Software bill of materials
A software bill of materials[1] (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product.[2][3] It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause an allergies, SBOMs can help companies avoid consumption of software that could harm their organization. The concept of a BOM is well-established in traditional manufacturing as part of supply chain management.[4] A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.
Usage
An SBOM is useful both to the builder (manufacturer) and the buyer (customer) of a software product. Builders often leverage available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.[5] Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.
While many companies just use a Microsoft Excel[6] document for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. SBOMs gain greater value when collectively stored in a repository that can be a part of other automation systems, easily queried by other applications.
Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.[7][8][9]
Legislation
The Cyber Supply Chain Management and Transparency Act of 2014[10] was US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase. It also would have required obtaining SBOMs for "any software, firmware, or product in use by the United States Government". Though it ultimately didn't pass, this act did bring awareness to government and spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017."[11][12]
The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021[13] ordered NIST to issue guidance within 90 days to "include standards, procedures, or criteria regarding" several topics in order to "enhance the security of the software supply chain," including "providing a purchaser a Software Bill of Materials (SBOM) for each product." Also mandated within 60 days was for NTIA to "publish minimum elements for an SBOM."
The NTIA minimum elements were published on July 12, 2021,[13] and also "describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution."
References
- ↑ "Software Bill of Materials". ntia.gov. https://www.ntia.gov/sbom.
- ↑ "Securing A Mobile World". Crosstalkonline.org. http://www.crosstalkonline.org/storage/issue-archives/2012/201203/201203-Croll.pdf.
- ↑ "[Part 2 Code, Cars, and Congress: A Time for Cyber Supply Chain Management"]. http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/.
- ↑ "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/.
- ↑ "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. http://embedded-computing.com/article-id/?3826=.
- ↑ "Using Excel for Bill of Materials (BOM) Management". https://www.arenasolutions.com/resources/articles/excel-bill-of-materials/.
- ↑ "Appropriate Software Security Control Types for Third Party Service and Product Providers". Docs.ismgcorp.com. http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf.
- ↑ "Top 10 2013-A9-Using Components with Known Vulnerabilities". https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities.
- ↑ "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security.
- ↑ "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress". 4 December 2014. https://www.congress.gov/bill/113th-congress/house-bill/5793.
- ↑ "Internet of Things Cybersecurity Improvement Act of 2017". https://www.warner.senate.gov/public/_cache/files/8/6/861d66b8-93bf-4c93-84d0-6bea67235047/8061BCEEBF4300EC702B4E894247D0E0.iot-cybesecurity-improvement-act---fact-sheet.pdf.
- ↑ "Cybersecurity Improvement Act of 2017: The Ghost of Congress Past". 17 August 2017. https://devops.com/cybersecurity-improvement-act-2017-ghost-congress-past/.
- ↑ 13.0 13.1 "Executive Order on Improving the Nation's Cybersecurity" (in en-US). 2021-05-12. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.