Why CISOs need to make software bills of materials (SBOMs) a top priority in 2023

Software supply chains are soft targets for attackers looking to capitalize on the lack of transparency, visibility and security of open-source libraries they use for embedding malicious code for wide distribution. Additionally, when companies don’t know where code libraries or packages being used in their software originate from, it creates greater security and compliance risks. 

The latest Synopsys Open Source Security and Risk Analysis Report found that 97% of commercial code contains open-source code, and 81% contains at least one vulnerability. Additionally, 53% of the codebases analyzed had licensing conflicts, and 85% were at least four years out of date. 

It’s common for development teams to use libraries and packages found on GitHub and other code repositories. Software bills of materials (SBOMs) are needed to keep track of each open-source software (OSS) and library used during the devops process, including when it enters the software development life cycle (SDLC).     

Securing software supply chains 

Software development leaders need to take action and integrate SBOMs throughout their SDLC and workflows to avert the risk of Log4j and comparable infected OSS components corrupting their code and infecting their customers’ systems. Software composition analysis (SCA) and the SBOMs they create provide devops teams with the tools they need to track where open-source components are being used. One of the critical goals of adopting SBOMs is to create and keep inventories current on where and how each open-source component is being used. 

“A lack of transparency into what software organizations are buying, acquiring and deploying is the biggest obstacle in improving the security of the supply chain,” said Janet Worthington, senior analyst at Forrester, during a recent interview with VentureBeat. 

The White House Executive Order 14028 on improving the nation’s cybersecurity requires software vendors to provide an SBOM. EO 14028 concentrates on solving the lack of software supply chain visibility by mandating that the NTIA, NIST and other government agencies provide greater transparency and visibility into the purchasing and procurement process for software throughout its product lifecycle.

In addition, the executive order mandates that organizations supplying software must provide information on not only direct suppliers but also their suppliers’ suppliers, tier-2, tier-3, and tier-n suppliers. The Cybersecurity and Infrastructure Security Agency (CISA) software bill of materials resource center also provides valuable resources for CISOs getting up to speed in SBOMs. 

EO 14028 was followed on September 14 of this year with a memorandum authored by the director of the Office of Management and Budget (OMB) to the heads of executive branch departments and agencies addressing the need for enhancing the security of the federal software supply chain further than the executive order called for.

“The combination of the executive order and the memo mean SBOMs are going to be important in the not too distant future,” said Matt Rose, ReversingLabs field CISO. What’s most noteworthy about the memorandum is that it requires agencies to obtain self-attestation from software providers that their devops teams follow the secure development processes defined in NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance.

SBOMs help create trusted code at scale  

Integrating SBOMs throughout devops processes, over and above compliance with EO 14028, ensures that every downstream partner, customer, support organization and government entity receives trustworthy apps built on solid, secure code. SBOMs do more than protect code. They also protect the brands and reputations of the organizations shipping software globally, especially web-based apps and platforms. 

There’s a growing lack of trust in any code that isn’t documented, especially on the part of government procurement and purchasing organizations. The challenge for many software providers is achieving a more successful shift-left strategy when integrating SBOMs and SCA into their continuous integration/continuous delivery (CI/CD) process. Shift-left security looks to close the gaps attackers look for to inject malicious code into payloads. 

“CISOs and CIOs increasingly realize that to move fast and achieve business goals, teams need to embrace a secure devops culture. Developing an automated development pipeline allows teams to deploy frequently and confidently because security testing is embedded from the earliest stages. As the result of a security issue escaping to production, having a repeatable pipeline allows for the offending code to be rolled back without impacting other operations,” Worthington advised.

CISOs also need to become familiar with the formal definitions of SBOMs now, especially if they’re part of a software supply chain that provides applications to the federal government. Formal standards include Software Package Data Exchange (SPDX), Software ID Tag (SWID) and CycloneDX. Of these, CycloneDX is the most often used standard. These standards aim to establish a data exchange format and a common infrastructure that shares details about every software package. As a result, organizations adopting these standards find they save time in remediating and solving disconnects while increasing collaboration and the speed of getting joint projects done. 

For SBOMs, compliance is just the beginning 

EO 14028 and the follow-on memorandum are just the beginning of compliance requirements that devops teams and their organizations must comply with to be part of the federal government’s software supply chain. SBOM requirements from the Federal Energy Regulatory Commission (FERC), Food and Drug Administration (FDA), and the European Union Agency for Cybersecurity (ENISA) are also now requiring SBOM visibility and traceability as a prerequisite for doing business. With SBOMs becoming core to how U.S. and European governments define whom and how they will do business with, CISOs need to make this area a priority in 2023.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.