CISA Says: Generate and Audit a Software Bill of Materials (SBOM) to prepare for the next Log4j

Following the devastating vulnerabilities recently found in Log4j, the Cybersecurity & Infrastructure Security Agency (CISA) in the United States has pointed to the SBOM – called for in President Biden’s cybersecurity Executive Order (EO) – as a way to make remediation of similar vulnerabilities easier in the future.

In light of this, we thought it would be useful to provide an easy overview of SBOMs – what they are, and how to obtain them. 

A software bill of materials provides a structured approach to achieving supply chain security. It increases the transparency into your software components and ensures your products perform securely and as intended. 

This blog talks about how to generate and audit a software bill of materials:

What Is a Software Bill of Materials?

A software bill of materials (SBOM), is a list of components that make up a piece of software. It’s a nested inventory that provides those who create, buy, and operate software with the necessary information to track the supply chain relationships and understand their behavior.

Developers usually create products by bringing together open source and proprietary software components. Software bill of materials is a formal, machine-readable description of the components in the products. 

The idea of SBOM is borrowed from the traditional manufacturing industry in which manufacturers often use a BOM (bill of materials) to list the raw materials and other components required to produce an end product. If anomalies are detected in any aspect of the manufacturing process, a BOM makes it easy to locate and fix issues.

What’s The Need For SBOM?

Let’s talk about some main benefits of creating and auditing a software bill of materials. 

1. Reduces Supply Chain Risks

The software supply chain comprises each non-organic component that goes into the production of a piece of software. It includes pre-built libraries, open source packages, and other third-party resources used to expedite development and improve software quality.

Malicious actors usually implant dangerous code in third-party packages. And when an unsuspecting user installs the infected package, their system gets compromised, leading to a supply chain attack. 

Attacks targeted at the software supply chain are on the rise. Between 2020 and 2021, almost 7,000 software supply chain attacks were recorded.

A major advantage of a software bill of materials is that it increases transparency into the various supply chain components. This enhanced visibility lets software producers, purchasers, and operators better identify and address vulnerabilities.

2. Increases Consumer Confidence

An SBOM is just like a list of ingredients on a food packet; consumers usually consult the labels before making a purchase decision. Similarly, software buyers can consult an SBOM to perform vulnerability analysis and determine the suitability of the product. 

Consumer confidence is particularly important in today’s software industry where attackers like targeting open source components to infiltrate the software supply chain. With the massive use of open source codebases in software development projects—from 36% in 2015 to 75% in 2020—they offer a lucrative opportunity for attackers to inject vulnerabilities and compromise the supply chain. 

Creating an SBOM is a proactive approach to understanding the supply chain and ensuring its various components, including open source codebases, are safeguarded from attacks. This increases the buyers’ confidence in consuming the software.

Additionally, an SBOM can be pivotal when an organization is conducting due diligence for merger and acquisition purposes. An SBOM can simplify the auditing process, provide transparency into an organization’s technical proficiency, and build trust with prospects. 

3. Supports Regulatory Compliance

The recent escalation of supply chain attacks, such as the widely publicized SolarWinds attack in late 2020, has ignited a regulatory response from the government. In May 2021, the Biden administration issued an executive order that aimed to improve the US’s cybersecurity defenses. 

The order sets out new security requirements for any software sold to the Federal Government. One such strict requirement is that vendors should include an SBOM to maintain greater transparency into their software and prevent supply chain attacks. 

Given the buying power of the Federal Government, the rest of the software development industry is likely to follow suit and require SBOMs for all critical software. 

Traditional Methods Of Generating SBOMs

The traditional methods of creating a software bill of materials come with several challenges that complicate effective SBOM management. They often introduce several risks and issues that increase the possibility of getting attacked. 

For example, some organizations generate and manage SBOMs manually using spreadsheets or emails. Such methods often lead to several challenges, including the following:

• Managing SBOMs traditionally leads to scaling challenges, especially when an organization gets more supply chain partners, introduces new products, or experiences growth. 
• Using a spreadsheet-based SBOM complicates the tracking of the hierarchical relationships between different software parts. Worse still, if an SBOM document is modified and shared with multiple people, it complicates identifying the latest revised file. 
• Looking for information in a spreadsheet bill of material is tedious and slow, especially if two or more products have some components in common. Even if your organization has a spreadsheet-formula guru, digging into SBOMs does not amount to productive work.

Additionally, some organizations use traditional tools to create and manage SBOMs. That’s another way of doing SBOM incorrectly, and it often leads to several problems, including the following:

• Many tools are not suited for managing SBOMs. For example, they disclose vulnerabilities without giving a clear path of addressing them, they cover only a specific set of programming languages or package managers that leads to incomplete SBOMs, and produce high false-positive rates that misdiagnose libraries and dependencies. Such incompetency exposes organizations to greater risks. 
• Many tools cannot generate SBOMs automatically in a machine-readable format. They cannot also scale to meet emerging software development needs. Such issues often slow down the release process and hurt the organization’s bottom line. 

Best Practices For Generating And Auditing SBOMs

Generating and auditing SBOMs require a modern approach that can help you surmount the challenges of mitigating supply chain risks. 

Here are some best practices for managing software bill of materials:

• Use a tool that supports automation. The Biden’s executive order requires software inventories to be automatically generated in a machine-readable format. If you use a tool that does not support full automation, you will not meet the requirements. You can also create loopholes for attackers to harm your supply chain.
• Use a tool that supports continuous remediation. You need a tool that continuously discovers and addresses supply chain risks. It should assist you in avoiding harmful components at the sourcing stage and continuously alert you when any anomaly is detected during development or production. It should also be capable of identifying risks in downstream components in case an upstream component is infected. 
• Use a tool that covers all aspects of an SBOM. You need a comprehensive tool that provides an up-to-date and accurate inventory of your supply chain components. An end-to-end tool will cover all the technology stacks and programming languages used in your organization. Otherwise, you may generate SBOMs that do not paint the correct picture of your software inventories.
• Use a tool that makes your life easy. You need a versatile tool that will point out how to address the identified risks, scale comfortably across your software ecosystem, and produce low false-positive rates. With a good tool, you’ll not need to stop and research how to fix a vulnerability or get insufficient SBOM reports, which can affect the quality of the released software.

How Mend SBOM Can Help

Mend SBOM is a modern, remediation-centric tool that can help you implement SBOMs and ward off supply chain attacks. It focuses on the open source components of your supply chain and provides deep inspection that allows you to identify vulnerabilities in your applications.

With Mend SBOM, you can swiftly and easily produce a software bill of materials that reveals all open source libraries, tracks and documents direct and transitive dependencies, and automatically updates whenever a change is detected in any component. If it discovers a vulnerability, the tool recommends a safe remediation path that ensures no breakages to the build. 

It’s the tool you need to automatically generate accurate and comprehensive SBOMs and take your application security to the next level. 

Meet The Author

Alfrick Opidi

An experienced full-stack web developer with a deep interest in taking technical information and converting it into easy to understand content. Alfrick ןד a technology enthusiast who explores the latest developments in the industry and presents them in a relatable, concise, and decipherable manner.