One way to prevent supply chain hacks would be with a software bill of materials, a mechanism that would allow organizations to find out if any of the software they use has been affected by a specific vulnerability.
One way to prevent supply chain hacks would be with a software bill of materials (SBOM), a mechanism that would allow organizations to find out if any of the software they use has been affected by a specific vulnerability.
The National Telecommunications and Information Administration is in the process of helping various industries develop SBOM, or a formal record of the details and supply chain relationships among the various components used in software. These components, according to NTIA, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.
Currently organizations looking to find and manage vulnerabilities check the National Vulnerability Database for Common Vulnerabilities and Exposures, but without a SBOM, there’s no way to identify the components of a software package. A SBOM would give developers, buyers and users of software a way to track software dependencies across supply chains, manage vulnerabilities and anticipate emerging risks.
Creating the concept, interoperable data standards, best practices and market expectations for SBOM across industries is a massive challenge.
Licensing concerns and open source restrictions present hurdles, as do requirements for machine readability, modularity and scalability, but those obstacles can be overcome with technical and operational innovation and interoperability, according to Allan Friedman, NTIA’s director of cybersecurity initiatives.
Medical device manufacturers jumped on the SBOM train in 2018, standardizing data from specific devices that could be shared with the hospitals, which in turn use it for specific use cases,” Friedmand said at a recent FCW supply chain security workshop. “Meanwhile the manufacturers can also use this data generation process to better understand their supply chain.“
The automotive sector is likewise jumping on board so automotive suppliers and OEMs better understand what's in their software and quickly mitigate vulnerabilities.
Building on the work of the health care sector, the energy industry is planning a proof of concept in which software suppliers and users will work together to develop and test formats and procedures for production and use of SBOMs, according to a blog post by Tom Alrich, a security consultant for the power industry.
Interoperability is critical, even as various industries explore their own SBOM use cases.
“We've adopted a position of radical ecumenicism,” Friedman said. “Our interest is to help those communities work together and indeed they are.” Rather than seeing other industries as competitors, he said, “each brings different things to the table, and that's great.”
NEXT STORY: Login.gov opens to state and local programs