As quantum computing threatens to undermine today’s cryptographic standards, organizations must move quickly to achieve crypto-agility and secure their software supply chains. This blog post explores how a Cryptography Bill of Materials (CBOM) offers a structured, standards-based approach to discovering and managing the cryptographic assets within software. It also shows how enterprise security teams can use Spectra Assure™ to inventory cryptographic assets at scale, prioritize migration activities using a risk-based approach, and take decisive steps toward a quantum-resilient future.
Exploring the Quantum Threat
For centuries, cryptography has been used as a mechanism for protecting the confidentiality and integrity of information. At its core, cryptography relies on mathematical functions to transform human-readable data into an encoded string using a variable called a key. Encrypting information ensures that only the individuals who are authorized to view the data are given the key needed to decode it.
As modern technology has evolved, so have the mathematical algorithms supporting cryptographic methods. This progress has occurred out of a necessity to ensure that aging key systems cannot be cracked. However, it wasn’t until recently that material advances in quantum computing introduced the risk of previously secure algorithms becoming compromised in an accelerated manner.
As quantum resources become readily available to malicious actors, governments and businesses that are obligated by legislative and regulatory bodies to protect sensitive information are scrambling to achieve crypto-agility. This requires establishing resilient and agile practices so that a business can quickly transition away from insecure cryptographic methods and mitigate the risk of exploitation.
How Can You Achieve Crypto-Agility?
Achieving cryptographic agility is no small task, with strategic transformation programs aimed at updating or replacing existing cryptographic technologies often running for several years. To aid in mapping out these efforts, the UK National Cyber Security Centre has established a set of guidelines to migrate safely to post-quantum cryptography (PQC).
In the multi-year roadmap defined by NCSC, the first milestone is a comprehensive discovery exercise. The goal of this activity is to understand your important business services and their supporting systems, identify which of them depend on cryptographic methods, and determine which of those methods need to be upgraded to ensure PQC readiness. This includes both in-house developed and externally procured systems and services that you may use to access, process, store or transmit sensitive information.
Think of this as a comprehensive asset inventory detailing the cryptographic algorithms, certificates, protocols, and other cryptographic material that these systems rely on. It is critical that this inventory captures the dependencies between components of your systems and services. Understanding these relationships lets an organization identify the level of effort required to fix any one component, together with the ancillary cryptographic services it may depend on.
How Does PQC Apply to Software?
Given that most modern business services and supporting processes run on software, it is vital to confirm that the cryptographic assets embedded within them are secure. For example, public key algorithms like RSA, DH, ECDH, DSA or ECDSA are not considered quantum-safe. According to OWASP, these algorithms are commonly hardcoded into software packages or introduced via third-party cryptographic libraries or services. Software is often targeted as the principal attack surface, and if it is not properly secured it can directly expose businesses and governments alike to quantum threats.
As reported by Utimaco in their PQC Readiness Report, 49% of organizations consider software, firmware, and document signing one of the most urgent use cases for PQC migration for exactly this reason. Organizations recognize their reliance on software to operate critical business functions and the impact if that software is compromised. In response to this known risk, OWASP has expanded its existing SBOM standard (CycloneDX) to support PQC initiatives in a systematic way by defining an object model that describes the cryptography used in software.
Specifically, the new Cryptography Bill of Materials (CBOM) is an industry standard object model describing cryptographic assets and their dependencies. As recognized by NIST, when successfully integrated into reporting and software development, CBOMs provide the potential to enable organizations to manage and report usage of cryptography, benefiting asset inventory activities.
How Can Spectra Assure Help?
Traditional ingredient-only SBOMs lack context and do little to address emerging risks. The Spectra Assure SAFE report includes the most comprehensive SBOM and risk assessment of an application to identify malware, tampering, suspicious behaviors, and more. With expanded xBOM support, Spectra Assure now offers comprehensive inventories with actionable security assessments for cryptographic assets, helping users reach the first “discovery” milestone in their PQC journey.
For every software package uploaded for analysis, Spectra Assure generates a CBOM. The resulting artifact surfaces hidden cryptographic risks by inventorying all algorithms, keys, certificates, and protocols. This detailed visibility helps identify weak or outdated cryptography, ensuring compliance with evolving standards, empowering proactive risk management, and safeguarding sensitive data across the entire software supply chain. The SAFE report also highlights the component or dependency, with the exact file path in the software package, where those cryptographic methods are in use. This targeted information enables users to quickly locate any issue that requires action and act on it.

Figure 1: Spectra Assure SAFE Report, visualizing sample cryptographic assets discovered in software
Because the export has a programmatic structure, this information can also be exported as a CycloneDX report in .json format and later imported into databases or other external tools for storage or monitoring.

Figure 2: CBOM generated by Spectra Assure in CycloneDX format
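A minimal consumer of such an export, added here as an example that is not part of the original post or of Spectra Assure's tooling: it reads a constructed CycloneDX CBOM, inventories each cryptographic-asset component together with the file path where it occurs and the component that depends on it, and flags the public-key algorithms the post lists as not quantum-safe (RSA, DH, ECDH, DSA, ECDSA) and the deprecated algorithms it names (SHA-1, MD5, DES). The field names (`cryptoProperties`, `assetType`, `algorithmProperties`, `nistQuantumSecurityLevel`, `evidence.occurrences`, `dependencies`) follow the CycloneDX 1.6 schema as I understand it; the sample values, file paths and component names are invented for this example.

```python
"""Inventory the cryptographic assets in a CycloneDX CBOM export (added example)."""
import json
import re

# Public-key algorithms the post lists as not quantum-safe.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "DSA", "ECDSA"}
# Deprecated algorithms the post names as discouraged.
DEPRECATED = {"SHA-1", "MD5", "DES"}

# Constructed sample CBOM: field names follow the CycloneDX 1.6 cryptoProperties
# schema (assumption); every value is invented for this example.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "application", "name": "payment-service", "bom-ref": "app:payment"},
        {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "crypto:rsa2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "signature",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "lib/auth/sign.py"}]}},
        {"type": "cryptographic-asset", "name": "sha1", "bom-ref": "crypto:sha1",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}},
         "evidence": {"occurrences": [{"location": "lib/cache/digest.py"}]}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "crypto:aes",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae",
                                                      "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "name": "TLS 1.2", "bom-ref": "crypto:tls12",
         "cryptoProperties": {"assetType": "protocol",
                              "protocolProperties": {"type": "tls", "version": "1.2"}},
         "evidence": {"occurrences": [{"location": "config/http.yaml"}]}},
    ],
    "dependencies": [
        {"ref": "app:payment", "dependsOn": ["crypto:rsa2048", "crypto:sha1", "crypto:tls12"]},
    ],
})


def family(name):
    """Map an algorithm name to its family: 'RSA-2048' -> 'RSA', 'sha1' -> 'SHA-1'."""
    n = re.sub(r"^SHA1\b", "SHA-1", name.upper().replace("_", "-"))
    for fam in QUANTUM_VULNERABLE | DEPRECATED:
        # Anchor at the start and forbid a following letter so ECDH != ECDSA and DH != DHE.
        if re.match(rf"^{re.escape(fam)}(?![A-Z])", n):
            return fam
    return n


def status_of(props, fam):
    """Classify one algorithm asset as quantum-vulnerable, deprecated or ok."""
    algo = props.get("algorithmProperties", {})
    if fam in QUANTUM_VULNERABLE or algo.get("nistQuantumSecurityLevel") == 0:
        return "quantum-vulnerable"
    if fam in DEPRECATED:
        return "deprecated"
    return "ok"


def inventory(cbom_json):
    """Return one record per cryptographic asset: status, file paths and dependants."""
    bom = json.loads(cbom_json)
    components = bom.get("components", [])
    name_of = {c.get("bom-ref"): c["name"] for c in components}
    # Invert the dependency graph so each asset knows which components rely on it.
    used_by = {}
    for dep in bom.get("dependencies", []):
        for ref in dep.get("dependsOn", []):
            used_by.setdefault(ref, []).append(name_of.get(dep["ref"], dep["ref"]))
    records = []
    for comp in components:
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        asset_type = props.get("assetType", "unknown")
        fam = family(comp["name"])
        # Only algorithms are judged here; protocols and certificates are listed for
        # review, since their strength follows from the algorithms they depend on.
        status = status_of(props, fam) if asset_type == "algorithm" else "review"
        records.append({
            "name": comp["name"], "family": fam, "asset_type": asset_type,
            "primitive": props.get("algorithmProperties", {}).get("primitive"),
            "status": status,
            "locations": [o.get("location") for o in comp.get("evidence", {}).get("occurrences", [])],
            "used_by": used_by.get(comp.get("bom-ref"), []),
        })
    return records


def summarize(records):
    """Count assets by status, e.g. {'quantum-vulnerable': 1, 'deprecated': 1, ...}."""
    counts = {}
    for r in records:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = inventory(SAMPLE_CBOM)
    for r in recs:
        print(f"{r['status']:<19} {r['name']:<12} {r['asset_type']:<10} "
              f"{', '.join(r['locations']) or '-'}  used by: {', '.join(r['used_by']) or '-'}")
    print(summarize(recs))
```

The `used_by` field is what makes the inventory more than a list: it is the dependency relationship the NCSC discovery milestone asks for, so a flagged algorithm can be traced to the service that relies on it.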
How to Operationalize a PQC Migration Plan
At the end of the day, a CBOM is simply a list. Value can only be derived from this list once the business has established PQC migration plans for its cryptographic inventory that are aligned with broader organizational resilience objectives. If a business fails to establish migration plans for inventoried assets that are weak or outdated, it will end up supporting legacy software and its supporting infrastructure, incurring high operational costs and losing extended support.
To support this migration plan, a business must establish and enforce clear remediation strategies based on the cryptographic assets identified and the systems they support. According to the NCSC, several options are available for consideration:
1. In-place migration: Replace the vulnerable cryptographic asset with PQC resilient equivalents, making minimal changes to the rest of the system. In August 2024 NIST announced the approval of three new Federal Information Processing Standards (FIPS 203-205) designed to resist future attacks by quantum computers.
2. Re-platform: Switching the product or service to a new or upgraded platform that does offer PQC compatibility, taking the opportunity this exercise provides to review your broader architectural choices. For example, you might choose to move from on-premises to cloud-based infrastructure.
3. Retire the service: Set a future date for withdrawing it to avoid the necessity for migration.
4. Run until end-of-life: Where a system is likely to be decommissioned or deprecated anyway within a defined timeframe.
5. Tolerate the risk: Continue to operate without a mitigation to the quantum computing threat.
Business Context is Important
When actioning these remediation strategies, it is important to consider the business context and the supporting control environment. For example, although the use of deprecated cryptographic algorithms (SHA-1, MD5, DES) is discouraged due to their susceptibility to compromise, their presence in software does not necessarily pose a risk to the consumer of the application. Several conditions may significantly mitigate or entirely neutralize the risk of weak cryptography in use:
- Sensitivity of data being accessed, processed, stored or transmitted by the application
- Functional use case such as an algorithm being used for integrity checks rather than digital signatures or data protection
- In-line software mitigations such as using TLS to secure the communication channel
- Compensating controls such as access control, audit logging, and monitoring
In the event that business context is not readily available, for example if the software is third-party developed, Spectra Assure enables organizations to share CBOMs and analysis reports directly with upstream software vendors. This takes the guesswork out of risk management by eliminating uncertainty around whether the use of deprecated cryptographic algorithms exposes sensitive data of the downstream consumer.
The Time for Quantum Resilience is Now
The time to take action is now. According to Utimaco’s report, 54% of organizations plan to migrate to PQC within the next 3 years to keep pace with recommended NIST and NCSC guidelines. One of the main challenges identified by 34% of respondents was an unclear starting point, with practitioners lacking visibility into their cryptographic estate.
If you are ready to migrate towards a quantum resilient future, consider taking the following first steps:
| Step | Task | Details |
| --- | --- | --- |
| 1 | Build an inventory of cryptographic assets | Generate CBOMs for all software you build or buy. CBOMs play a vital role in cryptographic asset discovery by providing a source of information to populate a complete inventory. |
| 2 | Establish a risk-based approach to migration | Develop a sequenced migration plan based on risk, prioritizing cryptographic assets that pose the greatest impact to your business. For example, start with insecure network protocols that may actively expose sensitive data today, before addressing digital certificates, which primarily protect against future impersonation and tampering attacks. |
| 3 | Utilize quantum-safe libraries | Leverage third-party libraries which implement PQC. Initiatives such as the Open Quantum Safe project have been established to support the transition towards quantum-resistant cryptographic algorithms through the release of open source libraries prototyping integrations into protocols. For example, adapting TLS 1.3 to be quantum resilient via a fork of OpenSSL. |
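Putting step 2 together with the mitigating conditions listed under "Business Context is Important", as an added example that is not from the post or from ReversingLabs: given an inventory of findings like those a CBOM yields, it scores each asset by class in the order the post suggests (live protocol exposure first, then quantum-vulnerable public-key use, then certificates, then deprecated hashes), discounts the score for data sensitivity, integrity-only use, in-line TLS and compensating controls, sorts the result into a sequenced plan, and suggests one of the NCSC options from the list above. The `Asset` fields, the weights, the thresholds and the sample assets are all constructed assumptions for illustration, not guidance from NCSC or NIST.

```python
"""Risk-based sequencing of a cryptographic inventory with business context (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Base urgency by asset class, in the order the post suggests. Values are illustrative.
BASE_RISK = {"protocol": 9, "public-key": 7, "certificate": 5, "hash": 3}
# Multiplier for the sensitivity of the data the asset protects (assumed scale).
SENSITIVITY_WEIGHT = {"public": 0.2, "internal": 0.6, "confidential": 1.0, "restricted": 1.2}


@dataclass
class Asset:
    """One finding from the inventory, enriched with business context (constructed fields)."""
    name: str
    asset_class: str                       # key of BASE_RISK
    file_path: str                         # where the CBOM located it in the package
    data_sensitivity: str                  # key of SENSITIVITY_WEIGHT
    integrity_only: bool = False           # hash used for integrity checks, not signatures
    tls_protected: bool = False            # channel wrapped in TLS in-line
    compensating_controls: bool = False    # access control, audit logging, monitoring
    decommission: Optional[date] = None    # planned end of life, if known


def residual_risk(a: Asset) -> float:
    """Base risk for the asset class, discounted by each mitigating condition that applies."""
    score = BASE_RISK[a.asset_class] * SENSITIVITY_WEIGHT[a.data_sensitivity]
    if a.integrity_only:
        score *= 0.5
    if a.tls_protected and a.asset_class != "protocol":   # TLS cannot mitigate itself
        score *= 0.5
    if a.compensating_controls:
        score *= 0.8
    return round(score, 2)


def strategy(a: Asset, risk: float, today: date) -> str:
    """Pick an NCSC option; the thresholds are illustrative, not guidance."""
    if a.decommission and (a.decommission - today).days <= 365:
        return "run until end-of-life"
    if risk < 1.0:
        return "tolerate the risk"
    return "in-place migration"


def migration_plan(assets: List[Asset], today: date = date(2025, 1, 1)) -> List[dict]:
    """Return the inventory as a sequenced plan, highest residual risk first."""
    scored = sorted(((residual_risk(a), a) for a in assets), key=lambda r: (-r[0], r[1].name))
    return [{"order": i + 1, "asset": a.name, "path": a.file_path, "risk": r,
             "strategy": strategy(a, r, today)} for i, (r, a) in enumerate(scored)]


# Constructed sample inventory; names, paths and context are invented.
SAMPLE_ASSETS = [
    Asset("TLS 1.2", "protocol", "config/http.yaml", "confidential"),
    Asset("RSA-2048", "public-key", "lib/auth/sign.py", "restricted", compensating_controls=True),
    Asset("server certificate", "certificate", "certs/server.pem", "confidential"),
    Asset("SHA-1", "hash", "lib/cache/digest.py", "internal", integrity_only=True),
    Asset("MD5", "hash", "tools/legacy_report.py", "public", tls_protected=True,
          decommission=date(2025, 6, 30)),
]

if __name__ == "__main__":
    for row in migration_plan(SAMPLE_ASSETS):
        print(f"{row['order']}. {row['asset']:<19} risk={row['risk']:<5} "
              f"{row['strategy']:<22} {row['path']}")
```

The point of the discounting is the one the post makes: the same deprecated hash scores very differently when it only checks the integrity of public data behind TLS than when it protects restricted data, so the plan puts the live protocol and the public-key signature first and lets the legacy reporting tool run out its decommission date.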
As quantum threats begin to materialize, organizations must take immediate steps to identify and remediate vulnerable cryptographic assets within their software. Spectra Assure™ simplifies this process by generating comprehensive CBOMs and providing actionable insights. Contact ReversingLabs to explore how we can support your first steps toward a quantum-resilient future.