SBOMs’ Role in Open Source Security

When the Cybersecurity and Infrastructure Security Agency (CISA) announced its guidelines to promote better security of the software supply chain, the agency touted the software bill of materials (SBOM) as “a key building block in software security and software supply chain risk management.”

One of the key areas in CISA’s strategy is to improve security around open source software, and it is expected that the SBOM will play an important role.

What is the SBOM?

The SBOM is a list of all the components and dependencies that make up a piece of software, including both open source and commercial software components as well as any in-house developed libraries.

“The purpose of an SBOM is to provide transparency into the software supply chain and help organizations manage the security and compliance risks associated with third-party software components,” said Anthony Tam, manager, security engineering at Tigera, in an email interview.

Having a complete and accurate list of all software components and dependencies gives organizations true insight into all the components that make up their software and makes it easier to spot any potential security vulnerabilities.

“This information can be used to prioritize security patches and updates, track and manage vulnerabilities and monitor compliance with relevant regulations and standards,” said Tam.

SBOMs build out a list of the packages and shared libraries used in each application, along with their version numbers, and this information makes it more efficient to address flaws in the code. If a vulnerability is disclosed for a specific package, you can remedy the problem by updating that package, removing it, or contacting the vendor to see if a patch is available that remediates the vulnerability.

“Having that bastion of knowledge available at a moment’s notice before public lists of known vulnerable software applications are posted enables users to protect themselves and mitigate the impact of being exploited sometimes even before a vendor knows,” said Matt Psencik, director, endpoint security specialist at Tanium, during an email conversation.

SBOMs’ Value for Open Source Security

Open source software is the foundation of many commercial applications. Developers rely on open source because it is a low-cost or free way to build out their applications. Because it is open for anyone to use, change or build upon, it is also easy to miss holes and flaws that could lead to exploits and data leakage. And because a single line of open source code can be used in so many applications, it broadens the attack landscape for threat actors.

“When you have an SBOM, you can peer into your commercial apps that use these open source projects,” said Psencik. You can see whether your code is vulnerable and put mitigation strategies in place immediately rather than waiting to be notified by the app vendor.

In addition to targeting open source vulnerabilities, SBOMs are also critical to addressing IoT/OT vulnerabilities. “Even if the SBOM analysis process does not take into consideration the severity of the vulnerability, it is a highly valuable approach,” explained Bud Broomhead, CEO at Viakoo. “Speed of locating vulnerable devices is especially important in IoT/OT environments where multiple makes and models of devices might carry the vulnerability.”
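As an added illustration of the matching described above (package and version lists checked against vulnerability disclosures, then locating every affected device across an inventory), here is a small Python script that is not code from the article or from any vendor named in it. It reads constructed CycloneDX-style SBOMs for three assets, checks each component against constructed advisory records with placeholder ids, and reports which assets need an update, a removal, or a vendor follow-up; CycloneDX as the SBOM format and the advisory record layout are assumptions, not something the article specifies.

```python
import json
# Constructed CycloneDX-style SBOMs for three assets; names and versions are made up.
SBOMS = {
    "gateway-app": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "libnetparse", "version": "2.4.1"},
                       {"type": "library", "name": "tlswrap", "version": "1.0.9"}]}),
    "camera-fw": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "libnetparse", "version": "2.3.7"},
                       {"type": "library", "name": "imgcodec", "version": "0.8.0"}]}),
    "badge-reader-fw": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [{"type": "library", "name": "libnetparse", "version": "2.5.0"}]}),
}
# Constructed advisories with placeholder ids; "fixed": None means no patched release yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libnetparse", "introduced": "2.0.0", "fixed": "2.5.0"},
    {"id": "EXAMPLE-0002", "package": "tlswrap", "introduced": "1.0.0", "fixed": None},
]

def parse_version(v):
    """Turn a dotted version into an int tuple so "1.2.10" sorts after "1.2.9"."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json):
    """Map component name -> version from the SBOM's components list."""
    return {c["name"]: c["version"] for c in json.loads(sbom_json).get("components", [])}

def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (or if no fixed release exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def find_affected(sboms, advisories):
    """Return (asset, package, version, advisory id, fixed version) for every match."""
    hits = []
    for asset, sbom_json in sboms.items():
        comps = load_components(sbom_json)
        for adv in advisories:
            ver = comps.get(adv["package"])
            if ver is not None and is_affected(ver, adv):
                hits.append((asset, adv["package"], ver, adv["id"], adv["fixed"]))
    return hits

if __name__ == "__main__":
    for asset, pkg, ver, adv_id, fixed in find_affected(SBOMS, ADVISORIES):
        action = f"update to {fixed}" if fixed else "no fix yet: remove or contact vendor"
        print(f"{asset}: {pkg} {ver} affected by {adv_id} -> {action}")
```

The badge reader already runs the fixed libnetparse release and is correctly left out of the report, while the gateway's tlswrap match has no fix and so falls into the remove-or-contact-vendor path.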

Enforcing the Use of SBOMs

CISA’s advocacy of SBOMs includes facilitating community engagement, development and processes, and showcasing new use cases and technologies. NIST also has a framework for SBOMs. And the White House’s executive order to secure the software supply chain includes a directive to develop and publish minimum SBOM requirements for software purchased by the federal government, and encourages private-sector companies to adopt similar practices to improve software supply chain security.

“The enforcement of SBOM requirements for open source software is becoming increasingly important, particularly as more organizations are adopting open source software as part of their software development practices,” said Tam.

“Many open source projects already provide an SBOM as part of their release process, and some organizations are requiring the use of SBOMs as a condition of using open source software.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
