Protecting the supply chain with a software bill of materials
- By Susan Miller
- Feb 22, 2021
One way to prevent supply chain hacks would be a software bill of materials (SBOM), a mechanism that would let organizations find out whether any of the software they use is affected by a specific vulnerability.
The National Telecommunications and Information Administration is in the process of helping various industries develop SBOMs, a formal record of the details and supply chain relationships among the various components used in a piece of software. These components, according to NTIA, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.
Currently, organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures, but without an SBOM there is no reliable way to identify which components a software package contains, and therefore no way to know whether a published CVE applies to it. An SBOM would give developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.
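To make the matching step concrete, here is an added illustration (not NTIA code and not any real SBOM format) that walks a constructed SBOM dependency graph and checks each component, including transitive ones, against constructed vulnerability records with placeholder IDs, reporting the dependency path through which an affected component is pulled in. Component names, versions and the `lo`/`hi` range fields are all assumptions made for the example.

```python
"""Minimal SBOM-to-vulnerability matching. Added illustration; the SBOM and
vulnerability records below are constructed and use placeholder identifiers."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: tuple                      # e.g. (1, 2, 3), compared as a tuple
    depends_on: list = field(default_factory=list)


# Constructed SBOM: a product and its transitive dependency graph.
SBOM = {
    "acme-monitor": Component("acme-monitor", (4, 0, 1), ["libnet", "jsonkit"]),
    "libnet":       Component("libnet", (2, 3, 0), ["zlib-shim"]),
    "jsonkit":      Component("jsonkit", (1, 9, 5)),
    "zlib-shim":    Component("zlib-shim", (1, 1, 7)),
}

# Constructed vulnerability records (placeholder IDs, not real CVEs): each names
# an affected component and a version range that is inclusive of lo, exclusive of hi.
VULNS = [
    {"id": "CVE-XXXX-0001", "component": "zlib-shim", "lo": (1, 0, 0), "hi": (1, 2, 0)},
    {"id": "CVE-XXXX-0002", "component": "jsonkit", "lo": (2, 0, 0), "hi": (2, 1, 0)},
]


def is_affected(comp, vuln):
    """True when the component name matches and its version falls in [lo, hi)."""
    return comp.name == vuln["component"] and vuln["lo"] <= comp.version < vuln["hi"]


def dependency_paths(sbom, root):
    """Yield (component_name, path) for root and every transitive dependency.
    A shared dependency is reported once, via the first path that reaches it,
    and the seen-set also guards against cyclic dependency records."""
    def walk(name, path, seen):
        if name in seen:
            return
        seen.add(name)
        path = path + [name]
        yield name, path
        for dep in sbom[name].depends_on:
            yield from walk(dep, path, seen)
    yield from walk(root, [], set())


def find_exposures(sbom, vulns, root):
    """Return (vuln_id, component, version, path) for every affected component."""
    hits = []
    for name, path in dependency_paths(sbom, root):
        comp = sbom[name]
        for v in vulns:
            if is_affected(comp, v):
                hits.append((v["id"], comp.name, ".".join(map(str, comp.version)), " > ".join(path)))
    return hits
```

Running `find_exposures(SBOM, VULNS, "acme-monitor")` on the constructed data flags only the transitive `zlib-shim` dependency, reached via `acme-monitor > libnet > zlib-shim`; `jsonkit` is named in a record but its version is outside the affected range.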
Creating the concept, interoperable data standards, best practices and market expectations for SBOM across industries is a massive challenge.
Licensing concerns and open source restrictions present hurdles, as do requirements for machine readability, modularity and scalability, but those obstacles can be overcome with technical and operational innovation and interoperability, according to Allan Friedman, NTIA’s director of cybersecurity initiatives.
“Medical device manufacturers jumped on the SBOM train in 2018, standardizing data from specific devices that could be shared with the hospitals, which in turn use it for specific use cases,” Friedman said at a recent FCW supply chain security workshop. “Meanwhile the manufacturers can also use this data generation process to better understand their supply chain.”
The automotive sector is likewise jumping on board so that automotive suppliers and OEMs can better understand what's in their software and quickly mitigate vulnerabilities.
Building on the work of the health care sector, the energy industry is planning a proof of concept in which software suppliers and users will work together to develop and test formats and procedures for production and use of SBOMs, according to a blog post by Tom Alrich, a security consultant for the power industry.
Interoperability is critical, even as various industries explore their own SBOM use cases.
“We've adopted a position of radical ecumenicism,” Friedman said. “Our interest is to help those communities work together and indeed they are.” Rather than seeing other industries as competitors, he said, “each brings different things to the table, and that's great.”
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.