Attackers continue to successfully target third parties as a way to circumvent an organization’s otherwise robust cybersecurity. In response, regulatory bodies have started to take action. Some now require a Software Bill of Materials (SBOM): a list of the components that make up a given software application. Simply put, an SBOM is the “digital supply chain” for a given system.
Here’s how organizations use the SBOM today and how it may help to better assess third-party security risk in the future.
If you deliver software to the U.S. federal government, you need an SBOM.
Despite existing for over a decade, SBOMs have returned to the forefront of cybersecurity following a surge in third-party supply chain attacks such as SolarWinds. In May 2021, an executive order was issued requiring that all organizations delivering software to the federal government detail the components of that software in an SBOM. In 2022, the UK followed with a similar strategy for defending the public sector against cyber attacks, the Government Cyber Security Strategy: 2022 to 2030.
The main purpose of SBOMs is to enable better management of third-party security risk for the federal government and organizations doing business with them.
SBOMs are also valuable for organizations that need to:
- Conduct due diligence before an acquisition or merger. Organizations can use SBOMs to better understand the risk of the new product or service before acquiring it.
- Identify security risks earlier in the development process. These risks are particularly relevant for device manufacturers who incorporate one or more software applications into their hardware system and cannot go back and make changes after production.
- Ensure vendor compliance. SBOMs help organizations provide increased visibility to ensure that their software meets compliance and security standards. This includes but is not limited to highly regulated industries such as healthcare, finance, utilities and energy.
What is an SBOM?
The basic guidelines established by the National Telecommunications and Information Administration (NTIA) define the minimum elements of an SBOM in three areas: the data fields to record for each component, the automation support needed to generate and consume SBOMs in machine-readable form, and the practices and processes for producing and distributing them. By requiring an SBOM, the US Executive Order aims to give greater transparency and visibility into the digital supply chain.
Not all digital supply chain vulnerabilities are created equal
Although the basic SBOM requirements are critical for gaining insight into the potential supply chain risk posed by vendors, they don’t communicate the vulnerabilities in software components, or the potential damage were any of those to be exploited by attackers.
As a result, NTIA took an additional step in developing the Vulnerability Exploitability eXchange (VEX), a report on the status of vulnerabilities in a product. Since only a small number of vulnerabilities are exploitable, the VEX can drastically reduce the time developers and manufacturers spend exploring the potential risks in a given application.
The Future Adoption of SBOMs
Gartner estimates that 60% of organizations will adopt SBOMs by 2025. As more organizations understand their value, we expect to see increased adoption by security teams in the following scenarios:
Speeding software procurement
SBOMs can assist in shortening the purchasing cycle of third-party software. They can help identify security deal-breakers and provide in-depth software security analysis when in-house resources aren’t sufficient.
Vulnerability management and threat intelligence
The proliferation of connected devices makes it increasingly challenging for organizations to identify which components along the digital supply chain are affected by vulnerabilities. The SBOM and VEX assist in guiding vendors through these complex software relationships.
Valuable incident response data
After a security incident or a data breach, in your organization or a third-party’s, an SBOM can provide documented evidence and a trail of what went wrong, where and how the incident affected other areas, systems, or versions. It can be used with other security workflow documentation for additional verification, functioning as a source for any additional necessary information in the case of discrepancies.
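The two steps described above, using the SBOM to find which products and versions ship an affected component and then applying VEX statements to drop the ones the supplier has declared not exploitable, as an added example that is not part of the original post or of any vendor’s tooling. All product names, component names, the advisory ID and the VEX statements are constructed placeholders.

```python
import json

# Constructed sample data (not from any real product, advisory or VEX feed).
# Two products in three versions as minimal CycloneDX-style SBOM JSON.
SBOMS_JSON = """{
  "inventory-svc@1.4.0": {"components": [
      {"name": "fastyaml", "version": "3.1.2"}, {"name": "httpkit", "version": "0.9.0"}]},
  "billing-svc@2.0.3": {"components": [
      {"name": "fastyaml", "version": "3.1.2"}, {"name": "sqlmapper", "version": "5.2.0"}]},
  "billing-svc@2.1.0": {"components": [
      {"name": "fastyaml", "version": "3.2.0"}]}
}"""

# Constructed advisory: placeholder ID, affected component, and the
# affected version range [introduced, fixed).
ADVISORY = {"id": "CVE-0000-PLACEHOLDER", "component": "fastyaml",
            "introduced": "3.0.0", "fixed": "3.2.0"}

# Constructed VEX statements from the supplier. Status values follow the
# VEX vocabulary: not_affected / affected / fixed / under_investigation.
VEX = [
    {"vuln": "CVE-0000-PLACEHOLDER", "product": "inventory-svc@1.4.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "CVE-0000-PLACEHOLDER", "product": "billing-svc@2.0.3",
     "status": "affected", "action": "upgrade to billing-svc@2.1.0"},
]

def vtuple(v):
    """Compare dotted versions numerically, so 3.10.0 > 3.9.1."""
    return tuple(int(x) for x in v.split("."))

def products_with_vulnerable_component(sboms, adv):
    """SBOM step: every product version that ships the component in the affected range."""
    lo, hi = vtuple(adv["introduced"]), vtuple(adv["fixed"])
    return sorted({p for p, s in sboms.items() for c in s["components"]
                   if c["name"] == adv["component"] and lo <= vtuple(c["version"]) < hi})

def apply_vex(products, vex, vuln_id):
    """VEX step: drop products the supplier asserts are not_affected; report the rest."""
    status = {s["product"]: s["status"] for s in vex if s["vuln"] == vuln_id}
    return {p: status.get(p, "no_vex_statement") for p in products
            if status.get(p) != "not_affected"}

def triage(sboms_json=SBOMS_JSON, adv=ADVISORY, vex=VEX):
    """Return (products matched by SBOM, products still actionable after VEX)."""
    sboms = json.loads(sboms_json)
    candidates = products_with_vulnerable_component(sboms, adv)
    return candidates, apply_vex(candidates, vex, adv["id"])
```

A product with no VEX statement is reported as `no_vex_statement` rather than silently dropped, so the gap in supplier data is itself visible to the incident responder.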
Mapping Risk Across the Digital Ecosystem
While SBOMs today are a tool for evaluating third-party security risk, they have even more potential. They can also provide a comprehensive map of the third-party dependencies in a government organization, the different relationships it has with that software and those services, and the potential damage from third-party security risk.
Automate Compliance Verification to Mitigate Third-Party Security Risk
SBOMs are only effective if organizations and their security teams constantly update them with the latest software releases, updates, new third-party services, and bug fixes. Not keeping up with these changes can put your data and organization at risk. Panorays quickly and easily automates this process so your third parties’ security aligns with your company’s internal policies and regulations, saving you time and resources.
An organization using Panorays also enjoys the ideal vantage point from which to track and manage SBOM information. Panorays identifies both your subcontractors and their digital assets, making it much easier to assemble the SBOM for those who don’t yet have it. In fact, one of the best ways to keep track of your SBOM is by adding each entry in the SBOM as a monitored company in Panorays to continuously monitor them.
Learn more about how Panorays can help you automate your SBOM compliance.