybersecurity and Infrastructure Security Agency. And it sounds like SBOM analysis, if you will, and, you know, deriving information from an SBOM, is kind of a specialty field all in itself.

Chris Hughes Yes. It’s definitely grown into that. If you look at the, you know, kind of startup ecosystem where some of the venture capital has been going, if you attend, you know, some of the biggest industry events like RSA and Black Hat, you’ll notice there’s several firms that have kind of standardized themselves in a niche around SBOM analysis: you know, storing SBOMs, you know, ingesting them from other sources, helping you produce, you know, visibility and reporting around the components, and aggregating those SBOMs, you know, to give you kind of a holistic, you know, kind of enterprise risk management perspective around those SBOMs and the vulnerabilities associated with them and the suppliers you got them from and things of that nature.

Tom Temin And these, well, it was called the Winter SBOM-a-Rama. So I guess that means there’s a spring and a fall SBOM-a-Rama from CISA. What happens with those things? They’re online, right?

Chris Hughes Yeah, they are. So this is essentially an opportunity to bring together stakeholders from both government and the private sector on the industry side. And you have representation from, you know, the organizations I talked about, like the Linux Foundation and OWASP and others who are leading the formats and work around SBOM formats. But you also have folks from different ISACs and community groups who are using SBOMs for various purposes, whether it’s in the financial community or the medical device community or private sector organizations, as well as representatives within government and the Department of Defense who all have an interest essentially in software transparency, software supply chain security, and using SBOMs as a piece of that to mitigate risks. They all come together, talk about the progress they’re making, you know, challenges that remain, tertiary issues around things like software identification, you know, that relate to the concept of, you know, software supply chain, and it kind of brings the industry together, both on the public and private sector side, to collaborate around that topic.

Tom Temin There must be a Reddit group for SBOMs somewhere down there.

Chris Hughes Oh, almost certainly there’s some. There are several Reddit subreddit-type groups out there, other folks that are tackling this challenge. You’ll find a lot of conversation among industry groups, conferences, industry events. And yeah, it’s a very hot topic for sure.

Tom Temin Are any major software publishers reluctant to issue SBOMs because the customer could find out that the vendor didn’t supply really any of its own coding, but simply assembled a bunch of stuff out there in open source, and maybe put a nice front page on it for the welcome page? Otherwise, you know, where’s the value add?

Chris Hughes Yeah, there’s plenty of folks, you know, and obviously they won’t necessarily say that openly, but there’s plenty of folks who say that the industry pushback, or at least, you know, what industry pushback there is around SBOMs and transparency, is due to facts such as that. There are concerns that, you know, organizations are simply concerned that people are going to realize that they largely have compiled a bunch of open source and put, you know, a little bow on top of it, maybe some custom proprietary code at some point, but largely it’s open-source components. And additionally, they may have concerns around, you know, pulling the curtain back and saying, hey, we have a whole bunch of outdated, poorly maintained and vulnerable components in this product, and we simply don’t want to provide that level of transparency. You know, they don’t say it like that, but there is a lot of suspicion that, you know, pushback around transparency isn’t because of intellectual property concerns or, you know, things like that, but it’s actually, you know, pulling back the curtain and showing that, you know, you did not create this or it’s poorly maintained and poorly secured.

Tom Temin Yes. If you’re old enough, you remember the great scandal of the Oldsmobiles with the Chevy engines in them. It was a big deal back, I guess, it must have been in the 1980s. All right. So at the most recent SBOM-a-Rama, did anything earthshaking come out? Any new learning that the industry should be aware of?

Chris Hughes Yeah, I think the biggest takeaway was what we started the conversation with. You know, at previous events like this, it was a lot of education around what this problem is, or why you even need to have it, or why this is important. And now the conversation has significantly matured, where everyone understands why we should have it, what it is, the purpose it serves, and people are looking at innovative ways to use it in broader, you know, things like cybersecurity supply chain risk management or vulnerability management and enterprise risk management, integrating it into those programs, as well as activities like procurement and acquisition, even mergers and acquisitions as well. You know, and we’re seeing a lot of innovation and progress within certain communities like the financial sector or the medical device community. We had representation from the Department of Defense. They’re using it for various purposes, from the resilience perspective, as well as, like, authorizations of systems that go into production and so on, as there’s a lot more maturity around not just what it is, but how to actually use it to provide value and drive more secure outcomes.

Tom Temin And by the way, is it SBOM-a-Rama with an A, or SBOM-o-Rama?

Chris Hughes I believe it has an A. Yeah, I hope I’m right, but I’m almost certain, doesn’t it?
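The interview touches on the two SBOM formats, the NTIA minimum elements, and the need to link components to an external vulnerability source such as the NVD. The following Python check is an added example, not part of the interview and not code from CISA, Endor Labs or the OWASP CycloneDX project. It parses a constructed CycloneDX 1.4 JSON SBOM (the product, components and vendor names are made up for illustration), reports which NTIA minimum elements each component is missing (supplier, name, version, a unique identifier such as a purl, and a declared dependency relationship), checks the SBOM-level author and timestamp, and collects the identifiers you would feed to a vulnerability lookup. The "dependency relationship" rule used here, that every component should appear as a `ref` in the `dependencies` array, is this example's own convention, not a CycloneDX requirement.

```python
import json

# Constructed sample CycloneDX 1.4 SBOM for a hypothetical product.
# The second component deliberately lacks a supplier, a version and a
# dependencies entry so the check has something to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2024-02-01T12:00:00Z",
        "authors": [{"name": "Example Vendor Security Team"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "3.2.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j",
         "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "supplier": {"name": "Apache Software Foundation"}},
        {"type": "library", "bom-ref": "jackson",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "jackson"]},
        {"ref": "log4j", "dependsOn": []},
    ],
})


def component_gaps(component):
    """Return the NTIA minimum element names missing from one CycloneDX component."""
    gaps = []
    supplier = component.get("supplier") or {}
    if not supplier.get("name"):
        gaps.append("supplier")
    if not component.get("name"):
        gaps.append("name")
    if not component.get("version"):
        gaps.append("version")
    # "Other unique identifiers": a purl or CPE is what an NVD/OSV lookup keys on.
    if not (component.get("purl") or component.get("cpe")):
        gaps.append("unique identifier")
    return gaps


def check_ntia_minimum(sbom_json):
    """Parse a CycloneDX JSON document and report NTIA minimum-element gaps.

    Returns {"sbom": [missing document-level elements],
             "components": {bom-ref: [missing component-level elements]}}.
    """
    sbom = json.loads(sbom_json)
    report = {"sbom": [], "components": {}}

    meta = sbom.get("metadata") or {}
    if not meta.get("authors"):
        report["sbom"].append("author of SBOM data")
    if not meta.get("timestamp"):
        report["sbom"].append("timestamp")

    # Example's own rule: a component with no entry of its own in the
    # dependencies array has no declared dependency relationship.
    declared = {d.get("ref") for d in sbom.get("dependencies") or []}
    for comp in sbom.get("components") or []:
        ref = comp.get("bom-ref") or comp.get("name")
        gaps = component_gaps(comp)
        if ref not in declared:
            gaps.append("dependency relationship")
        if gaps:
            report["components"][ref] = gaps
    return report


def lookup_keys(sbom_json):
    """Collect the package URLs you would send to a vulnerability database query."""
    sbom = json.loads(sbom_json)
    return [c["purl"] for c in sbom.get("components") or [] if c.get("purl")]


if __name__ == "__main__":
    print(json.dumps(check_ntia_minimum(SAMPLE_SBOM), indent=2))
    print(lookup_keys(SAMPLE_SBOM))
```

Run against the sample, the report flags only `jackson`, for a missing supplier, a missing version and no dependency relationship, while the SBOM-level author and timestamp pass. A purl without a version, as on that component, is exactly the case where a vulnerability lookup cannot tell you whether the shipped build is affected, which is why the version element matters as much as the identifier.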

Copyright © 2024 Federal News Network. All rights reserved.