Do you understand the risk in your software sausage?
- By Mike Dager
- Aug 11, 2021
Like sausage, software is made up of many components, perhaps some of dubious origin. Despite the fact that sausages can be a “mystery meat,” they are typically safe to eat thanks to Food and Drug Administration guidelines and oversight.
The software industry, however, lacks an FDA equivalent. Businesses must generally accept that the commercial off the shelf applications they purchase are safe and free from security vulnerabilities. Recent developments like SolarWinds attack, though, are forcing organizations to reexamine the security of their software supply chain. This includes understanding the pedigree of the components that make up software being used in an enterprise. Since an application is only as secure as its least secure component, it’s imperative to know what’s in the software sausage.
Finding out what’s in software, begins with an ingredient list, or a software bill of materials of all components used in an application. Without an SBOM, any quality and security issues associated with components used in a software product present a risk that remains hidden from the end customer. In fact, software developers may themselves be unaware of the vulnerabilities in dependencies buried in the code they reuse.
But a SBOM is more than just a list of software components, it’s a continuously updated catalog of software, version information and known vulnerabilities in the detected components -- including any dependencies. In addition, it can be embedded within each application, making audit requests more reliable.
Vulnerabilities in reused components pose a high risk and create an easily exploitable attack surface for software products. They often exist in older versions of open source or commercial products, are public knowledge and vulnerable to freely available exploit code. Some vulnerable components in existing products have been in the marketplace for years. More often than not, these dependencies aren’t updated, and as new vulnerabilities are discovered, security risks propagate to every copy of a software product ever sold or distributed.
President Joe Biden’s recent cybersecurity executive order has placed software code security under a microscope and raised awareness for the need for a SBOM similar to FDA labeling.
Software really is like sausage, we’re often not completely sure what goes into it. However, the industry is coming around to the fact that we need an equivalent of FDA labeling to manage and mitigate our exposure to security risk lurking in third-party software. It takes constant diligence to make sure reused components don’t become vulnerable to being compromised as new threats emerge.
Integrating software composition analysis into IT risk management processes and procedures to monitor the supply chain for security threats using a constantly updated SBOM is fast becoming a best practice.