How Will You Comply with the SBOM Mandate?

The clock has started on the software bills of material compliance date. Start preparing now.


The wheels are in motion to address issues with software supply chain security. At present there is no regulation, no reporting, and no oversight. Software developers won’t need much convincing that it’s time. The high-profile supply chain cyberattacks that occurred in 2020 and 2021 are evidence that visibility into vulnerabilities upstream is essential. However, businesses, organizations and government agencies typically don’t have that visibility. President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity aims to change that with several measures, including requiring that developers provide a software bill of materials (SBOM), either directly to users or publicly on a website.

What is an SBOM?

Nikhil Gupta, Co-Founder and CEO of ArmorCode and co-author of The Purple Book, explains that a software bill of materials is similar to the ingredients in a recipe. Taking that analogy further, when you enjoy a meal at a restaurant, you can be confident that the ingredients the chef used are safe and meet The Food and Drug Administration (FDA) standards. Moreover, if an ingredient is discovered to be harmful, it’s recalled to keep people safe.

Similarly, a software bill of materials will give users greater confidence that the application they’re using is safe. It lists all the components that went into creating an application – and, if a security vulnerability or malicious code is discovered in one of them, an agency providing oversight can notify users so that they can take preventive action – or begin remediation.
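The "recall" use of an SBOM described above, as an added example that is not part of the original article: two constructed SBOMs in a CycloneDX-style JSON layout are matched against a constructed advisory feed (placeholder advisory ids and component names, not real ones) to find which applications ship an affected component version.

```python
import json
from typing import Dict, List, Tuple

# Constructed example data: two minimal SBOMs in a CycloneDX-style layout.
# Component names, versions and advisory ids are made up for illustration.
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "fast-xml", "version": "1.4.2"},
            {"type": "library", "name": "json-utils", "version": "2.0.0"},
        ],
    }),
    "reporting-ui": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "template-engine", "version": "3.1.0"},
            {"type": "library", "name": "fast-xml", "version": "1.6.0"},
        ],
    }),
}

# Constructed advisory feed: component name -> first version containing the fix.
ADVISORIES = {
    "ADV-EXAMPLE-1": {"name": "fast-xml", "fixed_in": "1.5.0"},
    "ADV-EXAMPLE-2": {"name": "json-utils", "fixed_in": "2.0.0"},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple (assumes numeric versions)."""
    return tuple(int(part) for part in v.split("."))

def affected_components(sbom_json: str, advisories: Dict) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, component, version) for each component below its fixed version."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        for adv_id, adv in advisories.items():
            if comp["name"] == adv["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv_id, comp["name"], comp["version"]))
    return hits

def recall_list(sboms: Dict[str, str], advisories: Dict) -> Dict[str, List[str]]:
    """Map each advisory to the applications whose SBOM shows an affected component."""
    out: Dict[str, List[str]] = {adv_id: [] for adv_id in advisories}
    for app, sbom_json in sboms.items():
        for adv_id, _, _ in affected_components(sbom_json, advisories):
            if app not in out[adv_id]:
                out[adv_id].append(app)
    return out
```

Note that json-utils 2.0.0 is not flagged because the comparison is strictly below the fixed version; that boundary is where hand-written checks most often go wrong.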

The concept isn’t new. Software developers who work with enterprises have probably had requests during security reviews for information on the language version or open-source components they used to build an application. However, some developers are getting their first introduction to SBOMs through proposed regulations that would include fines for noncompliance, an incentive that appears to be more stick than carrot.

Software Bill of Materials Challenges to Overcome

Yes, there are hurdles that the industry and oversight agencies will have to overcome before SBOM policies are finalized. The first is how to create them. In the past, most software was monolithic, developed using waterfall methodology, and released infrequently. Today, however, more developers are creating applications with microservices architecture and agile development – and leveraging multiple languages and open source elements. And new releases can occur weekly or more often.

“There are a lot of developers who need to be educated on best practices and need access to software tools that can generate SBOMs automatically,” Gupta says. “Some tools exist, but there is room for improvement.” He adds the best solutions will not only list all of the components of a solution but also enable companies to sift through that information quickly.

Another challenge is meeting requirements to provide software bills of material but still protect your intellectual property (IP) and trade secrets.

“Some developers may not want to share SBOMs publicly for two main reasons. First, it would make it easier for competitors to reverse engineer their solutions. Second, if a developer publishes their SBOM publicly, it is like putting a target on their backs. Hackers will know what they use and can attack them more easily,” Gupta explains. He stresses, however, that developers need to recognize that transparency translates to trust.

“There has to be a middle ground, such as providing SBOMs on a contractual or as-needed basis,” he says, adding that this issue will take some time to hash out.

Reasons You Should Get Involved

The key takeaway for developers is your future will include complying with software bill of materials mandates. They will impact your business and, possibly, where you can sell your applications.

But also keep your eye on the goal of enhancing security and protecting users from supply chain attacks. Gupta points out that the industry’s current approach to security isn’t adequate to protect users, their data and infrastructure. Moreover, only modest progress has been made to bring DevSecOps teams together successfully.

Gupta encourages developers to join him and other industry leaders to create a workable plan and standards for software bills of materials.

Check out the NTIA Formats & Tooling Workgroup for more information and to see the progress it has already made.

“SBOMs are here to stay,” Gupta says. “Take this head-on. Whoever embraces this development will be a gamechanger. Those who don’t will be left behind.”

Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of DevPro Journal.
