How SBOMs Can Eventually Help to Secure Government’s Software Supply Chain

monsitj/Getty Images

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
By John Breeden II

By John Breeden II

|

No agency has yet to require them in any major way.

We first heard about the term SBOM, or software bill of materials, back in May of 2021 when President Joe Biden issued an executive order that will, eventually, require software vendors working with the federal government to deliver an SBOM along with all of their software products. Since then, the Department of Commerce has helped to define what would need to be included within an SBOM. And agencies, which were given a wide amount of freedom to decide when and how to begin requiring them, have started to research how they would work.

The idea behind an SBOM is an interesting one, but over the past two years since the executive order mandated them, no agency has begun requiring them in any major way. Many vendors are cool to the idea, and there also seems to be a lack of understanding about why they are needed, how to create them and what an SBOM could really do to secure the software supply chain.

The somewhat confusing factors surrounding SBOMs made for a perfect backdrop for a video webinar I was recently asked to moderate on this topic. The webinar was hosted by FedInsider and featured some of the top experts in this field working in industry and government, including those who are actively defining SBOM standards or trying to implement them at their agencies. I learned a lot during my time with those experts and wanted to share some of that knowledge to try and dispel much of the ongoing confusion about what could eventually become a very useful tool government could use to protect its software supply chain.

Why are SBOMs needed today?

Bob Martin, the senior principal software and supply chain assurance engineer with MITRE, has been studying this issue for decades. According to Martin, the nature of creating software has changed over the past two decades to the point where something like an SBOM is needed in order for an agency to know what it is really getting when it acquires new software.

“In the past, we have this image of someone sitting down with a literal blank sheet of paper and writing a program from scratch,” he said. But today, “No one writes the majority of the code. They use other people's components and frameworks, and they assemble them together to do most of the work that an application needs to do, adding in the specifics of what they are trying to accomplish. Today that is the norm because each of us who make modules are doing basically the same thing.”

So, according to Martin, if an agency obtained a module or a program from a vendor in the past, then it could be fairly confident that a single programmer or a small team wrote all of the code that made it up. But today, lead programmers may borrow code from any number of libraries, frameworks and code repositories—because there is no need to reinvent the wheel every time a module is created. Instead, most basic software functions are created from reused, previous code, with only the final bit of unique functionality added by a programmer.

Problems can then happen if a vulnerability is later discovered in some of those libraries or frameworks that make up a component of the millions of programs and modules being used by government. Without SBOMs for active programs, agencies have no quick way of knowing if they are affected by newly discovered vulnerabilities, because they don’t know what went into the code and software that they are using.

What is an SBOM?

Although papers have been written about proper SBOM components, there is still a lot of confusion about what they really are. To help with this, Sam Kinch, the director of technical account management with Tanium Federal came up with a clever way to think about them.

“I like to think of SBOMs like an ingredients list on the side of a food package,” Kinch said during the webinar. “With most packaged foods, you will get a list of ingredients that the company used to create that food, and in the same way you can think of SBOMs as an ingredients list on the side—or as part of—a software package that you receive. It provides you with details about what the components are that the developer used to create a software package.”

Thinking of an SBOM like the ingredients list for packaged food is a great way to help visualize the concept, but Kinch notes that there is one important difference. Unlike a package of macaroni and cheese, which remains the same until someone boils and eats it, an SBOM for software can change over time, even after the software has been delivered to an agency.

“If you perform an update or a patch on software, then that can change the SBOM because new elements could be added,” Kinch said. In the same way, an SBOM could also change based on what platform a piece of software is installed on or how it is used. Because of this, agencies don’t just need to require SBOMs from software vendors, but also need to keep them active and updated as that software gets used throughout an agency.

How can SBOMs be used in government?

Once SBOMs are established, federal guests talked about three scenarios where their use would be extremely helpful. First off, they would be good to have during a crisis, such as when the Log4j vulnerability was uncovered.

“Instead of having to do all that ‘boots on the ground’ work when the next Log4j happens, you could instead have a database or provenance repository of SBOMs to turn to,” said Supply Chain Lead with the Department of Education Jason Mullins. “I could simply search that and see where I'm affected, where did my bad ingredients come from and where did they end up, and where this bit of software is connected to my systems. Then I can start acting on that right way.”

Pat Sullivan, senior advisor to the director of supply chain management with Army Materiel Command, added that not only will SBOMs help during a crisis, but also for the day-to-day monitoring of networks as a key component to cybersecurity. 

“It’s a valuable tool to help not only at the point of crisis but also as we work every day to detect and deny identified malicious intent,” Sullivan said. “It’s interesting that we are having this discussion now because, as recently as October, our deputy secretary for acquisitions shared that the Army is going headfirst into SBOMs, so while composition analysis has been going on for years, it’s time now to take the next step.”

Having SBOMs might even bring more security to the software acquisition process, something that is growing increasingly complicated for many agencies.

“SBOMs are definitely something that can help you in the acquisition process to make sure that the software you are getting is not different from the one proposed or demonstrated to you,” said Justin Murphy, a vulnerability disclosure analyst with the Cybersecurity and Infrastructure Security Agency. “If you have SBOMs for everything on every device in your enterprise, then you are going to have a much finer grain detail than we do today.”

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

NEXT STORY: Pentagon to Release New Cyber Workforce Strategy 'Any Day Now'

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.