3 Ways a Dynamic SBOM Enhances Security
In a previous post, we described why a software bill of materials (SBOM) needs to be dynamic in order to be valuable for organizations. One of the biggest sources of that value is the enhanced security that dynamic SBOMs can deliver for organizations.
An SBOM creates a foundational data layer on which further security tools, policies and practices can be built. The U.S. Cybersecurity & Infrastructure Security Agency (CISA), a part of the Department of Homeland Security that leads national efforts to understand, manage, and reduce risk to the cyber and physical infrastructure, has stated that SBOMs have emerged as a key building block in software security and software supply chain risk management.
How a Dynamic SBOM Leads to Better Software Security
SBOMs Build Security In at the Outset of Development
The benefits of SBOMs from a security standpoint start at the beginning of the software development lifecycle (SDLC). Software developers rely on open source and third-party components to create products, and SBOMs enable them to ensure that these components are up to date and free of vulnerabilities.
Development teams are increasingly being encouraged to incorporate security elements into the development process through efforts such as DevSecOps. One of the ways they can do this is by referring to SBOMs for possible vulnerabilities, considering the context of these flaws and then fixing them before the development process can move ahead.
The benefit of this approach is that it does not leave security to the end, but rather ensures that product security isn’t sacrificed over speed of development. Building security into the development lifecycle through initiatives such as DevSecOps has never been more important, and integrating SBOMs into the lifecycle and producing them automatically at various stages of development will become the standard going forward.
SBOMs Help with Vulnerability Management
Because SBOMs are formal records that contain the details and supply chain relationships of various components used to build software, they offer comprehensive histories of the software that can help teams identify potentially risky components or sources. They can be extremely effective for addressing software vulnerabilities that cyber criminals can leverage to launch attacks.
Many software providers do not know what vulnerabilities exist in their software or which of them are exploitable. This was made clear with the recent discovery related to Log4j. One can only hope such vulnerabilities are discovered by security researchers or penetration testers who will quickly report the flaw to the software producer, rather than by cyber criminals who will exploit the vulnerability for malicious purposes.
Because vulnerability discovery is happening all the time, it’s nearly impossible to know all vulnerabilities in an environment at any given time. This is why building security into the software development lifecycle is so vital. But in the event that vulnerabilities are discovered, SBOMs provide a way to document security flaws and fixes.
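As an added illustration of the vulnerability-management use described above (example code written for this post, not from the original article or any SBOM vendor): a small checker that reads a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed, and reports which components fall inside an affected version range. The SBOM contents, advisory IDs and version ranges are all hypothetical sample data.

```python
import json

# Constructed sample SBOM in CycloneDX JSON layout (hypothetical components and versions).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"name": "log4j-core", "version": "2.14.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"name": "jackson-databind", "version": "2.13.4",
   "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
  {"name": "commons-text", "version": "1.10.0",
   "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"}
 ]}
"""

# Constructed advisory feed: placeholder IDs and hypothetical affected ranges
# (introduced is inclusive, fixed is exclusive, as in OSV-style ranges).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "log4j-core", "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "ADV-EXAMPLE-002", "name": "commons-text", "introduced": "1.5.0", "fixed": "1.10.0"},
]


def parse_version(version):
    """Dotted numeric versions only; real ecosystems need their own comparison rules."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom_text, advisories):
    """Return one finding per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "installed": comp["version"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (installed {f['installed']}, fixed in {f['fixed_in']})")
```

Re-running the check each time the SBOM is regenerated, and each time the advisory feed updates, is what makes the SBOM "dynamic" in the sense the post describes.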
SBOMs Lead to Stronger Security Posture
The broader use of SBOMs, and especially dynamic SBOMs, can have the result of improving the overall security of software products in the market—something that’s vital for the digital economy.
Linux Foundation Research conducted a survey of 412 organizations worldwide in 2021, and found that a majority (78%) expected to create or use SBOMs that year. That was up from 66% the previous year, according to the research arm of the Linux Foundation, a nonprofit organization that provides open source products.
Many organizations concerned about application security were making SBOM a cornerstone of their cybersecurity strategies, according to the Linux Foundation report. The research also found that 82% of the respondents were familiar with SBOMs, about three quarters were actively engaged in addressing SBOM needs and nearly half were producing or consuming SBOMs.
The study said one of the top benefits of SBOMs was that they made it easier for developers to understand dependencies across components in an application, and easier to monitor components for vulnerabilities.
The widespread adoption of SBOMs clearly has the potential to strengthen the security of software products, which is good news for producers and users of these products.