SBOMs Can Help You With Compliance, Too

Software bills of materials (SBOMs) are increasingly hitting the news as the federal government focuses on improving the nation’s cybersecurity. President Biden has identified this as a top priority of his administration, specifically preventing, detecting, assessing and remediating cybersecurity incidents. His executive order directed the Commerce Department and the National Telecommunications and Information Administration (NTIA) to publish the minimum required elements for an SBOM to help create a software supply chain that is more transparent and secure.

From a security standpoint, an SBOM provides a machine-readable description of the open source and proprietary code that makes up a piece of software, including all the components and dependencies. It may also include libraries, frameworks and additional external resources that the software requires to run. This detailed view of the software provides organizations the information they need to determine which components need to be updated or patched when vulnerabilities are disclosed—but SBOMs play a key role in compliance, too.

The Two Sides of an SBOM

If your organization is a software company that builds software for delivery to customers, it is important for you to provide an SBOM. This bill of materials adds value to the customers you serve because they gain a better understanding of all the components of your software. It helps you show your customers that you are compliant with new requirements for SBOMs and gives them much-needed visibility into the software they are purchasing and using.

As a purchaser of software from other institutions (which every organization is), you need an SBOM to help you govern that software and to mitigate risk. Without this information, it can be incredibly difficult to track down what components are in use and where, as the entire software industry learned when the Log4j vulnerability (CVE-2021-44228) was disclosed in December 2021. Many struggled to find all the instances of the Java-based logging utility because they lacked visibility into the components of the software in use at their organization. More than a year later, attackers continue to leverage unpatched components belonging to the Apache Log4j software library.

In an analysis of over 1,700 codebases scanned in 2022:
● 96% of codebases contained open source;
● 84% of codebases contained at least one vulnerability, while 48% contained high-risk vulnerabilities; and
● 54% of codebases had license conflicts.

Organizations rely on software to run and drive business growth now more than ever, so it is imperative to understand the role SBOMs play in both security and compliance.

Stay Compliant With Software Usage Licenses

The software ecosystem today is incredibly complex and interconnected, which can introduce challenges for organizations that need to meet regulations and standards in their industry. For example, the payment card industry data security standard (PCI DSS) requires organizations to have a comprehensive inventory of their software and dependencies. An SBOM helps organizations meet such requirements because it provides an up-to-date list of all the components that make up their software.

In addition, non-compliance with software usage licenses can result in legal or financial consequences. With so many different components in codebases, it can be challenging to ensure that they are complying with all the different open source and third-party licensing requirements. By using an SBOM, organizations can track those licenses to make sure that they are complying with each one. In addition, an SBOM can increase software compliance because it helps organizations identify and address vulnerabilities in their software, something that many regulations and standards already require.
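The two checks described above, locating components affected by a disclosed vulnerability (the Log4j case) and verifying that every component's license is acceptable, are both simple lookups once the SBOM is machine-readable. The following is an added example, not code from the article or from any SBOM tool: it reads a small CycloneDX-style JSON SBOM constructed for illustration, compares each component's version against a simplified advisory entry (the CVE id is the one named in the article; the version bounds are an illustrative approximation, not an authoritative affected-range statement), and flags components whose license is missing or not on a constructed allow-list.

```python
"""Check a CycloneDX-style SBOM against a vulnerability advisory list and a
license policy. Added example: the SBOM, the advisory entry and the policy are
constructed for illustration and are not real project data."""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in the shape of a CycloneDX JSON document. Assumption: only the
# fields used below are present; a real SBOM carries many more (purl, hashes, ...).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example", "name": "report-engine",
     "version": "3.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "group": "com.example", "name": "unknown-widget",
     "version": "0.9", "licenses": []}
  ]
}
"""

# Simplified advisory data, constructed for the example. The affected range is
# treated as [introduced, fixed); the bounds are illustrative, not authoritative.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]

# Constructed license policy: SPDX ids allowed in a proprietary product.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of integers.
    Pre-release suffixes are dropped, which is adequate for dotted releases."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def load_components(sbom_json: str) -> List[Dict]:
    """Extract the component list from a CycloneDX-style JSON document."""
    return json.loads(sbom_json)["components"]


def find_vulnerable(components: List[Dict], advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (advisory id, group:name, version) for every component whose
    coordinates match an advisory and whose version falls inside its range."""
    hits = []
    for c in components:
        v = parse_version(c["version"])
        for adv in advisories:
            if (c.get("group"), c["name"]) != (adv["group"], adv["name"]):
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((adv["id"], f'{c["group"]}:{c["name"]}', c["version"]))
    return hits


def find_license_issues(components: List[Dict], allowed: set) -> List[Tuple[str, str]]:
    """Return (coordinate, reason) for components with a disallowed or missing
    license. A missing license is flagged too: 'unknown' cannot be shown
    compliant to an auditor."""
    issues = []
    for c in components:
        coord = f'{c.get("group", "")}:{c["name"]}@{c["version"]}'
        ids = [lic["license"].get("id") for lic in c.get("licenses", []) if "license" in lic]
        if not ids:
            issues.append((coord, "no license declared"))
            continue
        for lic_id in ids:
            if lic_id not in allowed:
                issues.append((coord, f"license {lic_id} not in allow-list"))
    return issues


def compliance_report(sbom_json: str = SBOM_JSON) -> Dict[str, List]:
    """Run both checks over one SBOM and return the findings by category."""
    comps = load_components(sbom_json)
    return {
        "vulnerable": find_vulnerable(comps, ADVISORIES),
        "license_issues": find_license_issues(comps, ALLOWED_LICENSES),
    }


if __name__ == "__main__":
    for section, rows in compliance_report().items():
        print(section)
        for row in rows:
            print("  ", *row)
```

Run as-is, the report lists the 2.14.1 copy of log4j-core under the advisory (the 2.17.1 copy is outside the range), the GPL-licensed component as a policy violation, and the component with no declared license as a gap. In practice the advisory list would be fed from a vulnerability database and the allow-list from the organization's license policy; the point is that both answers come from the same SBOM without a manual inventory.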

New Regulations Include SBOM Requirements

In September 2022, the Office of Management and Budget (OMB) issued a memorandum to the heads of executive departments and agencies on enhancing the security of the software supply chain. It announced that federal agencies had a year to collect attestations and artifacts, such as SBOMs, from government software vendors to verify that they are adhering to secure software development practices. This March, the administration issued the National Cybersecurity Strategy, which included the objective of mitigating the risks in the software supply chain and improving open source software security.

To be an effective tool, SBOMs must be updated continuously because developers change software much more rapidly than in older software development models. In addition, federal agencies and organizations alike will need to understand the data in SBOMs, which are likely to include components, subcomponents, dependencies, authors, build/version numbers, license terms, time series analysis, maintenance patterns and technical debt. They will also receive SBOMs from multiple sources, including software vendors, contractors and internal software development teams. In this way, increased transparency can also lead to increased complexity. These new regulations will help organizations more fully understand their software supply chain, provided that an internal team is closely monitoring the SBOMs and related compliance and security implications of an ever-evolving software supply chain.

Integrate SBOMs Into Automated Compliance Software

Most organizations have multiple security and compliance tools to keep their compliance documentation continuously up-to-date. In today’s rapidly changing and complex business environment, compliance cannot be an afterthought, and slow, manual compliance processes cannot drive it. Many industries are heavily regulated, and organizations must meet compliance requirements from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Sarbanes-Oxley Act (SOX) and Cybersecurity Maturity Model Certification (CMMC), among many others. To reduce risk, SBOMs can be integrated into automated compliance solutions. This integration will help you prove that you know what is in your software and have the tools to address vulnerabilities quickly, and it will increase your ability to show promptly that you are complying with regulatory requirements.

Larry Whiteside Jr.

A former United States Air Force Officer with over 25 years of experience in building and running cybersecurity programs, Larry Whiteside Jr. is a veteran CISO, CSO, and CTO in the cybersecurity field and holds extensive experience in C-level security roles across industries including DoD, Federal Government, Financial Services, Healthcare, and Critical Infrastructure. Larry currently serves as the CISO for RegScale. He routinely advises corporate security executives and companies across the cybersecurity industry and has helped CEOs and board members of private cybersecurity companies achieve their goals in sales, marketing, and customer retention. A thought leader in the industry, Larry is a sought-after speaker at conferences such as the Gartner Security Summit, RSA Conference, and SC World Congress, and has been featured in many articles relating to information security and risk management. Larry is also the Co-Founder, President, and a member of the Board of Directors at Cyversity, a 501(c)3 non-profit association that is dedicated to increasing the number of minorities and women in the cybersecurity career field.