“What do you mean, you don’t know what’s in your software?”
— Allan Friedman, Senior Advisor and Strategist at CISA.
SAN FRANCISCO, June 2022 – Of all the supply chain topics covered at this year’s RSA Security Conference, the software bill of materials (SBOM) was among the most popular, especially when it comes to protecting the software supply chain.
For example, during the four days of the conference, Allan Friedman, PhD, was all over the conference, speaking and attending SBOM-focused events. As a senior adviser and strategist for the Cybersecurity and Infrastructure Security Agency (CISA), Friedman is often called the father of SBOM.
On the Tuesday morning of the show, he led an expert panel of critical infrastructure partners from the Department of Energy, Schneider Electric, and Idaho National Laboratory to talk about securing code for critical infrastructure. But first he started with an update on data formats for viewing SBOM output in machine-readable form, as well as progress on automation and integration.
Maturation of SBOM
A key takeaway from the panel is that SBOMs are coming of age. Panelists discussed how the energy industry attempts to derive specific value from SBOMs to identify weaknesses and protect infrastructure. Virginia Wright, energy portfolio manager at Idaho National Labs, explained it this way: “We realized we had to know the ingredients of our software, and so now we’re consuming the data to get the most out of it.”
The blame, they all agreed, lies with software vendors, who usually don’t know what’s in their own software, especially the open source components of the software. And with these components increasingly under attack (as well as the public and private libraries hosting these components), full transparency about the origins of these programs and their known vulnerabilities is essential, they say.
Pro tip: Look at this Google blog on integrating SBOM output with vulnerability management data for more visibility into where to make repairs.
Specific to the energy industry, software vendors need to understand the challenges of patching and updating their software and firmware, which typically have an average lifecycle of decades, said Cassie Crossley, vice president and Deputy Head of Product Safety at Schneider.
In terms of lessons learned and future applications of SBOMs, panelists discussed the need to better integrate SBOMs into OT asset and change management systems, which at least one vendor interviewed at RSAC understands. Casey Ellis, CEO of Bugcrowd, said his company prioritized features to reduce loads on DevSecOps when bugs are found, hold developers accountable and engage security operations with development.
Software, firmware, hardware and beyond
During Tuesday’s energy panel with Allan Friedman, panel experts also considered SBOMs that go beyond commercial applications to include open-source components. They believe that SBOMs should also be used by integrators who develop APIs. Beyond software and firmware, these experts also agree that SBOMs should extend to hardware, which would provide a complete and integrated picture of the technology stack.
As SBOMs become increasingly common in third-party commercial applications, they must also overcome negative perceptions that SBOMs deconstruct secret software ingredients and allow competitors to copy valuable intellectual property. But Wright likened that argument to concerns from food producers that they were giving away their recipes when consumer protection rules required them to list their ingredients on the label. It’s a basic safety issue, she says, and it’s just a list of ingredients, not the recipe for how to combine them. Same with code, SBOMs won’t include where and how the code was put together, just what’s in it.
In another session on building trusted systems, Bob Martin, Senior Software and Supply Chain Assurance Engineer at MITRE, spoke about reusing collected SBOM information for risk modeling, which MITRE intends to automate and integrate in the fall.
While SBOMs were high on the list of topics at RSA this year, zero trust was the most popular topic covered in sessions and on vendor booths. But even then, SBOMs surfaced in discussions, because SBOMs speak to the very core of Zero Trust, which protects the codebase running critical infrastructure.
Pro tip: To learn more about using SBOMs, read GrammaTech’s blog on SBOMs used across the software stack.
*** This is a Security Bloggers Network syndicated blog from Shift Left written by Deb Radcliff. Read the original post at: https://shiftleft.grammatech.com/sboms-go-prime-time-at-rsac-2022