Difference between revisions of "SBOM"
From MgmtWiki
(→Context) |
(→Other Material) |
||
| (12 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | * While the term [[SBOM]] is not new, it received | + | * While the term [[SBOM]] is not new, it received limited attention until the publication of the [[Executive Order on Cybersecurity]] on 2021-05-12. |
* Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk. | * Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk. | ||
* [https://www.ntia.gov/files/ntia/publications/sbom_faq_-_20201116.pdf SBOM FAQ] 2020-11-16 | * [https://www.ntia.gov/files/ntia/publications/sbom_faq_-_20201116.pdf SBOM FAQ] 2020-11-16 | ||
| Line 9: | Line 9: | ||
===SBOM Formats and Standards=== | ===SBOM Formats and Standards=== | ||
* [https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf The NTIA Software Transparency Working Group on Standards and Formats was formed at the outset of the NTIA initiative in 2018 to assess available current formats for software bills of materials as well as forward-looking use-cases identified by other working groups or communities of practice] identified three formats in widespread use: | * [https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf The NTIA Software Transparency Working Group on Standards and Formats was formed at the outset of the NTIA initiative in 2018 to assess available current formats for software bills of materials as well as forward-looking use-cases identified by other working groups or communities of practice] identified three formats in widespread use: | ||
| − | # Software Package Data Exchange ( | + | # Software Package Data Exchange ([https://spdx.github.io/spdx-spec/ SPDX]), an open-source machine-readable format with origins in Linux Foundation and recently approved as ISO/IEC standard. |
| − | # CycloneDX (CDX), an open source machine-readable format with origins in the OWASP community | + | # CycloneDX ([https://cyclonedx.org/docs/1.2/ CDX]), an open-source machine-readable format with origins in the OWASP community |
| − | # Software Identification (SWID) an ISO/IEC industry standard used by various commercial software publishers | + | # Software Identification ([https://www.iso.org/standard/65666.html SWID]) an ISO/IEC industry standard used by various commercial software publishers |
| + | * Identify Software Identifiers in Commercial Use and Emerging Identifiers | ||
| + | # Common Package Enumeration - [https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe CPE] | ||
| + | # Package URLs - [https://github.com/package-url/purl-spec PURL] | ||
| + | # Software ID tags - [https://csrc.nist.gov/projects/Software-Identification-SWID SWID tag] | ||
| + | # Software Heritage persistent ID - [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html SWHID] | ||
| + | * [https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_energy_brief_2021.pdf NTIA SBOM: Formats and Tooling] PDF slide show | ||
==Problems== | ==Problems== | ||
It is not clear who will be responsible for defining a SBOM. Here is one current problem in 2021. There is a open source product did:orb that includes a make file that depends on GCC (the Gnu Compiler). Now the problem is that there is no way to build the code without these tools. I am unclear how it could be possible to know if the tools provided any contribution the the finished products if it is required to build the product. So, is the GCC part of the did:orb SBOM? The following wiki page contains a sample SBOM, [[Did:orb#Software_Bill_of_Materials]]. | It is not clear who will be responsible for defining a SBOM. Here is one current problem in 2021. There is a open source product did:orb that includes a make file that depends on GCC (the Gnu Compiler). Now the problem is that there is no way to build the code without these tools. I am unclear how it could be possible to know if the tools provided any contribution the the finished products if it is required to build the product. So, is the GCC part of the did:orb SBOM? The following wiki page contains a sample SBOM, [[Did:orb#Software_Bill_of_Materials]]. | ||
* [https://www.csoonline.com/article/3649794/drop-the-sbom.html SBOM critique] 2022-02-22 CSO Online - Software bills of material are having a moment, but the costs of an externally visible SBOM are likely to outweigh the benefits, says Andy Ellis. | * [https://www.csoonline.com/article/3649794/drop-the-sbom.html SBOM critique] 2022-02-22 CSO Online - Software bills of material are having a moment, but the costs of an externally visible SBOM are likely to outweigh the benefits, says Andy Ellis. | ||
| + | |||
| + | It is certainly possible to create a simple list of dependencies and all it and [[SBOM]] But when standard teams get together they try to accommodate all sorts of use cases. Considering the case of the [[SBOM]] which could be a simple list of dependencies or it could be a modular model linking other types of data into an [[SBOM]] such as build tools and vulnerability data.<ref>Sara Friedman, ''Federal officials warn against increasing complexity when developing standards, policies'' Inside Cybersecurity (2022-08-26) https://insidecybersecurity.com/share/13832?sf169739228=1</ref><blockquote>“The risk in this approach is we’ve all seen the world littered with really great standards ideas that no one ever touches because they were too complex and they were trying to cover too broad [an area]. SBOM’s power is that it can apply to the entire world of software which is giant,” ranging from a cloud container to medical devices to 5G and 6G radio access networks. “Complexity delivers value,” but it can also be “the enemy of security and success.”</blockquote> | ||
==Solutions== | ==Solutions== | ||
| + | * The next step is proactively warning users based on their [[SBOM]]. [https://www.cisa.gov/news-events/alerts/2023/03/13/cisa-announces-ransomware-vulnerability-warning-pilot CISA Announces Ransomware Vulnerability Warning Pilot] 2023-03-13 | ||
| + | * [https://devblogs.microsoft.com/engineering-at-microsoft/microsoft-open-sources-salus-software-bill-of-materials-sbom-generation-tool/ Microsoft open sources Salus software bill of materials (SBOM) generation tool] 2022-06-12 | ||
| + | * [https://blackberry.qnx.com/en/products/security/blackberry-jarvis BlackBerry Jarvis 2.0] Software Composition Analysis and Security Testing for Embedded Systems<blockquote>A software bill of materials (SBOM) can help you identify critical information about software components, allowing you to detect potential issues with implications for intellectual property disputes, security risks or overall quality. BlackBerry Jarvis 2.0 provides a view of your product’s SBOM without depending on what your suppliers provide. It provides you with vendor and product details for each file via an interactive chart. BlackBerry Jarvis 2.0 helps you identify risks with multiple dashboards including those for Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE). It excels in accurately detecting vulnerabilities thanks to its ability to derive deep insights on many aspects of the security of a binary package. </blockquote> | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===Other Material=== | ||
| + | * See the wiki on the [[Executive Order on Cybersecurity]] that mandated the use of the [[SBOM]]. | ||
| + | * [https://www.iiotsbom.com/iiotsbom-for-iot-device-manufacturers/overview-of-sbom-technology-support/ OVERVIEW OF SBOM TECHNOLOGY SUPPORT] | ||
| + | |||
[[Category: Glossary]] | [[Category: Glossary]] | ||
[[Category: Trust]] | [[Category: Trust]] | ||
Latest revision as of 22:52, 27 December 2023
Contents
Full Title
“Software Bill of Materials” or SBOM means a formal record containing the details and supply chain relationships of various components used in building software
Context
- While the term SBOM is not new, it received limited attention until the publication of the Executive Order on Cybersecurity on 2021-05-12.
- Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
- SBOM FAQ 2020-11-16
SBOM Formats and Standards
- The NTIA Software Transparency Working Group on Standards and Formats was formed at the outset of the NTIA initiative in 2018 to assess available current formats for software bills of materials as well as forward-looking use-cases identified by other working groups or communities of practice identified three formats in widespread use:
- Software Package Data Exchange (SPDX), an open-source machine-readable format with origins in Linux Foundation and recently approved as ISO/IEC standard.
- CycloneDX (CDX), an open-source machine-readable format with origins in the OWASP community
- Software Identification (SWID) an ISO/IEC industry standard used by various commercial software publishers
- Identify Software Identifiers in Commercial Use and Emerging Identifiers
- Common Package Enumeration - CPE
- Package URLs - PURL
- Software ID tags - SWID tag
- Software Heritage persistent ID - SWHID
- NTIA SBOM: Formats and Tooling PDF slide show
Problems
It is not clear who will be responsible for defining a SBOM. Here is one current problem in 2021. There is a open source product did:orb that includes a make file that depends on GCC (the Gnu Compiler). Now the problem is that there is no way to build the code without these tools. I am unclear how it could be possible to know if the tools provided any contribution the the finished products if it is required to build the product. So, is the GCC part of the did:orb SBOM? The following wiki page contains a sample SBOM, Did:orb#Software_Bill_of_Materials.
- SBOM critique 2022-02-22 CSO Online - Software bills of material are having a moment, but the costs of an externally visible SBOM are likely to outweigh the benefits, says Andy Ellis.
“The risk in this approach is we’ve all seen the world littered with really great standards ideas that no one ever touches because they were too complex and they were trying to cover too broad [an area]. SBOM’s power is that it can apply to the entire world of software which is giant,” ranging from a cloud container to medical devices to 5G and 6G radio access networks. “Complexity delivers value,” but it can also be “the enemy of security and success.”
Solutions
- The next step is proactively warning users based on their SBOM. CISA Announces Ransomware Vulnerability Warning Pilot 2023-03-13
- Microsoft open sources Salus software bill of materials (SBOM) generation tool 2022-06-12
- BlackBerry Jarvis 2.0 Software Composition Analysis and Security Testing for Embedded Systems
A software bill of materials (SBOM) can help you identify critical information about software components, allowing you to detect potential issues with implications for intellectual property disputes, security risks or overall quality. BlackBerry Jarvis 2.0 provides a view of your product’s SBOM without depending on what your suppliers provide. It provides you with vendor and product details for each file via an interactive chart. BlackBerry Jarvis 2.0 helps you identify risks with multiple dashboards including those for Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE). It excels in accurately detecting vulnerabilities thanks to its ability to derive deep insights on many aspects of the security of a binary package.
References
- ↑ Sara Friedman, Federal officials warn against increasing complexity when developing standards, policies Inside Cybersecurity (2022-08-26) https://insidecybersecurity.com/share/13832?sf169739228=1
Other Material
- See the wiki on the Executive Order on Cybersecurity that mandated the use of the SBOM.
- OVERVIEW OF SBOM TECHNOLOGY SUPPORT
