SBOMs are a no-brainer: 4 takeaways from MITER’s Software Supply Chain Security Summit


With attacks targeting the software supply chain on the rise — and a very real new category of risk for security teams and CISOs — software bills of materials (SBOMs) are being hailed as “no-brainer” by both government and industry experts.

SBOMs have become a major talking point in the conversation about how best to secure the software supply chain. MITER’s 2022 Supply Chain Security Hot Topics Summit, moderated by MITRE’s VP of Cyber ​​Technologies Wen Masters, Ph.D., was attended by representatives from the private and public sectors, all of whom had something to say about SBOMs.

The MITER panel consisted of three top experts in the field of software supply chain security: Allan Friedman, Senior Advisor and Strategist at the US Cybersecurity and Infrastructure Security Agency (CISA), Michael Worden, Technical Director at Raytheon Technologies, and Brian Knight, Principal Product Manager at Microsoft. The panel demonstrated Industry and government agree on one key point: SBOM adoption is critical to securing the software supply chain.

Here are four key takeaways from the MITER panel.

[ Get a free SBOM and full supply chain risk analysis report ]

1. SBOMs are a no-brainer

As we’ve already discussed, SBOMs serve as a good first step for any organization that produces or uses software. Similar to the iconic black and white food nutrition label, SBOMs list a software package’s ingredients and classify those components by origin and severity.

As part of his role at CISA, Friedman became the federal government’s SBOM “cheerleader.” At the beginning of the MITER panel, Friedman introduced his SBOM talking points by defining SBOMs and mentioning the importance of the Biden administration’s executive order to improve the nation’s cybersecurity (14028). This executive order served as the catalyst for a series of official documents released by the federal government to develop policies to secure the software supply chain.

These federal guidelines include the National Institute for Standards and Technology (NIST) Secure Software Development Framework, the Enduring Security Framework Working Group report on “Securing the Software Supply Chain” (PDF), and the Office of Management and Budget (OMB) Memorandum M- 22-18 (PDF). Each of these federal guidelines cites the use of SBOMs as helpful in mitigating risk in the software supply chain.

While SBOMs are a relatively new concept, Friedman said companies should act quickly to adopt them.

“There is no reason why a company with a non-trivial security maturity cannot start producing SBOMs based on its software, request SBOMs from its suppliers and start consuming them.”
Alan Friedman

Raytheon’s Worden offered the practitioner’s perspective as a leader in the cybersecurity industry and largely reflected Friedman’s points.

“As safety engineers, we are never sure… We focus on the burden of truth… [An SBOM] helps us to come to a burden of truth.”
Michael Worden

Referring to the power of SBOMs, Worden emphasized the importance of transparency for security practitioners and the rest of the industry. He believes SBOMs are able to shed light on what can potentially compromise any software package, making it an indispensable tool for practitioners.

“The power of SBOMs is that they can be applied to the entire world of software,” Friedman said, allowing security practitioners, regardless of their industry, whether it’s medical devices or financial technology, to gain insight into the software they’re targeting they rely on, Friedman said.

2. There is much more work to be done in the introduction of SBOM

While efforts to secure software and encourage the use of SBOMs are going in the right direction, more work is needed to increase the acceptance of SBOMs and make them both workable and useful, experts agreed.

For example, Worden emphasized that security practitioners need insight into the data that can represent risks in the software supply chain: “The next step is to … drive the development of useful analytics,” he said. Tools like SBOMs will only help improve software security if the software industry as a whole is actually willing to create and use them. Until adoption is high, security practitioners will remain in the dark when assessing software supply chain risk, experts agreed.

This was also a conclusion of a Dimensional Research survey, which found that only 27% of software companies create and review SBOMs. Additionally, an overwhelming 9 out of 10 software experts warned that the difficulty of creating and verifying SBOMs is increasing.

3. Automation is a must

With the threat landscape and development environments constantly changing, automation is key if SBOMs are to be effective, experts agreed.

“If we can’t do this through automated tools at scale, we will fail.”
Alan Friedman

At the practitioner level, Worden also shared concerns about a lack of automation: “How do you automate this so that we can respond at the speed that software is evolving?”

Both Friedman and Worden, representatives of government and industry, agreed that without automation at the micro and macro levels, SBOMs will take software security efforts in the wrong direction.

4. SBOMS must evolve alongside risks

As the industry learns more about risks to the software supply chain, SBOMs must evolve as well, experts agreed. “We anticipate that the amount of what constitutes an SBOM will increase,” Friedman said, based on previous requirements for SBOMs that were established in 2021 and are no longer appropriate.

The evolving trends surrounding the use of SBOM show that securing the software supply chain will be a journey, Friedman said. This means the software industry must adapt SBOMs to the changing threat landscape to support security practitioners.

“We need to tell better stories about what SBOMs mean.”
– Allan Friedman

keep learning

*** This is a Security Bloggers Network syndicated blog from the ReversingLabs Blog written by Carolynn van Arsdale. Read the original post at: https://blog.reversinglabs.com/blog/industry-and-government-agree-sboms-are-a-no-brainer