Why CISOs need to make software inventory (SBOM) a top priority in 2023


Software supply chains are soft targets for attackers who exploit the lack of transparency, visibility and security of the open source libraries organizations use, embedding malicious code in them for wide distribution. Additionally, when companies don’t know where the code libraries or packages used in their software come from, they face greater security and compliance risks.

The latest Synopsys Open Source Security and Risk Analysis Report found that 97% of commercial code contains open source code, and 81% contains at least one vulnerability. Additionally, 53% of the codebases analyzed had license conflicts, and 85% were at least four years out of date.

It is common for development teams to use libraries and packages found on GitHub and other code repositories. Software bills of materials (SBOMs) are necessary to keep track of each open source software (OSS) component and library used during the devops process, from the moment it enters the software development lifecycle (SDLC).

Securing software supply chains

Software development managers must take action and integrate SBOMs through the SDLC and workflow to avoid the risk of Log4j and comparable compromised OSS components corrupting their code and infecting customers’ systems. Software composition analysis (SCA) tools and the SBOMs they generate give devops teams what they need to track where open source components are used. One of the critical goals of adopting SBOMs is to create and maintain an inventory of where and how each open source component is used.



“Lack of transparency in what software organizations buy, procure and deploy is the biggest obstacle to improving supply chain security,” said Janet Worthington, senior analyst at Forrester, during a recent interview with VentureBeat.

The White House Executive Order 14028 on improving the nation’s cybersecurity requires software vendors to provide an SBOM. EO 14028 focuses on addressing the lack of software supply chain visibility by requiring NTIA, NIST, and other government agencies to provide greater transparency and visibility into the software procurement and acquisition process throughout the product lifecycle.

In addition, the order mandates that organizations supplying software must provide information not only about their direct suppliers, but also about their suppliers’ suppliers: tier-2, tier-3 and tier-n suppliers. The Cybersecurity and Infrastructure Security Agency (CISA) Software Center Resource Center also provides valuable resources for CISOs to get up to speed on SBOMs.

EO 14028 was followed on September 14 of this year by a memorandum from the Director of the Office of Management and Budget (OMB) to the heads of executive departments and agencies, addressing the need to improve the security of the federal software supply chain beyond what the executive order called for.

“The combination of the executive order and the memo means that SBOMs are going to be important in the not-too-distant future,” said Matt Rose, ReversingLabs’ field CISO. Most notable about the memorandum is that it requires agencies to obtain self-certification from software vendors that their devops teams follow the secure development processes defined in the NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance.

Source: McKinsey and Company, Software list: Managing software cybersecurity risks, September 2022.

SBOMs help create reliable code at scale

Integrating SBOMs through devops processes, beyond compliance with EO 14028, ensures that all downstream partners, customers, support organizations, and government entities receive trusted apps built on solid, secure code. SBOMs do more than protect code. They also protect the brands and reputations of the organizations that ship software globally, especially web-based apps and platforms.

There is a growing lack of confidence in any code that is not documented, especially among government and enterprise procurement organizations. The challenge for many software vendors is achieving a more successful shift-left strategy when integrating SBOMs and SCA into their continuous integration/continuous delivery (CI/CD) process. Shift-left security helps close the holes attackers look for when trying to inject malicious code into payloads.

“CISOs and CIOs are increasingly realizing that to move quickly and achieve business goals, teams must embrace a secure devops culture. By developing an automated development pipeline, teams can deploy frequently and confidently because security testing is built in from the earliest stages. As a result of a security issue escaping into production, having a repeatable pipeline allows the offending code to be rolled back without affecting other operations,” Worthington said.

Source: McKinsey and Company.

CISOs also need to become familiar with the formal definitions of SBOMs now, especially if they are part of a software supply chain that delivers applications to the federal government. Formal standards include Software Package Data Exchange (SPDX), Software ID (SWID) tags, and CycloneDX. Of these, CycloneDX is the most widely used. These standards aim to establish a data exchange format and a common infrastructure for sharing details about each software package. As a result, organizations that adopt them find that they save time remediating and resolving disruptions while increasing collaboration and the speed of getting joint projects done.
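To make the inventory goal above concrete, here is an added example (not code from the article or from any of the standards bodies it names) that reads a small CycloneDX-style JSON SBOM, answers “how did this component get into our build?” by walking the dependency graph back to the root application, and flags components that violate a policy. The SBOM, the package names, the denied-license list and the advisory entry are all constructed for the example; the advisory id is a placeholder, not a real CVE, and the version-ordering helper is a simplified stand-in for a proper version parser.

```python
"""Inventory and policy checks over a CycloneDX JSON SBOM (added example)."""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM using the CycloneDX 1.4 JSON field names
# (bomFormat, components, bom-ref, purl, licenses, dependencies).
# Package names and versions are illustrative, not a real project's.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "web", "type": "library", "name": "web-framework", "version": "5.1.0",
         "purl": "pkg:maven/example/web-framework@5.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "log", "type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "chart", "type": "library", "name": "chart-lib", "version": "1.0.3",
         "purl": "pkg:npm/chart-lib@1.0.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "chart"]},
        {"ref": "web", "dependsOn": ["log"]},  # log4j-core arrives transitively (tier-2)
        {"ref": "log", "dependsOn": []},
        {"ref": "chart", "dependsOn": []},
    ],
})

# Constructed policy: licenses the organization will not ship, and advisories
# expressed as "every version below the fixed version is affected".
# The advisory id is a placeholder, not a real CVE number.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": ("2.17.1", "ADV-EXAMPLE-0001"),
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Simplified dotted-version ordering; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_inventory(sbom_json: str) -> Dict[str, dict]:
    """Map bom-ref -> component after confirming this is a CycloneDX document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["bom-ref"]: c for c in doc.get("components", [])}


def dependency_paths(sbom_json: str) -> Dict[str, List[str]]:
    """For each component, the chain of bom-refs from the root application to it.

    This is the "suppliers' suppliers" view: it shows which direct dependency
    pulled a transitive component into the build.
    """
    doc = json.loads(sbom_json)
    graph = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    paths: Dict[str, List[str]] = {}
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for child in graph.get(ref, []):
            if child not in paths:  # first path found wins; also stops cycles
                paths[child] = path + [child]
                stack.append((child, paths[child]))
    return paths


def policy_findings(sbom_json: str) -> List[dict]:
    """Flag components with a denied license or a version below an advisory fix."""
    inventory = load_inventory(sbom_json)
    paths = dependency_paths(sbom_json)
    findings = []
    for ref, comp in inventory.items():
        chain = " -> ".join(paths.get(ref, [ref]))
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in DENIED_LICENSES:
                findings.append({"ref": ref, "kind": "license", "detail": lic_id, "path": chain})
        # Strip the "@version" suffix so the purl matches the advisory key
        # (qualifiers after "?" are not handled in this constructed example).
        base = comp.get("purl", "").split("@")[0]
        if base in ADVISORIES:
            fixed, advisory_id = ADVISORIES[base]
            if version_tuple(comp["version"]) < version_tuple(fixed):
                findings.append({"ref": ref, "kind": "advisory", "detail": advisory_id, "path": chain})
    return findings


if __name__ == "__main__":
    for f in policy_findings(SAMPLE_SBOM):
        print(f"{f['kind']:8} {f['ref']:6} {f['detail']:16} via {f['path']}")
```

Run against the sample, the check reports the outdated log4j-core component together with the path `app -> web -> log`, showing that it was not a direct dependency but was pulled in by the web framework, and reports the GPL-licensed charting library as a license conflict. In a real pipeline the SBOM would come from an SCA tool rather than an inline literal, and the advisory data from a vulnerability feed; the inventory-plus-path structure is what turns a compliance artifact into something a team can act on.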

For SBOMs, compliance is just the beginning

EO 14028 and the accompanying memorandum are just the beginning of the compliance requirements that developer teams and their organizations must adhere to in order to be part of the federal government’s software supply chain. SBOM requirements from the Federal Energy Regulatory Commission (FERC), the Food and Drug Administration (FDA), and the European Union Agency for Cybersecurity (ENISA) now also make SBOM visibility and traceability a prerequisite for doing business. As SBOMs become core to how US and European governments define whom they want to do business with and how, CISOs must make this area a priority in 2023.
