Software Supply Chain and Security - Does the Software BOM Approach Work?

SBOMs are now mandated for US federal procurement by executive order, but making SBOMs work in practice will be difficult.

Over the past year, software supply chain attacks have affected the public sector and the private sector alike. As services moved online and deployments grew more complex, the likelihood of flaws somewhere in these software supply chains increased. So how should you deal with this?

The US government offers one example. It has issued an executive order on cybersecurity that requires a secure software development process. As part of this, all federal agencies must require suppliers to provide a Software Bill of Materials (SBOM) for their IT projects, listing all relevant components. Following the guidance of the U.S. National Telecommunications and Information Administration (NTIA), these SBOMs provide a complete list of all software deployed throughout the organization and can be used to get ahead of future threats.

This approach aims to keep vulnerable components out of federal IT implementations and to help security teams plan ahead when new issues are discovered. By providing a complete picture of internal and external IT projects, it lets teams head off issues that lead to compromise over time and gain better insight into their software supply chain.

What can the UK Government learn from this, and can other organizations adopt something similar?

Does the SBOM approach work?

In theory, SBOM makes a lot of sense. Greater visibility into your software supply chain is a good thing, but to get it you need a robust workflow that can keep up with all the changes that occur within your IT vendors' products and your internal IT assets.

To do this right, there are lessons to learn from the IT Asset Management (ITAM) projects that most public sector organizations carry out. ITAM describes how organizations track hardware assets, software products, and licenses. An up-to-date asset inventory provides an accurate overview of all the software installed throughout the organization. Based on this, you can track your assets, flag potential issues and software vulnerabilities, and flag when updates occur.

However, ITAM is difficult to implement and maintain correctly. With so many software assets across multiple platforms, changes occur constantly. Covid-19 made this harder still: IT teams scrambled to provision more endpoints for remote working, or users simply took corporate devices home, and assets appeared in the cloud or on machines that were never on the official management list.

ITAM lands on the "too difficult" pile for many businesses and public sector organizations

For many businesses and public institutions, ITAM lands on the "too difficult" pile because maintaining an accurate list of assets and software is hard. Yet without an accurate asset list it is impossible to understand your potential vulnerabilities. For SBOM to deliver on its promise, this hurdle has to be overcome.

Executive-level support is required for SBOM to work effectively. The US government mandate helps here, because every vendor has to produce SBOMs in a timely manner. A new SBOM is required each time a product or service component is updated.

For vendors, automating this process will let them distribute this information efficiently to everyone who needs it. The harder part falls to internal teams, who have to keep track of all the products and software projects in use. The NTIA anticipates that this will be automated in future, which should ease the process. Other companies and public sector organizations considering SBOMs will need to learn from and adopt that automation.

Combining established ITAM, vulnerability management, and software supply chain management processes gives you a complete picture of what your organization is running. By using this data over time, IT teams can prioritize what needs to be updated, see what needs to be mitigated, and apply pressure on suppliers to fix software issues more effectively.
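The join described above (asset inventory to supplier SBOM to advisory feed, with the resulting findings ranked for action) and the re-check that the "new SBOM for every update" rule from earlier implies are shown below as an added example. This is not code from the original article or from Qualys; it assumes CycloneDX-style JSON SBOMs (bomFormat / components[] / purl), constructed product names, hosts and advisory IDs, and a simplified dotted-version ordering with no pre-release handling.

```python
"""Join supplier SBOMs, an ITAM inventory and a vulnerability feed.

Everything below is constructed sample data: the products, hosts and
advisory IDs are not real.  SBOMs use the CycloneDX JSON layout
(bomFormat / components[] / purl).
"""
import json


def make_bom(*components):
    """Build a minimal CycloneDX-style JSON document from (name, version, purl_base) tuples."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": n, "version": v, "purl": f"{p}@{v}"}
        for n, v, p in components]})


LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"
SPRING = "pkg:maven/org.springframework/spring-core"

# One SBOM per (product, version) the supplier ships; 3.3.0 is the updated build.
SBOMS = {
    ("acme-portal", "3.2.0"): make_bom(("log4j-core", "2.14.1", LOG4J), ("jackson-databind", "2.12.3", JACKSON)),
    ("acme-portal", "3.3.0"): make_bom(("log4j-core", "2.17.1", LOG4J), ("jackson-databind", "2.12.3", JACKSON)),
    ("beta-erp", "1.0"): make_bom(("spring-core", "5.3.8", SPRING)),
}

# Constructed ITAM export: what is installed where.  gamma-vpn has no SBOM on file.
INVENTORY = [
    {"host": "web01", "product": "acme-portal", "version": "3.2.0", "tier": "internet-facing"},
    {"host": "web02", "product": "acme-portal", "version": "3.3.0", "tier": "internet-facing"},
    {"host": "erp01", "product": "beta-erp", "version": "1.0", "tier": "internal"},
    {"host": "laptop-17", "product": "acme-portal", "version": "3.2.0", "tier": "endpoint"},
    {"host": "vpn01", "product": "gamma-vpn", "version": "2.1", "tier": "internet-facing"},
]

# Constructed advisories keyed by version-less purl; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": LOG4J, "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "purl": JACKSON, "introduced": "2.9.0", "fixed": "2.12.4", "severity": "high"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}
TIER_RANK = {"internet-facing": 0, "internal": 1, "endpoint": 2}


def version_key(v):
    """Sortable key for dotted versions: numeric parts compare as ints, others as strings."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in v.replace("-", ".").split("."))


def parse_sbom(doc):
    """Map version-less purl -> version for every component in a CycloneDX JSON document."""
    bom = json.loads(doc)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = {}
    for comp in bom.get("components", []):
        purl, _, ver = comp["purl"].partition("@")
        out[purl] = ver or comp.get("version", "")
    return out


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def exposure(sboms=SBOMS, inventory=INVENTORY, advisories=ADVISORIES):
    """Inventory -> SBOM -> advisories join; one finding per (host, advisory), most urgent first."""
    parsed = {key: parse_sbom(doc) for key, doc in sboms.items()}
    findings = []
    for asset in inventory:
        comps = parsed.get((asset["product"], asset["version"]))
        if comps is None:
            # A missing SBOM is a supplier gap to chase, not a clean bill of health.
            findings.append({**asset, "advisory": "NO-SBOM", "component": None, "severity": "unknown"})
            continue
        for adv in advisories:
            ver = comps.get(adv["purl"])
            if ver and in_range(ver, adv["introduced"], adv["fixed"]):
                findings.append({**asset, "advisory": adv["id"], "component": f"{adv['purl']}@{ver}",
                                 "severity": adv["severity"]})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], TIER_RANK[f["tier"]], f["host"]))
    return findings


def sbom_diff(old_doc, new_doc):
    """Components added, removed or re-versioned between two SBOMs of the same product."""
    old, new = parse_sbom(old_doc), parse_sbom(new_doc)
    return {p: (old.get(p), new.get(p)) for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)}


if __name__ == "__main__":
    for f in exposure():
        print(f"{f['severity']:<9} {f['tier']:<16} {f['host']:<10} {f['product']} {f['version']} "
              f"{f['advisory']} {f['component'] or ''}")
    print(sbom_diff(SBOMS[("acme-portal", "3.2.0")], SBOMS[("acme-portal", "3.3.0")]))
```

Two design points matter here. First, an asset whose product version has no SBOM on file is reported explicitly rather than silently skipped, because the absence of supplier data is itself the finding the article warns about. Second, the diff between two SBOMs of the same product is what tells you whether a vendor update actually moved the vulnerable component, so a new SBOM should be re-run through the same join rather than trusted on arrival.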

The future of SBOM

Taken together, the Biden administration's executive order and the NTIA's minimum elements guidance for SBOMs tell everyone involved in the software supply chain what their role and responsibilities are in improving security. They can provide a blueprint for governments around the world to follow. However, there are lessons to be learned from existing processes for tracking IT assets. In the UK in particular, IT process management is relatively advanced thanks to past adoption of ITIL, but not every IT team uses that framework.

Tracking updates with SBOMs helps IT teams see how suppliers change their software products, which helps catch problems early. However, prioritizing work and applying pressure where it is needed depends on suppliers providing that data in a timely manner. Without a combination of internal and external data sources, it is difficult to keep this information in context. And without executive-level support, it is difficult to keep these programs running and delivering value.

There are many factors to get right, but doing so should let SBOMs help keep public services more secure.

Matthew Middleton-Leal is Qualys’ Vice President of EMEA.
