Software supply chains and security - will the Software Bill of Materials approach work?

SBOMs are now law in the US, but it will be a challenge to make them work

Over the past year, software supply chain attacks have affected public sector and private enterprises alike. As services have moved to digital and more complex deployments have been rolled out, the likelihood of flaws existing in those software supply chains has increased. So how should we react to this?

The US government provides one example. It published an Executive Order on cybersecurity that will enforce secure software development processes. As part of this, all federal organisations will require their suppliers to give them a Software Bill of Materials (SBOM) for their IT projects, listing all the components involved. Based on the guidance from the US National Telecommunications and Information Administration, using these SBOMs will provide a complete list of all the software in place across the organisation, which can then be used to prevent potential threats in the future.

This approach is aimed at preventing vulnerable components making their way into federal IT implementations, as well as helping those security teams plan ahead when a new issue is discovered. By providing a complete picture across internal and external IT projects, teams can prevent issues leading to breaches over time and have better insight into their software supply chains.

What can the UK government learn from this, and can other enterprises adopt something similar?

Will the SBOM approach work?

In theory, SBOMs make a lot of sense. Gaining more visibility into the software supply chain can only be a good thing, but making this work in practice will involve creating a solid workflow that can keep up with all the changes taking place within IT vendors' products as well as in internal IT assets.

To get this right, there are some lessons that can be learned from the IT asset management (ITAM) projects that most public sector organisations have in place. ITAM describes how organisations track hardware assets, software products and licenses. An up-to-date asset inventory provides an accurate picture of all the software installed across an organisation. Based on this, you can keep track of your assets and flag any potential problems or software vulnerabilities for updates as they arise.

But ITAM is a challenge to implement correctly and even harder to maintain. With so many software assets and multiple platforms in place, changes occur all the time. After Covid-19 - when IT teams had to scramble to provide more endpoint assets for people to work from home, or when users simply took their corporate devices home - this has become even more difficult, as so many assets are now outside of the office, in the cloud or absent from official managed lists.

For many companies and public sector bodies, ITAM gets moved into the ‘too hard’ pile because it is difficult to maintain an accurate list of assets and software. However, without that accurate list of assets, it is impossible to have an idea of your potential vulnerabilities. For SBOMs, getting over this hurdle will be essential if they are to deliver on that promise of value.

To make SBOMs work effectively, senior level support will be needed. The fact that the US government has mandated SBOMs will help here, as all vendors will have to put these together in a timely manner. Any time that a component in a product or service gets updated, a new SBOM will be needed.

For the vendor, automating this process should help them deliver this information efficiently to all those that need it. For the internal team, tracking all the products and software projects in place will be more challenging. The NTIA suggests that this will be automated in future, which should make the process easier. For other companies and public sector organisations looking on, this automation process should be something that they can learn from or adopt as well.

Combining established ITAM, vulnerability management and software supply chain management processes will provide that fuller picture of what is in place at the organisation. Using this data over time, IT teams will be able to prioritise what they have to update, see what they have to mitigate, and put more effective pressure on suppliers to fix issues in their software as well.

The future for SBOMs

The Biden government's Executive Order and the NTIA Minimum Standards document combine to inform everyone involved in software supply chains of their roles and responsibilities in improving security. This can provide a blueprint for governments around the world to follow. However, there are lessons to learn from existing processes for tracking IT assets too. The UK, in particular, is relatively advanced in IT process management thanks to the adoption of ITIL in the past - but not all IT teams use this framework.

Using SBOMs to track updates should help IT teams follow how suppliers update their software products and thus prevent problems at an early stage. However, unless they can depend upon suppliers providing data in a timely fashion, it will be hard to prioritise or apply pressure where it's needed; without a combination of internal and external data sources, it is difficult to keep this information in context; and without executive level support, it will be hard to keep these programmes running and providing value.
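As an added illustration (not code from the original article or from any vendor), the Python sketch below shows the cross-referencing described above and in the earlier paragraph on combining ITAM, vulnerability management and supply chain data: constructed SBOM records for two fictional supplier products are joined with a constructed ITAM inventory and a constructed advisory list to rank affected assets, and each SBOM's timestamp is checked against an assumed 90-day refresh window to flag suppliers that are not delivering data in a timely fashion. All supplier, product and component names are made up.

```python
"""Join SBOM records with an asset inventory and an advisory feed (illustration)."""
from datetime import date

# Constructed SBOM records, one per supplier product. The fields (supplier,
# timestamp, component name and version) are an assumption, not real data.
SBOMS = {
    "WebPortal 2.1": {
        "supplier": "VendorA", "timestamp": date(2021, 6, 1),
        "components": [("openssl", "1.1.1k"), ("log-lib", "2.14.1")],
    },
    "CaseTracker 5.0": {
        "supplier": "VendorB", "timestamp": date(2021, 1, 15),
        "components": [("log-lib", "2.15.0"), ("xml-parser", "3.2")],
    },
}

# Constructed ITAM inventory: which supplier product runs on which asset.
ASSETS = {
    "srv-01": ["WebPortal 2.1"],
    "srv-02": ["WebPortal 2.1", "CaseTracker 5.0"],
    "laptop-07": ["CaseTracker 5.0"],
}

# Constructed advisories: (component, set of vulnerable versions, severity).
ADVISORIES = [("log-lib", {"2.14.1"}, "critical"), ("xml-parser", {"3.2"}, "medium")]

TODAY = date(2021, 7, 1)  # constructed "current date" for the staleness check

def affected_assets(sboms, assets, advisories):
    """Map each asset to the (product, component, version, severity) findings on it."""
    hits = {}
    for asset, products in assets.items():
        for product in products:
            for comp, ver in sboms[product]["components"]:
                for adv_comp, bad_versions, sev in advisories:
                    if comp == adv_comp and ver in bad_versions:
                        hits.setdefault(asset, []).append((product, comp, ver, sev))
    return hits

def stale_sboms(sboms, today, max_age_days=90):
    """Products whose SBOM is older than the agreed refresh window (assumed 90 days)."""
    return sorted(p for p, s in sboms.items() if (today - s["timestamp"]).days > max_age_days)

def prioritise(hits):
    """Order assets by worst severity first, then by number of findings."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(hits, key=lambda a: (min(rank[h[3]] for h in hits[a]), -len(hits[a])))

if __name__ == "__main__":
    findings = affected_assets(SBOMS, ASSETS, ADVISORIES)
    print("update order:", prioritise(findings))
    print("stale SBOMs:", stale_sboms(SBOMS, TODAY))
```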

There are many elements to get right, but by doing so SBOMs should help keep public services more secure.

Matthew Middleton-Leal is vice president EMEA at Qualys