Where to next for the SBOM?

Posted in
Placeholder

It is important to keep a sense of perspective when considering the impact of software, particularly open source software, on the question of supply chain integrity. In some industries, the practice of breaking down and analyzing the software supply chain has been applied more or less rigorously according to certain standards for many years prior to the Biden Administration’s Cybersecurity Executive Order released in 2021. In the automotive industry for example, vehicle manufacturers have been consistently requesting SBOMs and representations around the use of OSS from their suppliers and NHTSA has been active over the last decade in formalizing guidelines to support those efforts. 

In line with a policy of focusing on software for critical systems, some agencies notably DHS, DoD and NASA have already issued recommendations for new regulations. The FDA has gone one step further and has already implemented far-reaching rules for suppliers of medical devices applicable as from October 2023 (the issue of legacy products already in operation is yet to be addressed). Similar proposals have been submitted in the European Union, where the EU Cyber Resilience Act has already received much publicity.

Not surprisingly though, the spotlight has fallen on the integration of software applications into safety critical operations or products (healthcare, transportation) and on systems handling sensitive data such as financial information. The MOVEit vulnerability exploit proved again that the cybersecurity landscape is evolving so rapidly that even in industries where there is a high degree of awareness and collaboration around OSS and its use in the software supply chain, the hammer can fall at any moment and in any corner of your software system architecture, OSS or not. In the case of MOVEit the attack hit the commercially licensed managed file transfer service typically, but by no means exclusively, utilized by banks and financial organizations. The means adopted (SQL command) and the host environment (public internet servers) seems to have made this attack particularly worrying for the cybersecurity industry.

The notion of the ‘weakest link’ has never been more to the forefront and that weakest link could be anywhere, including behind your own firewall. Some regulators, notably those in the EU responsible for the Cyber Resilience Act, are taking a broad swipe at the OSS industry, consciously or not. The maintainers of OSS projects across the globe will be feeling the heat and many according to some experts are already at breaking point. The question raised is an important one: to what extent will heavy-handed regulation risk throwing the OSS baby out with the bathwater.  

The public sector regulators are under heavy pressure to pick up the pace across the entire spectrum of government procurement and this is likely to catch many commercial enterprises off guard. 

Federal News Network released a video recently with the caption “why the SBOM is just the beginning of software supply chain cybersecurity”. The Federal News Network is a provider of news for Federal agencies, policy makers and contractors citing a subscriber base of nearly 900.  The video is available on the Federal Insights page (under Resources) of the Federal News Network website. Given the growing importance of this topic and the amount of press coverage surrounding the Cybersecurity Executive Order, the viewing figures are surprisingly low. 

One thing emphasized in this video is the complexity of the supply chain itself (third parties hosting systems and services on your behalf, contractors providing services on your behalf), not to mention the now ubiquitous use of OSS in both customized application development and commercially available software products.  It is this complexity coupled with the nature of software stacks, their APIs, and the way signals and commands run between them as well as between them and the infrastructure they are part of that together makes up what some refer to as a Zero-Trust environment. The SBOM is a good start in providing needed transparency for the supply chain but Zero-Trust practitioners will tell you that without constant monitoring of software applications during runtime, only the tip of the iceberg may be visible. An SBOM however complete at the time of creation is not in and of itself the answer. 

In addition, the SBOM must be actionable. There needs to be a continuing dialogue, open sharing at all levels of the chain and enough transparency, capability and process to know how the various organizations in the chain should respond when the next cyber attack shows up. And even after all that, there will remain a residual risk.  

Just like OSS itself, the SBOM is not going to go away. The tools and processes supporting the creation, analysis and maintenance of SBOMs are becoming more sophisticated and will continue to do so. Standard specifications and use of metadata are critical components of the burgeoning automation industry facilitating the process of software scanning and SBOM creation.  All of this will be driven primarily by the ever-present cybersecurity risk but the license compliance risk is also set to take on a new set of complexities with the advent of commercially available AI generative large language models (LLM). For more insights on this topic, see our article Muddy Waters -Where Does AI sit in the Paradigm of Open/Closed Software?

With the recent proliferation of generative large language learning models, provenance and licensing of data and content is becoming just as critical a concern as the provenance and licensing of the software code itself. And it’s a massive task due to the sheer quantity and variety of data being used for training and fine tuning these models. Tracing the creators of public data sets and the sources of the data itself will be a part of this, as will techniques and tools for a pragmatic analysis of the risk profile in those cases where the available provenance and licensing information is uncertain or ambiguous. 

As generative AI software drives its hooks into an increasing array of publicly available materials and privately managed databases, the potential for content misuse, unintended data exposure and exploitative actions will pose increasing challenges across all market sectors and for all public and private enterprises. 

Your mOSS team

Leave a Reply

Your email address will not be published. Required fields are marked *