From the course: Cybersecurity Foundations
Ensuring supply chain security through SBOMs
- [Narrator] There's been an increasing level of concern in governments about the potential for cyber attacks through the supply chain. A particular issue is the risk of malicious changes to open source libraries used to build software. As a result, the 2021 executive order on improving cybersecurity directed that vendors provide details of the software components used in their solutions. The order directs vendors to provide a purchaser a software bill of materials, or SBOM, for each product, either directly or by publishing it on a public website. Pursuant to this requirement, the Department of Commerce issued a publication entitled The Minimum Elements for a Software Bill of Materials. This publication covers three areas: the data fields required in an SBOM, support for automating SBOM management, and the practices and processes relating to SBOMs. The data fields in the SBOM must contain sufficient information about each component to enable purchasers to track them across the software supply chain. The SBOM may also include other non-mandatory identifiers. Specifically, the baseline component information includes the vendor or supplier name, the component name, the component version, other identifiers such as vulnerability and license database keys, dependencies on other components, and an author and timestamp for the SBOM entry. Vendors must provide support for automation so that SBOM management can be scaled across the software ecosystem. Tooling for SBOM data management requires well-defined data formats and API specifications. There are currently three main SBOM data formats, which are both machine and human readable, and these are interoperable: the Software Package Data Exchange, or SPDX, format; CycloneDX; and Software Identification. The third area of guidance is in respect of practices and processes relating to SBOM use.
These include: a new SBOM must be produced to accompany each new release of the component; all top-level component details, together with their dependencies, must be provided to enable lower-level dependencies to be found recursively; and any unknown component dependencies must be detailed. SBOMs should be available in a timely fashion, either by accompanying the software or by being accessible, for example, on the vendor website. And where a vendor wishes to control access to their SBOM data, accommodation must be made for purchasers to gain access to and use that data. Beyond the minimum elements, vendors are encouraged to provide additional information such as references to component entries in vulnerability databases, and license conditions. Providing assurance information such as a hash value of the component is also recommended. The way in which component vulnerabilities in software as a service are managed is different from that for on-premise products. The vendor must assert that they have defined and will manage their SBOM in line with the minimum element guidance.
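As an added example (not part of the course transcript), the Python below checks a constructed, CycloneDX-style SBOM document against the baseline fields the narrator lists (supplier, name, version, a unique identifier, author and timestamp) and walks the dependency graph recursively so that an "unknown" dependency, one referenced but not described anywhere in the SBOM, is surfaced rather than silently dropped. The sample document, the component names, the hash value and the use of CycloneDX JSON field names (bomFormat, metadata, components, dependencies, bom-ref, purl) are all assumptions made for illustration; it is not any vendor's real SBOM.

```python
"""Check a CycloneDX-style SBOM against the SBOM minimum-element baseline.

Added example: the document below is constructed for illustration. Field
names follow the CycloneDX JSON layout as an assumption; none of the
components, versions or hashes refer to real software.
"""
import json
from collections import deque

# Constructed sample. "libfoo" depends on "libbaz", which is referenced but
# never described (an unknown dependency); "libbar" lacks a supplier and a hash.
# The SHA-256 value is a placeholder (the digest of the empty string).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "authors": [{"name": "Example Build Pipeline"}],
    "component": {"type": "application", "bom-ref": "app", "name": "example-app",
                  "version": "2.0.0", "supplier": {"name": "Example Vendor"},
                  "purl": "pkg:generic/example-app@2.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/libfoo@1.2.3", "name": "libfoo",
     "version": "1.2.3", "supplier": {"name": "Foo Project"},
     "purl": "pkg:pypi/libfoo@1.2.3",
     "hashes": [{"alg": "SHA-256",
                 "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
    {"type": "library", "bom-ref": "pkg:pypi/libbar@0.9.0", "name": "libbar",
     "version": "0.9.0", "purl": "pkg:pypi/libbar@0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/libfoo@1.2.3"]},
    {"ref": "pkg:pypi/libfoo@1.2.3",
     "dependsOn": ["pkg:pypi/libbar@0.9.0", "pkg:pypi/libbaz@3.0.0"]},
    {"ref": "pkg:pypi/libbar@0.9.0", "dependsOn": []}
  ]
}
""")

# Baseline per-component fields from the minimum-elements guidance.
REQUIRED_COMPONENT_FIELDS = ("supplier", "name", "version")


def all_components(sbom):
    """The described (top-level) component first, then every listed component."""
    comps = []
    top = sbom.get("metadata", {}).get("component")
    if top:
        comps.append(top)
    comps.extend(sbom.get("components", []))
    return comps


def check_minimum_elements(sbom):
    """Return {"mandatory": [...], "recommended": [...]} lists of findings.

    An empty "mandatory" list means the baseline data fields are present.
    Hashes are reported separately because the guidance recommends them
    but does not require them.
    """
    mandatory, recommended = [], []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        mandatory.append("metadata: missing timestamp")
    if not meta.get("authors"):
        mandatory.append("metadata: missing author")
    for comp in all_components(sbom):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                mandatory.append(f"{label}: missing {field}")
        # "Other unique identifiers": accept a package URL or a CPE.
        if not comp.get("purl") and not comp.get("cpe"):
            mandatory.append(f"{label}: no unique identifier (purl/cpe)")
        if not comp.get("hashes"):
            recommended.append(f"{label}: no hash")
    return {"mandatory": mandatory, "recommended": recommended}


def transitive_dependencies(sbom, root_ref):
    """Breadth-first walk of the dependency graph from root_ref.

    Returns (known, unknown): refs that are described in the SBOM and refs
    that are depended on but never described, which the guidance says must
    be called out rather than omitted.
    """
    described = {c["bom-ref"] for c in all_components(sbom) if "bom-ref" in c}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    known, unknown, queue = set(), set(), deque([root_ref])
    while queue:
        ref = queue.popleft()
        for dep in edges.get(ref, []):
            if dep not in described:
                unknown.add(dep)
            elif dep not in known:
                known.add(dep)
                queue.append(dep)
    return known, unknown


if __name__ == "__main__":
    findings = check_minimum_elements(SAMPLE_SBOM)
    known, unknown = transitive_dependencies(SAMPLE_SBOM, "app")
    print("mandatory findings:", findings["mandatory"])
    print("recommended findings:", findings["recommended"])
    print("resolved dependencies:", sorted(known))
    print("unknown dependencies:", sorted(unknown))
```

Run against the constructed document, the checker reports that libbar has no supplier (a baseline gap), that example-app and libbar carry no hash (recommended only), and that libbaz is depended on but never described. In practice the same walk is what lets a purchaser match every transitive component against a vulnerability database by its package URL; an unknown dependency is exactly the blind spot that walk cannot cover.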
Ensuring supply chain security through SBOMs (3m 38s)