Do you know what’s in the codebase of the apps your business uses and develops? The extent to which all the components of apps are visible and recorded is a critical indicator of software supply chain security. Whether your company deploys commercial apps or creates them (perhaps both), here’s how a software bill of materials (SBOM) helps you reduce risks from incidents similar to SolarWinds and Log4Shell.
Software supply chain security is a hot topic in the world of infosec. Modern software development practices like Agile and DevOps focus on agility and frequent releases. These practices mean that most apps are no longer monolithic codebases composed of mostly proprietary code.
Today, companies tend to create or use apps that function more like a collection of smaller services that communicate with each other. These services get deployed in virtualized containers that often run on cloud infrastructure.
Furthermore, the code in contemporary apps is often a medley of libraries and frameworks from open source projects and proprietary code written by in-house developers. One estimate puts the number at 70-90% of the average modern app’s codebase being composed of free and open source code that provides ready-made functionality to apps.
While the faster time to market from modern development practices comes with many benefits, the downside is increased levels of security risk in the software supply chain. Even if your business never writes a single line of code, you need full visibility into the software supply chain of the apps you deploy.
Threat actors today increasingly look to exploit weaknesses in the software supply chain. Part of the attraction from a malicious standpoint is the ability to target large numbers of victims at once. Exemplifying this was the 2021 zero-day vulnerability found in the popular Java logging framework Log4j. One vulnerability instantly put thousands of organizations at risk, whether they were using Log4j in their IT ecosystems directly or whether the apps they procured used Log4j.
A software bill of materials attempts to bring visibility into software supply chains by listing all the components present in a codebase. In particular, an SBOM contains the following useful information:
The concept of an SBOM draws inspiration from the bill of materials commonly found in manufacturing processes. In fact, the car you drive comes with a bill of materials that details every component of that car. The visibility provided by this structured, formal inventory makes it easier to track issues and recall defective parts.
An SBOM is hierarchical so that it tracks the relationships between each component. An SBOM should also be machine-readable, which means that you generate it in a specific format. Currently, the two main SBOM formats are CycloneDX and Software Package Data Exchange (SPDX)—the latter is the more complex and granular of the two formats in terms of how it describes relationships between software components.
It’s worth briefly pointing out that a 2021 Executive Order on Improving the Nation’s Cybersecurity contains a lengthy section on enhancing software supply chain security at the Federal government level. A notable quote from this section was the necessity to provide government purchasers of software with “a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”
If your company develops commercial software solutions but you don’t do any business with the U.S. government, it’s tempting to neglect any need for an SBOM. But in setting this example, companies in the private sector will also increasingly look for an SBOM when procuring software solutions. If you avoid going to the effort of generating this inventory of components in your apps, you risk losing out to competitors.
The general cybersecurity benefits of SBOMs for those who create, purchase and operate software include:
Requiring and/or generating an SBOM for all software will play an increasingly important role in reducing cyber risk at your business in the coming years. Microsoft CEO Satya Nadella’s quote about every business being a software business is true in a world where apps drive both operations and innovation.
At Nuspire, we stand ready to complement your risk reduction ambitions with cybersecurity consulting services. Available expert guidance includes incident readiness, threat modeling, vCISO, security posture assessments and customized approaches to address threats in your specific industry.