4 min read
In 2022 Supply Chain Security Needs to Be Top of Mind
As we begin a new year, it’s time to reflect on the strengths and weaknesses of our cybersecurity posture. Now more than ever, it’s important to...
We've crafted solutions tailored to your firm
The world of insurance for law firms can be confusing, and difficult to navigate. We've created this glossary because these common insurance terms should be easy to understand.
3 min read
LMG Security : Jun 14, 2022 12:00:00 AM
Well, it’s a good time to start preparing one. The Biden Administration recently released an Executive Order requiring federal agencies to obtain SBOMs from all vendors, and based on the recent Log4j vulnerability it’s predicted that many private companies will begin requiring SBOMs as well.
What is an SBOM?
According to the United States’ Cybersecurity and Infrastructure Security Agency (CISA), a “software bill of materials” (SBOM) has emerged as a key building block in software security and supply chain risk management. An SBOM is a nested inventory; it’s a list of ingredients that make up software programs and services. Most software programs use some open-source components and code libraries, and an SBOM should be a detailed inventory of every code library and component used so you can quickly determine if you are impacted when a vulnerability like Log4j is discovered.
Securing open-source software is now a major issue for the US government and businesses. This comes as no surprise since open-source software accounts for 70% to 90% of code in web and cloud applications. All this drives the need for SBOMs as part of a strong overall security strategy. Let’s dig into this issue and find out how you can incorporate these software inventories into your security action plan.
Growing Open-Source Software Risk
The problem isn’t software vulnerability alone; it’s also knowing exactly what components make up the software you have installed. Without an SBOM, you might not be aware of vulnerable code hiding in your applications. Take the Log4j vulnerability for example. As a widely used logging tool, Log4j is found in tens of thousands of Java software artifacts. However, due to a lack of transparency, many security professionals are unaware that Log4j is part of their software supply chain.
Most of this complexity is due to the rise of open-source software (OSS). In the Linux Foundation SBOM and Cybersecurity Readiness report, 98% of organizations surveyed use OSS. This means a plethora of new apps get built, packaged, and sold, but without an SBOM, the exact software components aren’t well defined. And if you don’t know what’s in your supply chain, how can you patch it? How can you be secure?
SBOMs Help You Quickly Remediate Risks
The threat of vulnerabilities (both known and zero-day) combined with the unknown contents of software packages has led security regulators and decision makers to push for the development of software bills of materials.
Once you have a detailed list of individual software components, you can quickly and accurately assess risk exposure. For example, you can begin to match your list against CISA’s Known Exploited Vulnerabilities Catalog. Or if you hear about an emerging mass exploit like Log4j, you can quickly check to see if your stack is at risk. If you don’t have an SBOM, you’re in the dark until you are notified by your vendor… or until you get hacked.
It’s estimated that 98% of codebases use open-source software components. Let’s dig deeper into what the Linux report found regarding organizational SBOM readiness and adoption in the third quarter of 2021 shows us. Of the total 412 organizations who participated in the survey:
As SBOMs become more readily available, you should incorporate requiring and utilizing these inventories as part of your organization’s supply chain security plan.
Production Steps & Benefits
Software and application makers should produce SBOM security lists as part of their development process. SBOM production should follow these steps:
According to the Linux report, the key benefits of producing these inventories include:
SBOM Security Benefits
For businesses that purchase and use software, the top SBOM security benefits include:
SBOM Strategies Continue to Evolve
Across all industries and sectors, SBOM readiness, production, and requirements are in the process of being operationalized, according to Linux. Also, solutions are emerging, but consensus has yet to materialize around a particular methodology, format, and tooling workflow.
For any organization, a good first step would be to begin to compile your own SBOM strategy, including requesting an SBOM from all new vendors. Meanwhile, the National Telecommunications and Information Administration provides in-depth guidelines for establishing a common software bill of materials.
This blog is distributed with the permission of LMG Security.
At LMG, our singular focus is on providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts have been covered on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.
4 min read
As we begin a new year, it’s time to reflect on the strengths and weaknesses of our cybersecurity posture. Now more than ever, it’s important to...
3 min read
In the past year, we have seen fascinating shifts in government interest and oversight of cybersecurity. There has been a resurgence of governmental...
6 min read
The dark web has changed in the past few years. As increasing numbers of cybercriminals use the dark web for exposure extortion sites that publish...