How the SBOM Executive Order Helps Improve Cybersecurity

In the wake of major cyberattacks, such as December 2021’s Log4Shell, Congress and federal agencies have ramped up requirements for transparency in software supply chains. Software vendors are facing new requirements, including providing a software bill of materials, or SBOM, which can help improve cybersecurity measures.

What is an SBOM?

Simply put, a Software Bill of Materials (SBOM) is a list of components that comprise the software. Much like a box of cereal lists its ingredients, software vendors must do the same: the SBOM lists all the open-source software, commercial libraries, and third-party libraries that an application uses. 

Since ~80% of new application code comes from open source, it's essential to maintain an inventory of those libraries to respond immediately the next time a component is found vulnerable.

What are the SBOM standards?

SBOMs generally come in one of two widely accepted standards: CycloneDX and SPDX. CycloneDX comes from the Open Web Application Security Project® (OWASP) Foundation, and SPDX comes from the Linux Foundation. Both are open-source projects with communities of developers and supporters. While there are differences in the formats and the capabilities of each, both formats satisfy SBOM requirements. 

Why do SBOMs matter for cybersecurity?

SBOMs have been around as a concept for years. However, the recent Log4Shell cyberattack forced enterprises to dedicate more time and attention to understanding their ingredients. In the Log4Shell event, Log4j — a widely-used logging library used by over 12 million Java developers — contained an exploitable vulnerability susceptible to remote code execution (RCE). RCE means an attacker can run code of their choosing on the victim's system. It’s a very damaging capability.

Organizations were left scrambling to determine whether any of their internal applications used an affected version of Log4j and whether any of their vendors did. In the case of vendor exposure, the only solution was often to call or email suppliers one by one, which took weeks. In the wake of this serious, messy, time-consuming, and manual task, more and more organizations are turning to SBOMs to understand their third-party software supply chains and help prevent, or at a minimum contain, future cyberattacks.

What is the SBOM requirement?

Recently, several pieces of SBOM legislation have been adopted. In May 2021, Executive Order 14028 set requirements for federal agencies to begin requiring SBOMs from their vendors. The FDA has issued draft guidance for medical device manufacturers suggesting that SBOM requirements are not far off. Most recently, H.R. 7900 - National Defense Authorization Act for Fiscal Year 2023 stipulates that the Department of Defense (DoD) and Department of Energy (DoE) will begin requiring SBOMs for new and existing contracts.

How do you generate an SBOM?

[Image: SBOM sample, courtesy JupiterOne]

There are proprietary and open-source tools available for SBOM generation, and lists of tools abound. OWASP, which supports the CycloneDX standard, maintains a Tool Center that lists SBOM generation tooling. Different software languages and ecosystems may require different sets of tools, and large enterprises usually have many applications, some of which use legacy technology that can make SBOM generation difficult.

A recent innovation is automatic SBOM generation. Historically, developers have had to run a job to generate an SBOM manually, but new companies and tools are building SBOM generation into software development pipelines (often referred to as Continuous Integration/Continuous Deployment, or CI/CD, pipelines) so that new SBOMs are generated from every new build. This eliminates the need for the manual SBOM generation effort but can result in hundreds of SBOMs per application, which requires new tooling to manage.

What do you do with SBOMs once you’ve generated them?

SBOMs are a nascent and rapidly growing field. Because so few enterprises generated or required them until very recently, the question of how to make them useful has been largely theoretical. 

Now that they’re on the verge of being required by so many industries and enterprises, SBOM components must be “matched” to vulnerabilities in vulnerability databases, such as the National Vulnerability Database. This can be challenging, as some components don’t include a unique identifier for a perfect match — an issue that several federal entities, foundations, and private sector companies seek to address.
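The matching step described above, as an added example that is not from the original article: a small constructed CycloneDX JSON SBOM is matched against a constructed advisory list keyed by Package URL (purl), and any component that ships without a purl is reported separately because it cannot be matched reliably. The SBOM contents, the advisory feed and the `EXAMPLE-ADV-0001` identifier are all placeholders constructed for this example.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        # No purl (or CPE): the consumer can only flag it, not match it.
        {"type": "library", "name": "legacy-utils", "version": "1.0"},
    ],
})

# Constructed advisory feed: package identified by version-less purl plus
# the set of affected versions. The advisory id is a placeholder, not a CVE.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "affected_versions": {"2.14.0", "2.14.1"}},
]

def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (package, version)."""
    package, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0]  # drop qualifiers such as ?type=jar
    return package, version or None

def match_sbom(sbom_json, advisories):
    """Return (matches, unidentified): matches are (name, version, advisory id)
    tuples; unidentified lists components that carry no purl to match on."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    matches, unidentified = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(f"{comp['name']}@{comp.get('version', '?')}")
            continue
        package, version = split_purl(purl)
        for adv in by_purl.get(package, []):
            if version in adv["affected_versions"]:
                matches.append((comp["name"], version, adv["id"]))
    return matches, unidentified
```

In practice the advisory list would come from a vulnerability database feed and the matches would be handed to a ticketing or SIEM integration; the unidentified list is exactly the identifier gap the text describes.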

Once SBOM components are matched to vulnerabilities, the next step is to patch and remediate the vulnerabilities. It’s reasonable to expect that SBOM consumption tools will have integrations with Security Information and Event Management (SIEM) tools, such as Splunk, which will generate tickets for developers and security professionals to address issues. 

Lastly, those organizations generating SBOMs will likely need a way to share their SBOMs with customers securely. This, too, is an emerging field, with no clear consensus yet on how to best proliferate SBOMs across enterprises.

Who will request SBOMs?

One benefit of the new emphasis on SBOMs is that it allows consumers of software (virtually every enterprise) to solicit SBOMs from software vendors as part of vendor due diligence. Much like enterprises ask for SOC 2 certifications and vendor security questionnaires, SBOMs will become a standard request before new tools are bought and deployed.

Enterprises in healthcare, finance, manufacturing, and defense are already instituting this as a requirement or alerting their vendors that the requirement is coming shortly. By taking these measures, everyone can help ensure better cybersecurity protection for all enterprises.

Marc Frankel

Marc Frankel is the CEO and co-founder of Manifest, a venture-backed cybersecurity company focused on operationalizing software bills of materials (SBOMs). Marc led public sector business operations at attack surface management company Expanse, acquired by Palo Alto Networks (NASDAQ:PANW) in 2020. Prior to Expanse, Marc led customer engagements at Palantir (NYSE:PLTR) and was the recipient of a 2006 Thomas J. Watson Fellowship.

https://www.manifestcyber.com