Streamlining Software Bill of Materials Creation and Maintenance
The Biden administration recently issued an Executive Order in the wake of another string of costly and embarrassing cyber attacks. Executive Order 14028, Improving the Nation’s Cybersecurity, includes many new initiatives designed to share cybersecurity intelligence, modernize federal infrastructure, and improve the traceability and integrity of applications that store and process vital information. The last provision, laid out in Sec. 4, Enhancing Software Supply Chain Security, focuses on companies’ need to create a software bill of materials (SBOM) for their applications.
An SBOM is like any other bill of materials or packing list. It includes all components of an application, their versions, and important information related to vulnerabilities and licensing for third-party components. On the surface, this sounds like common sense and might lead you to wonder why it took an Executive Order to force companies to act. In short, even common-sense practices are difficult to do at the scale and complexity of modern applications. Applications are often patchworks of third-party components stitched together with custom code that is being worked on by dozens, if not hundreds, of developers from all over the world. Without the right tools, it can be challenging to create and maintain an SBOM that meets the five key principles of an effective one:
- Comprehensive – An SBOM should contain a list of every component within an application. This includes every third-party component with version and license information, and commit or version control information for any custom code deployed through code management tools. Creating this for every application in use would be a significant effort and would likely require several teams to dedicate themselves to it full time.
- Updated – Creating an SBOM is only the first step. It has to be maintained and updated every time a change is made to any application component. This includes code updates, vulnerability patches, new features, and any other modifications. These changes can happen at any time by any number of teams, and they need to be tracked in real time for the SBOM to be effective.
- Auditable – The information in an SBOM can’t be a best guess or based on insider knowledge. Every version number, vulnerability, and license must be from a reputable source and be verifiable by a third party. It’s imperative to maintain information integrity whenever an update is made to the SBOM.
- Enforceable – If it’s not in the SBOM, it shouldn’t be running in production. Any discrepancy could be an early sign that the application is compromised. The SBOM should be linked to an automated process or tool that verifies the provenance of every component and alerts the appropriate teams if an unauthorized file or change is detected.
- Actionable – Reviewing an SBOM should give you a clear picture of the current state of your applications and insight into what’s required to secure them properly. In addition to all of the files and components that exist, it should also show you what’s loaded and in use, along with any issues that require immediate attention. These issues range from misused licenses to critical vulnerabilities. It’s not enough to compile all of this information; it has to be used to improve cybersecurity.
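The Auditable and Enforceable principles above, as an added example that is not from the original post and not Rezilion's product code: a small Python check that records a content hash for every component when the SBOM is built, then compares a production inventory against it and reports anything unlisted, drifted, or tampered. The component names, versions, and byte contents are constructed stand-ins, and the SBOM shape is a simplified one rather than a standard format such as CycloneDX or SPDX.

```python
import hashlib

# Constructed known-good build artifacts: name -> (version, file bytes).
# In a real pipeline the bytes come from the build output; these are stand-ins.
KNOWN_GOOD = {
    "libfoo": ("1.2.3", b"libfoo-1.2.3 release build"),
    "webapp": ("git:abc123", b"custom app code at commit abc123"),
    "openssl": ("3.0.8", b"openssl 3.0.8 build"),
}

# Constructed production inventory (same shape): openssl was upgraded outside
# the pipeline, libfoo's bytes no longer match the release build, and an
# unlisted component has appeared.
OBSERVED = {
    "libfoo": ("1.2.3", b"libfoo-1.2.3 release build + extra bytes"),
    "webapp": ("git:abc123", b"custom app code at commit abc123"),
    "openssl": ("3.1.0", b"openssl 3.1.0 build"),
    "unknown-plugin": ("0.1", b"not produced by the build pipeline"),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(artifacts: dict) -> dict:
    """Auditable: record each component's version and a content hash that a
    third party can recompute from the artifact, not an insider's best guess."""
    return {name: {"version": ver, "sha256": sha256_hex(blob)}
            for name, (ver, blob) in artifacts.items()}

def audit_runtime(sbom: dict, observed: dict) -> list:
    """Enforceable: compare what is actually running against the SBOM.
    Returns a sorted list of (component, finding) tuples; empty means clean."""
    findings = []
    for name, (ver, blob) in observed.items():
        entry = sbom.get(name)
        if entry is None:  # running but never recorded: unauthorized file
            findings.append((name, "not_in_sbom"))
            continue
        if entry["version"] != ver:  # SBOM was not updated for this change
            findings.append((name, "version_mismatch"))
        if entry["sha256"] != sha256_hex(blob):  # same version label, different bytes
            findings.append((name, "hash_mismatch"))
    for name in sbom:  # Actionable: listed components that are not loaded
        if name not in observed:
            findings.append((name, "listed_but_not_running"))
    return sorted(findings)

if __name__ == "__main__":
    for component, finding in audit_runtime(build_sbom(KNOWN_GOOD), OBSERVED):
        print(f"ALERT {component}: {finding}")
```

Wiring the returned findings into an alerting channel, and re-running the audit on every push and on a schedule, is what turns the list into the automated enforcement the principle calls for.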
Creating and maintaining an SBOM that meets the above criteria can be an extremely daunting task without the right tools. Some tools generate a bill of materials for open source software but neglect custom-developed code; others may neglect the underlying application infrastructure entirely. Rezilion Validate creates a dynamic SBOM automatically and updates it every time code is pushed. This bill of materials is based on our patented reverse engineering technology, called Workload Composition Analysis, which allows us to see exactly what comprises an application, what’s running in memory, and where each component came from. It’s the only full-stack, dynamic SBOM that meets all of the criteria above and doesn’t require any tuning or manual intervention to create and maintain. Click here for a demo of Validate to see how it can help you comply with Executive Order 14028 and so much more.