With software supply chain attacks ramping up — and presenting a very real new risk category for security teams and CISOs — software bills of materials (SBOMs) are getting the nod from both government and industry experts as a "no brainer."
SBOMs have become an essential talking point in the conversation on how to best secure the software supply chain. At MITRE’s Supply Chain Security Hot Topics Summit 2022, a panel discussion, moderated by MITRE’s VP of Cyber Technologies Wen Masters, Ph.D., featured both private and public sector officials who all had something to say about SBOMs.
The MITRE panel comprised of three top experts in the field of software supply chain security: Allan Friedman, a Senior Advisor and Strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Michael Worden, a Technical Director at Raytheon Technologies, as well as Brian Knight, a Principal Product Manager at Microsoft. The panel demonstrated industry and government agreement on a key point: SBOM adoption is essential for securing the software supply chain.
Here are four key takeaways from the MITRE panel.
1. SBOMs are a ‘no-brainer’
As we have discussed before, SBOMs serve as a great first step for any organization that produces or uses software. Similar to the iconic black-and-white food nutrition label, SBOMs comprise a list of a software package’s ingredients, and classifies these components regarding their origin and severity.
As a part of his role at CISA, Friedman has become the federal government’s SBOM ‘cheerleader.’ In the beginning of MITRE’s panel, Friedman prefaced his SBOM talking points by defining SBOMs, as well as mentioning the importance of the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity (14028). This Executive Order served as the catalyst for a string of official documents being released by the federal government meant to craft policy on securing the software supply chain.
These federal guidelines include the National Institute for Standards and Technology’s (NIST) Secure Software Development Framework, the Enduring Security Framework working panel’s report on “Securing the Software Supply Chain” (PDF), as well as the Office of Management and Budget’s (OMB) Memorandum M-22-18 (PDF). Each of these federal guidelines cites the use of SBOMs as being helpful in mitigating software supply chain risks.
While SBOMs are a relatively new concept, Friedman said that organizations should move quickly to embrace them.
“There is no reason why any organization that has non-trivial security maturity, cannot start producing SBOMs based on their software, asking for SBOMs from their suppliers, and beginning to consume them."
Raytheon's Worden offered the practitioner’s perspective as a leader in the cybersecurity industry, largely echoing Friedman’s points.
“As a security engineer, we’re never certain… We focus on the burden of truth… [An SBOM] helps us get to a burden of truth."
Speaking about the power of SBOMs, Worden highlighted the importance of transparency for security practitioners and the rest of the industry. He believes that SBOMs have the ability to cast light onto what can possibly compromise any software package, making it an essential tool for practitioners.
“SBOMs’ power is that it can apply to the entire world of software,” allowing security practitioners, regardless of their industry, whether it be medical devices or financial technology, to gain visibility into the software they rely on, Friedman said.
2. There's much more to do on SBOM adoption
While efforts to secure software and embrace the use of SBOMs are moving in the right direction, more work is needed to increase SBOM adoption and make them both practical and useful, the experts agreed.
For example, Worden stressed that security practitioners need visibility into the data that can depict software supply chain risks: “The next step is to… push the development of useful analytics,” he said. Tools such as SBOMs will only help improve software security if the software industry as a whole is actually willing to generate and use them. Until adoption is high, security practitioners will continue to be left in the dark when assessing software supply chain risk, the experts agreed.
That was also one conclusion of a Dimensional Research survey that found that only 27% of software organizations generate and review SBOMs. Additionally, an overwhelming 9 in 10 software professionals warned that the difficulty to create and review SBOMs is increasing.
3. Automation is a must
With the threat landscape and development environments constantly changing, automation is key if SBOMs are to be effective, the experts agreed.
"If we’re not able to do this through automated tools at scale, we will fail.”
At the practitioner level, Worden also shared concern towards a lack of automation: “How do you automate this, so that we can respond at the speed that software is evolving?”
Both Friedman and Worden, representing government and industry, agreed that at the micro and macro level, SBOMs absent of automation will lead software security efforts down the wrong path.
4. SBOMS need to evolve alongside risks
As the industry continues to learn more about risks to the software supply chain, SBOMs will also need to evolve, the experts agreed. “We expect the set of what constitutes an SBOM to increase,” based on past requirements for SBOMs set in 2021 that are no longer adequate, Friedman said.
The developing trends around SBOM use demonstrate that securing the software supply chain will be a journey, Friedman said. That means the software industry is going to have to adapt SBOMs alongside the changing threat landscape in an effort to support security practitioners.
“We need to tell some better stories about what SBOMs mean.”
- Join Webinar: Threat Modeling & Software Supply Chain Security
- Supply Chain Risk Report: Learn why you need to upgrade your app sec
- See Special Report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Get report: Supply chain and the SOC: Why end-to-end security is key