Software bills of materials list the code components in software, and they have become the subject of study as a way to detect cybersecurity vulnerabilities. For agency technical staff, getting them is one thing; understanding them is something else. To help, the Cybersecurity and Infrastructure Security Agency recently held an online event it called SBOM-a-Rama. Joining Federal Drive with Tom Temin with what you might want to know is CISA Cyber Innovation Fellow and Chief Security Advisor at Endor Labs, Chris Hughes.
Tom Temin So when it comes to SBOMs, this is something I think it's fair to say: people can collect them, but they don’t know what to do with them when they get them. Is that the state of things at present?
Chris Hughes Yes, that’s what many organizations and industry would tell you. You know, that’s the way things are. Early on, we saw a lot of push to get the SBOM as an artifact, you know, simply because we lacked transparency, and in incidents like Log4j and SolarWinds, people were struggling to get transparency around the software they’re using from the open source ecosystem. So now everyone has rushed to get those artifacts. But now it’s a game of, you know, what do you actually do with it? How do we ingest it, enrich it, analyze it, give it meaning and create value?
Tom Temin And define it? Most SBOM vendors, that is, people who request them from government or other large organizations, use standard formatting. There are several different standards for SBOMs, so they are easy to digest. Is it quite coordinated?
Chris Hughes That’s right. The two leading standardized formats in the industry are what is known as CycloneDX from the OWASP organization and then SPDX from the Linux Foundation. And the industry has gathered around those two primary formats. There are, you know, one or two more that have been discussed and used at some point, but those are the two that the industry has settled around at this point. And most organizations use tools that produce them in one or both formats.
Tom Temin And are they legible? I mean, if you have an SPDX reader or a CycloneDX reader on your computer, what does that look like? Is there anything visible to the human eye?
Chris Hughes Yeah, luckily it’s going to break down, you know, the parts of the software: what are the components that are in that piece of software from an open source perspective? Even with first-party code, it might help you understand, you know, what are the nested ingredients that make up this piece of software? And then also, you know, you can get information like what vulnerabilities are associated with those components. So you can still get to grips with what they call understanding the software supply chain. You know, what software we use, what vulnerabilities are associated with it, you know, where we have risks and concerns, and it helps you do something about it.
Tom Temin So these formatting standards are designed to reveal the source of the code, not just the name of any block of code that is part of it.
Chris Hughes That’s right. You know, what we’ve been rallying around so far is that an organization known as NTIA, where a lot of SBOM work started within the government a few years ago, defined what they called NTIA’s minimum elements for SBOM. And they’ll give you various information like the supplier, the name of the component, you know, the source, and so on. And people can start using that to understand, you know, the origin of these components: you know, where they came from, what they’re called, who supplied them, etc., along with, you know, vulnerability information.
Tom Temin Well, then you should link it to some other source to know whether the components you have identified are what you want or not. In other words, the SBOM will not tell you about vulnerabilities in it.
Chris Hughes Yeah, well, you can start identifying vulnerabilities in those components, you know, looking at something like the National Vulnerability Database. But you made a comment about whether you want components or not. And that’s kind of the complexity of the problem here: if you’re consuming software from a second- or third-party, you know, product vendor, for example, and they’ve provided the SBOM for the aforementioned product, it will contain components that you basically have no say in, whether you want them or not. They are basically integrated into the product. Now it just gives you transparency and visibility into what’s under the hood of that product, in terms of how much of the product is open source software, you know, what vulnerabilities those components have, and so on. Still, it puts you in a position that you weren’t in before, and now you can talk to the vendor to understand, you know, where they’re at in terms of, you know, remediating vulnerabilities or mitigating risk in the product, or even, you know, potentially replacing a component if it’s outdated, has numerous vulnerabilities associated with it, and so on.
Tom Temin We’re talking to Chris Hughes. He is the Chief Security Advisor at Endor Labs and a Cyber Innovation Fellow at the Cybersecurity and Infrastructure Security Agency. And it sounds like SBOM analysis, if you will, you know, deriving information from an SBOM, is kind of a specialty field in itself.
Chris Hughes Yeah, it’s definitely grown into that. If you look at, you know, the kind of startup ecosystem that some of the venture capital has gone into, if you go to, you know, some of the biggest industry events like RSA and Black Hat, you’ll notice that there are a few companies that have kind of specialized in a niche around SBOM analysis, you know, storing SBOMs, you know, bringing them in from other sources, helping you produce, you know, visibility and reporting around components, and aggregating those SBOMs, you know, to give you a kind of holistic, you know, enterprise risk management kind of perspective around those SBOMs and the vulnerabilities associated with them and the vendors that you got them from and things of that nature.
Tom Temin And these events, well, this one was called the Winter SBOM-a-Rama. So I guess that means there is a spring and fall SBOM-a-Rama from CISA. What happens at these things? They’re online, aren’t they?
Chris Hughes Yes, they are. So this is essentially an opportunity to bring together government and private sector stakeholders on the industry side. And you have representatives from, you know, the organizations that I was talking about, like the Linux Foundation and OWASP and others that run the formats and work around the SBOM formats. But you also have people from different ISACs and community groups using SBOMs for various purposes, whether it’s the financial community or the medical device community or private sector organizations, as well as representatives within government and the Department of Defense, who all have an interest, essentially, in software transparency, software supply chain security and using SBOM as part of that to mitigate risk. Everybody gets together, they talk about the progress that they’re making, you know, the challenges that remain, the issues around things like software identification, you know, that relate to the concept of, you know, the software supply chain, and that sort of brings together the industry, both in the public and in the private sector, in order to cooperate on this topic.
Tom Temin There must be a Reddit group for SBOM somewhere down there.
Chris Hughes Oh, there’s almost certainly something. There are several subreddits of other people struggling with this challenge. You will find many talks among industry groups, conferences, industry events. And yes, it is certainly a very hot topic.
Tom Temin Are there any major software publishers reluctant to issue SBOMs because the buyer might find out that the seller didn’t actually supply any code of their own, but simply compiled a bunch of stuff out there in open source, and maybe put a nice front page on it for a welcome page? Otherwise, you know, where is the added value?
Chris Hughes Yeah, there’s a lot of people, you know, and obviously they won’t necessarily say it outright, but there’s a lot of people who say there’s industry resistance, or at least, you know, some industry resistance around SBOM and the transparency it requires on those facts. They’re worried that, you know, organizations are just worried that people are going to realize that they basically put together a bunch of open source and put, you know, a little bow on top, maybe custom proprietary code at some point, but mostly it’s open source components. And additionally, they might be concerned about, you know, pulling back the curtain and saying, hey, we’ve got a whole bunch of outdated, poorly maintained, and vulnerable components in this product, and we just don’t want to provide that level of transparency. You know, they don’t say it like that, but there’s a lot of suspicion that, you know, the opposition to transparency is not because of intellectual property concerns or, you know, things like that, but it’s actually, you know, about pulling back the curtain and showing that, you know, you didn’t create this, or it’s poorly maintained and poorly secured.
Tom Temin Yeah. If you’re old enough, you remember the big scandal with Oldsmobiles with Chevy engines in them. That was a big deal back then, I guess. It must have been the 1980s. Alright. So, at the latest SBOM-a-Rama, what came out of it? Are there any new findings that the industry should be aware of?
Chris Hughes Yeah, I think the biggest takeaway is what we started the conversation with. You know, at previous events like this, there was a lot of education about what this problem is, or why you even need to have it, or why it matters. And now the conversation has matured significantly, and everybody understands why we should have it, what it is, what it’s for, and people are looking for innovative ways to use it in broader, you know, things like cybersecurity supply chain risk management, or vulnerability management and enterprise risk management, integrating it into these programs, as well as activities such as procurement and acquisition, even mergers and acquisitions. You know, we see a lot of innovation and advancement within certain communities like the financial sector or the medical device community. We had representatives of the Department of Defense. They’re using it for a variety of purposes, from a resiliency perspective, as well as authorization of systems going into production, and so on, because there’s a lot more maturity around not just what it is, but how to actually use it to deliver value and drive more secure outcomes.
Tom Temin And by the way, is it SBOM-a-Rama with an A, or SBOM-o-Rama?
Chris Hughes I believe it has an A. Yes, I hope I’m right, but I’m almost certain, right?
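As an added illustration of the "what do you actually do with it" question and of the NTIA minimum elements Hughes refers to (this is example code written for this page, not code from the interview, from CISA or from Endor Labs), the script below ingests a small CycloneDX JSON SBOM, flags every component that lacks one of the NTIA minimum elements, and matches component package URLs against a local advisory list. The SBOM document, the fictional product and packages "example-app", "leftpad-ish" and "mystery-lib", and the advisory list are all constructed here; the advisory list stands in for a real NVD query, and its only real entry records that log4j-core 2.14.1 is affected by CVE-2021-44228 (fixed in 2.15.0 on the 2.x line). The version comparison is a deliberately crude dotted-number compare, an assumption that does not hold for every ecosystem.

```python
"""Ingest a CycloneDX JSON SBOM, check NTIA minimum elements per component,
and match package URLs against a local advisory list (example code)."""
import json

# Constructed CycloneDX 1.5 document for a fictional product "example-app".
# log4j-core 2.14.1 is a real library version; the other two packages are made up.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-03-01T12:00:00Z",                 # NTIA: timestamp
        "authors": [{"name": "example-app build pipeline"}],  # NTIA: author of SBOM data
        "component": {"type": "application", "name": "example-app",
                      "version": "2.3.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "bom-ref": "log4j"},
        {"type": "library", "name": "leftpad-ish", "version": "1.0.0",
         "purl": "pkg:npm/leftpad-ish@1.0.0", "bom-ref": "leftpad"},   # no supplier
        {"type": "library", "name": "mystery-lib", "bom-ref": "mystery"},  # no version, no purl
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j", "leftpad"]},   # "mystery" is never referenced
    ],
})

# Constructed advisory feed keyed by versionless purl, standing in for an NVD lookup.
# The log4j entry reflects CVE-2021-44228; the npm entry is hypothetical.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.15.0"},
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:npm/leftpad-ish", "fixed_in": "0.9.5"},
]


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def split_purl(purl):
    """Return (versionless purl, version); qualifiers (?...) and subpath (#...) are dropped.
    In a purl the first '@' separates the version, since '@' in names is percent-encoded."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def parse_version(v):
    """Crude dotted-numeric comparison key; non-numeric parts sort as 0 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def ntia_gaps(sbom):
    """Map each component's bom-ref to the NTIA minimum elements it lacks.
    The key "_document" covers the SBOM-level elements (author, timestamp)."""
    gaps = {}
    meta = sbom.get("metadata", {})
    doc_gaps = []
    if not any(a.get("name") for a in meta.get("authors", [])):
        doc_gaps.append("author of SBOM data")
    if not meta.get("timestamp"):
        doc_gaps.append("timestamp")
    if doc_gaps:
        gaps["_document"] = doc_gaps

    # A component has a recorded dependency relationship if it appears in the
    # dependency graph at all, either as a parent ("ref") or as a child.
    related = set()
    for dep in sbom.get("dependencies", []):
        related.add(dep.get("ref"))
        related.update(dep.get("dependsOn", []))

    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier name")
        if not comp.get("name"):
            missing.append("component name")
        if not comp.get("version"):
            missing.append("version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            missing.append("other unique identifier")
        if ref not in related:
            missing.append("dependency relationship")
        if missing:
            gaps[ref] = missing
    return gaps


def match_advisories(sbom, advisories):
    """Return (bom-ref, advisory id) pairs for components whose purl prefix matches
    an advisory and whose version sorts below that advisory's fixed_in version."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no identifier: cannot be matched; ntia_gaps already reports it
        prefix, version = split_purl(purl)
        for adv in advisories:
            if (adv["purl_prefix"] == prefix and version
                    and parse_version(version) < parse_version(adv["fixed_in"])):
                hits.append((comp.get("bom-ref"), adv["id"]))
    return hits


def analyse(text=SAMPLE_SBOM_JSON, advisories=ADVISORIES):
    """Run both checks over one SBOM document; returns (gaps, hits)."""
    sbom = load_sbom(text)
    return ntia_gaps(sbom), match_advisories(sbom, advisories)


if __name__ == "__main__":
    gaps, hits = analyse()
    for ref, missing in gaps.items():
        print(f"{ref}: missing {', '.join(missing)}")
    for ref, adv in hits:
        print(f"{ref}: affected by {adv}")
```

Run against the constructed document, it reports that "leftpad" has no supplier and that "mystery" has no supplier, version, identifier or dependency relationship, and it matches only log4j-core to CVE-2021-44228. The unmatched "mystery" component is the practical point: a component with no purl or CPE cannot be looked up in any vulnerability database, so the minimum-elements check is what turns a bare artifact into something you can act on.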
Copyright © 2024 Federal News Network. All rights reserved.