#SOOCon23: Open Source Tools can Automate SBOM Requirements

Large-scale supply chain attacks pose a major challenge for information security professionals. According to cybersecurity firm Sonatype, attacks on supply chains have surged by a staggering 742% in the past three years.

To evolve security in the software supply chain, organizations should start by using tools provided by the open source community, said Thomas Steenbergen, director of the Open Source Program Office (OSPO) at EPAM Systems, speaking at the State of Open Con 23 conference. This includes developing a software bill of materials (SBOM).

SBOM requirements first appeared in U.S. President Joe Biden’s May 2021 executive order on improving national cybersecurity, issued in response to the SolarWinds supply chain attacks in late 2020.

Other countries have since followed suit. For example, the United Kingdom is proposing to introduce “requirements in government procurement [such as] certified software vendors [and] SBOMs” in a call for views on the resilience and security of the software that companies and organizations use, published on February 6, 2023.

“Government agencies are now beginning to translate these principles into more workable requirements, and negotiations are extending beyond federal and national supply chains. The private sector is also considering them,” said JP Morgan Chase executive director Rao Lakkakula.

Lakkakula likened the SBOM problem to making an ingredient list for a box of chocolates.

Another problem with creating an SBOM, Steenbergen argued, was “too much afterthought.”

“We need to build an SBOM upstream to automate getting these lists directly from the package manager,” he added.

Open source, the road to SBOM

While this is difficult to do with vendor-supplied software, tools exist to automatically generate SBOMs for open source software, which, according to Snyk, makes up 90% of modern software applications. Steenbergen introduced one of them, the Open Source Software Review Toolkit (ORT), at the State of Open Con session.

ORT is an open source software policy automation and orchestration toolkit started in 2015 by Steenbergen and other OSPO representatives. It provides scanning tools for software licensing and security (software vulnerabilities, patches, etc.), encodes best practices based on company standards and InnerSource (a software development strategy that applies open source techniques to proprietary code), and can be used to create SBOMs.

“In terms of creating a perfect SBOM, we are not there yet, but it would be nice for countries to start demanding minimum requirements even if the SBOM is still very imperfect, because it’s a first step. It’s a journey and we’re moving forward,” Steenbergen told Infosecurity.

“We are past the awareness stage and have gotten somewhat good at creating SBOMs and are working to get them upstream.”

The next step is “the consumption side of SBOM, which is still in its infancy,” he continued.

There are two challenges to overcome in this area. First, the need for a standard Vulnerability Exploitability Exchange (VEX), the system used to provide security advisories for each package. “There are at least four such initiatives in parallel,” Steenbergen noted. The second is the need for a test suite that links code to SBOM lines. “Currently, applying the same software package to multiple SBOM tools yields very different results,” he said.
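To make the two consumption-side problems concrete, here is an added example (not from the article, ORT, or any SBOM tool) that reconciles two SBOMs produced for the same package by different tools and then applies VEX statements to each. The SBOM field names are a simplified, CycloneDX-like shape and the VEX statuses follow the OpenVEX vocabulary; all component names, versions and vulnerability IDs are constructed.

```python
"""Reconcile two SBOMs for the same package, then apply VEX statements.

Constructed sample data, not output from any real tool. The SBOM shape is a
simplified CycloneDX-like dict (assumption); VEX statuses use the OpenVEX
vocabulary: affected / not_affected / fixed / under_investigation.
"""

# Two SBOMs for the same artifact, as two different tools might emit them
# (constructed; note the disagreement on 'lodash' and the missing 'minimist').
SBOM_TOOL_A = {"components": [
    {"name": "express", "version": "4.18.2"},
    {"name": "lodash", "version": "4.17.21"},
    {"name": "minimist", "version": "1.2.8"},
]}
SBOM_TOOL_B = {"components": [
    {"name": "express", "version": "4.18.2"},
    {"name": "lodash", "version": "4.17.20"},
]}

# Supplier VEX statements keyed to 'name@version' (constructed placeholder IDs).
VEX = {"statements": [
    {"vulnerability": "EXAMPLE-VULN-0001", "product": "lodash@4.17.20", "status": "affected"},
    {"vulnerability": "EXAMPLE-VULN-0002", "product": "express@4.18.2", "status": "not_affected"},
    {"vulnerability": "EXAMPLE-VULN-0003", "product": "minimist@1.2.8", "status": "under_investigation"},
]}

def component_keys(sbom):
    """Normalise components to 'name@version' so two tools' outputs are comparable."""
    return {f"{c['name'].lower()}@{c['version']}" for c in sbom["components"]}

def reconcile(sbom_a, sbom_b):
    """Return (agreed, only_in_a, only_in_b): where the two SBOM tools disagree."""
    a, b = component_keys(sbom_a), component_keys(sbom_b)
    return a & b, a - b, b - a

def actionable_vulns(sbom, vex):
    """Vulnerabilities still open for components listed in this SBOM.
    'not_affected' and 'fixed' are closed out by the supplier's VEX; any other
    status (including unknown ones) is kept open, the conservative choice."""
    present = component_keys(sbom)
    closed = {"not_affected", "fixed"}
    return sorted(s["vulnerability"] for s in vex["statements"]
                  if s["product"] in present and s["status"] not in closed)

if __name__ == "__main__":
    agreed, only_a, only_b = reconcile(SBOM_TOOL_A, SBOM_TOOL_B)
    print("agreed:", sorted(agreed))
    print("only tool A:", sorted(only_a), "| only tool B:", sorted(only_b))
    print("open for A:", actionable_vulns(SBOM_TOOL_A, VEX))
    print("open for B:", actionable_vulns(SBOM_TOOL_B, VEX))
```

The two SBOMs end up with different open vulnerability lists even though they describe the same package, which is exactly why a test suite tying SBOM lines back to code matters before VEX data can be trusted downstream.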
