Software Bill of Materials (SBOM) - Part 1

Understanding the broken links in the software supply chain

What is SBOM?

Think of a Software Bill of Materials (SBOM) as a shopping list for a computer program: it lists everything the program is made of, like the ingredients in a recipe. Knowing every part, and knowing that each part is secure, is what keeps the program safe and reliable. SBOMs are becoming more important because they help protect against cyber threats and show that software can be trusted.

BOOM + BOOM + BOOM ===> SBOM

Why do we need one?

You need an SBOM to ensure the security and integrity of your software. It provides transparency into the components and dependencies of a program, helping you identify and manage vulnerabilities, comply with regulations, track the software supply chain, and efficiently address updates, ultimately reducing the risk of security breaches and supply chain attacks.

In December 2021, a critical vulnerability was discovered in the widely used Apache Log4j 2 library, tracked as CVE-2021-44228. The library handles logging in countless software applications, so the vulnerability posed a severe security threat.

Here’s why an SBOM would have been crucial in this situation:

  1. Rapid Identification of Affected Software: An SBOM would have provided a comprehensive list of all software applications using Log4j. This knowledge would have enabled organizations to quickly identify which of their applications were vulnerable.
  2. Efficient Patch Management: With an SBOM, organizations could have promptly determined the versions of Log4j in their software stack and identified which systems required patching. This efficiency is vital in critical situations like the Log4j vulnerability.
  3. Supply Chain Integrity: An SBOM would have tracked the source of the Log4j library used in each application. This could have helped organizations ensure the authenticity and integrity of the library, preventing potential supply chain attacks.
  4. Compliance Assurance: Many organizations are bound by industry regulations that require them to manage and disclose vulnerabilities…
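As an added illustration of points 1 and 2 above (example code, not part of the original post), the script below parses a small SBOM in the CycloneDX 1.4 JSON layout and flags any component whose version falls inside an advisory's affected range. The SBOM, the application name and the advisory record are constructed for this example; the log4j-core range assumes Apache's fix of CVE-2021-44228 in log4j-core 2.15.0, and in real use the range would be loaded from the vendor advisory or NVD rather than hard-coded.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample SBOM in the CycloneDX 1.4 JSON layout. The application and
# its component set are invented for this example, not taken from a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    ],
})

# Hypothetical advisory feed, one record per (package, affected range). The
# log4j-core range assumes Apache's fix of CVE-2021-44228 in 2.15.0; in practice
# the range comes from the advisory or NVD rather than being hard-coded.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$")


def parse_version(v: str) -> Tuple:
    """Sort key for Maven-style versions such as '2.14.1' or '2.0-beta9'.

    Numeric segments compare first; a pre-release tag sorts before the plain
    release of the same number (2.0-beta9 < 2.0). Tags are compared as plain
    strings, a simplification of Maven's full ordering rules.
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):                      # pre-release, e.g. beta9
        return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))
    return (nums, 1, "", 0)             # final release


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    key = parse_version(version)
    return parse_version(advisory["introduced"]) <= key < parse_version(advisory["fixed"])


def find_affected(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-reference every component in an SBOM against the advisory list."""
    sbom = json.loads(sbom_json)
    app = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("group") == adv["group"] and comp.get("name") == adv["name"]:
                if is_affected(comp["version"], adv):
                    findings.append({"application": app, "component": comp["name"],
                                     "version": comp["version"], "cve": adv["id"],
                                     "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['application']}: {f['component']} {f['version']} "
              f"affected by {f['cve']} (fixed in {f['fixed_in']})")
```

Run across every SBOM an organization holds, the same loop answers the two questions the Log4j incident raised: which applications ship an affected log4j-core, and which version each one needs to move to. Matching on group and name rather than on a package URL string keeps the check independent of how each SBOM generator formats its identifiers.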


Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.