Solutions are coming to address the vulnerable, often-attacked software supply chain.

As we reported recently, the vulnerable, often-attacked software supply chain is still very much unsecured. But there is some good news—since we looked at the subject last year, progress has been made on one of the most discussed solutions: the software bill of materials (SBOMs).

SBOMs document third-party software components—including open-source and commercial pieces—embedded in the products of software suppliers. They’re required by all companies selling to the federal government, per a 2021 White House executive order.

Some suppliers are already complying or will be soon. A February survey by the Linux Foundation revealed that 78% of organizations expect to produce or consume SBOMs this year and 47% are already doing so.

That’s a good thing, because the White House just upped the ante. The U.S. Office of Management and Budget is now requiring federal agencies to comply with previously released guidance from the National Institute of Standards and Technology, SP 800-218, for securing software supply chains. That includes getting self-attestations from software producers before using their products. “Software” covers a wide range, including applications, application services, operating systems, and firmware.

However, compliance with the executive order still depends on self-regulation. There are no consequences for non-compliance, Ron Brash, vice president of technical research and integrations for aDolus Technology, said in an interview with EE Times.

“Both asset owners and asset vendors are aware of this,” he said. “Top-tier vendors have been generating SBOMs, but there are still problems in communicating vulnerabilities, in fixing them, or just in the tsunami of issues that come when you start dissecting all your code. The list of components to be documented is potentially huge, and so are all the changes a developer might have made to each one.”

While ideally those who create software should be responsible for providing SBOMs, the question remains of how we can ensure this actually gets done, Jon Jarboe, director of product marketing for Cycode, said in an interview with EE Times. “The direction we’re going in is the expectation that you deliver an SBOM with your code. Once the federal government gets the ability to enforce that expectation and has a standard format for it, the rest of the industry will likely coalesce around that standard and process.”

Open source complicates things

Over 90% of software applications use open-source components, according to a June study by Venafi. So the problem of who’s responsible for updating them—and whether they get updated at all—complicates the creation and use of SBOMs even more.

Most developers never update third-party libraries used in their software, according to a comprehensive June 2021 report from Veracode. That may be partly because not all GitHub repositories are actively maintained or have reputable contributors.

One of the most troublesome examples is the zero-day vulnerability revealed last December in the ubiquitous Log4J Java logging library. “Many companies knew they had Log4J somewhere in their software, but not exactly where,” said Jarboe. “A lot of security teams were scrambling for weeks to figure out where they were exposed so they could apply updates.”

Another consists of attacks taking advantage of vulnerabilities in the NPM Javascript package manager. Some NPM malware has extracted user data from desktop and mobile applications, while other malware exploits harness bugs that let attackers publish new package versions even if they don’t have an authorized account.

Several recent studies report that vulnerabilities in open-source software are declining. That’s fortunate, since a global, cross-industry February study by Revenera, which examined more than 2.6 billion lines of code, found that companies know about only 17% of the open-source components they use.

Standards, tools in the making for SBOMs

A number of different consortia and tools are being created, and standards emerging, to aid software companies and developers in constructing and managing SBOMs and open-source software.

Last year, the Automated Source Code Quality Measures developed by the Consortium for Information and Software Quality (CISQ) became an ISO standard. ISO/IEC 5055: 2021 “measures the structural quality of software based on detecting and counting weaknesses in security, reliability, performance efficiency, and maintainability,” CISQ said in a statement. It’s the first ISO standard that measures software qualities using internal, structural aspects of software instead of how it behaves in operation.

In May this year, the White House became a member of the Open Source Security Foundation, a cross-industry organization hosted by the Linux Foundation. Other members include organizations in software development, cybersecurity, financial services, communications, and academia, such as Google, Microsoft, IBM, Cisco, GitHub, Intel, Meta, Oracle, Red Hat, VMware, Snyk, and JFrog. They are working on software supply chain security initiatives, resources, and training.

Also in May, JFrog, Docker, DeployHub, Futureway, Oracle, and others formed Project Pyrsia. This build network and repository uses blockchain technology to validate the sources and security of open-source software packages.

In July, Microsoft released a version of its internal tool for generating SBOMs as an open-source, cross-platform toolkit. The tool, called Salus, is based on the Software Package Data Exchange (SPDX) open standard for creating SBOMs.

But even if everyone adopts a single standard, such as SPDX, there will still be different interpretations of it, each requiring support, said Brash. “For example, an asset inventory or vulnerability management solution that may utilize SBOMs must support not only SPDX in spirit, but Microsoft’s version, and any other flavors—all of this becoming a nuanced affair, and a challenge for both asset owners and product makers.” Yet a framework that’s too vague could lead to enforcement challenges.

“This is important to consider, because the next problem facing software supply chain security is not generating SBOMs or vulnerability eXchange documents,” said Brash. “Instead, it includes validating their contents for accuracy, cutting through the noise, and coalescing the vast amounts of information into consumable and actionable bites while achieving legislative compliance, whatever that may be.”

Even with standards in place, problems of usage and education remain. “If the product development toolchain incorporates the SBOM generation and it’s automated and easy, developers might use it,” said Brash. “But this is still new to most developers and product development companies.”

On the product development side, in addition to problems such as legacy products, a key issue is how to normalize SBOMs in a program that looks at all product details, said Brash. “How do we get all that data in one place? And how do we present the advantages to developers and product owners in the long term? And the burning question: How do we get people trained for creating and using that data? All of these activities require budget and long-term organizational commitment, assuming that SBOMs become mandatory for critical infrastructure.”

So unless there are clear business motivators, legislation, and commitment by affected organizations, the benefits from using SBOMs won’t happen quickly, even if they are the right thing to do, he said.

Then there’s also the problem of how to track the SBOM after it’s built, said Jarboe. “You don’t know if the SBOM is really complete or if there was a risk you didn’t know about at the time it was built. And you still have to be able to work your way back to that risk when the next zero-day or Log4J vulnerability arises.”

