TAG Cyber: Dynamic SBOMs Help Secure the Software Attack Surface


Software attack surface management (SASM) provides an effective way to secure software throughout an organization’s software development life cycle (SDLC). Rezilion’s dynamic software bill of materials (Dynamic SBOM) effectively implements SASM for practical enterprise environments, according to a new report from cybersecurity research and advisory firm TAG Cyber.

The report, Implementing Software Attack Surface Management Using the Rezilion Dynamic Software Bill of Materials, notes that SASM draws some parallels with comparable attack surface management (ASM) methods used to secure enterprise networks.

TAG Cyber defines the software attack surface as the whole software ecosystem of an enterprise across its entire technology stack, including cloud workloads, hosts and applications. To protect against threats and vulnerabilities, the software attack surface needs to be continuously managed throughout the SDLC, from development to production, it states.

The goal of SASM is to understand the attack surface; identify, prioritize, and remediate vulnerabilities; and ensure continuous coverage via automation. “The dynamic nature of the software attack surface makes it very difficult to manage,” the report says. Among challenges are the lack of a perimeter for software, a constantly changing feature set, and the growing volume of software.

As a result of digital transformation, software has become the number one attack surface, TAG Cyber says. Recent events such as the Log4j vulnerability and SolarWinds breach show the importance of protecting this growing attack surface. And the explosive growth of the software attack surface and rising number of attack vectors precipitate the need for tools that can manage and protect software ecosystems under a unified attack surface management platform, it asserts.

The Dynamic SBOM “serves as a powerful starting point for discovery and understanding of a software attack surface,” the report says. It also provides contextual information that offers enriched insight into the potential exploitability of discovered vulnerabilities in a specific environment, underlining the fact that the mere presence of a vulnerability doesn’t make it exploitable.

Because the Dynamic SBOM is continuous and updated in real time as code makes its way through the DevOps lifecycle, this insight becomes valuable to developers and security engineers during all phases of the life cycle.

Rezilion’s Dynamic SBOM platform collects relevant data about the software environment using static and dynamic miners, the report notes. Runtime and memory data from hosts, containers, and applications are then analyzed for file paths, command-line arguments, hashes, and numerical representations of memory components.

“The platform then reverse engineers the software using collected data to map its components, establish vulnerability context, generate provenance, and create the dynamic SBOM,” TAG Cyber says. “Insights are thus provided to the software and security engineering teams into runtime execution profiles and code interdependencies that help reduce vulnerability backlogs, prioritize what to fix first, and remediate more quickly.”
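The two paragraphs above describe the core idea in the abstract: a static inventory of components is enriched with what is actually loaded at runtime, and vulnerability context is derived from that. The following is an added illustration of that enrichment step, written for this page and not Rezilion's code or anything from the TAG Cyber report. It assumes a simplified static SBOM record (name, version, path, hash), a runtime observation made up of (path, hash) pairs seen mapped into running processes, and an advisory map keyed by name and version; all sample data is constructed, and the advisory identifiers are placeholders rather than real CVE numbers.

```python
"""Runtime-aware SBOM enrichment (illustrative example, not Rezilion's implementation).

Three constructed inputs:
  STATIC_SBOM    - components found on disk during a static scan
  RUNTIME_LOADED - (path, sha256) pairs observed loaded in live processes
  VULN_DB        - (name, version) -> placeholder advisory ids
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    path: str
    sha256: str


@dataclass
class Finding:
    component: Component
    advisories: list
    runtime_state: str  # "loaded", "drifted" or "not-loaded"


# Constructed sample data; hashes are short fake strings for the demo.
STATIC_SBOM = [
    Component("log4j-core", "2.14.1", "/app/lib/log4j-core-2.14.1.jar", "aa11"),
    Component("commons-text", "1.9", "/app/lib/commons-text-1.9.jar", "bb22"),
    Component("jackson-databind", "2.12.0", "/app/lib/jackson-databind-2.12.0.jar", "cc33"),
    Component("oldtool", "0.1", "/opt/unused/oldtool.jar", "dd44"),
]

# Constructed runtime observation. jackson-databind is loaded but its hash no
# longer matches the static record (file replaced after the scan).
RUNTIME_LOADED = {
    ("/app/lib/log4j-core-2.14.1.jar", "aa11"),
    ("/app/lib/jackson-databind-2.12.0.jar", "ff99"),
}

# Placeholder advisory ids, not real identifiers.
VULN_DB = {
    ("log4j-core", "2.14.1"): ["VULN-PLACEHOLDER-A"],
    ("commons-text", "1.9"): ["VULN-PLACEHOLDER-B"],
    ("jackson-databind", "2.12.0"): ["VULN-PLACEHOLDER-C"],
    ("oldtool", "0.1"): ["VULN-PLACEHOLDER-D"],
}


def classify_runtime(component, runtime_loaded):
    """Decide what the runtime evidence says about one component."""
    observed = {h for p, h in runtime_loaded if p == component.path}
    if not observed:
        return "not-loaded"      # present on disk, never mapped into a process
    if component.sha256 in observed:
        return "loaded"          # exactly the inventoried artifact is running
    return "drifted"             # same path is loaded, but the content changed


def enrich(sbom, vuln_db, runtime_loaded):
    """Keep only components with advisories and attach runtime context."""
    findings = []
    for c in sbom:
        advisories = vuln_db.get((c.name, c.version), [])
        if advisories:
            findings.append(Finding(c, list(advisories), classify_runtime(c, runtime_loaded)))
    return findings


# Drifted first (the inventory is stale and must be re-established), then
# loaded (reachable at runtime), then not-loaded (present but inert for now).
RANK = {"drifted": 0, "loaded": 1, "not-loaded": 2}


def prioritize(findings):
    """Order findings so the runtime-relevant ones surface first."""
    return sorted(findings, key=lambda f: (RANK[f.runtime_state], f.component.name))


if __name__ == "__main__":
    for f in prioritize(enrich(STATIC_SBOM, VULN_DB, RUNTIME_LOADED)):
        print(f"{f.runtime_state:11} {f.component.name}@{f.component.version} "
              f"{','.join(f.advisories)}")
```

The "not-loaded" bucket is the concrete form of the report's point that presence alone does not imply exploitability; the "drifted" bucket shows why a static SBOM alone is not enough, since a component can be swapped underneath an inventory that was correct when it was taken.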

These capabilities would have been especially useful for organizations dealing with the Log4j and SolarWinds incidents, the firm says.

“Securing your software ecosystem is driven by the Rezilion dynamic SBOM via identification of all software components, mapping of discovered vulnerabilities to provide context, tracking of changes in the software, and maintenance of continuous updates,” the report says. “As any software professional will attest, these capabilities provide essential risk management benefits and are rapidly becoming a priority in any software development environment.”

Read the TAG Cyber report here.
