Understanding SBOM “Software Bill of Materials” and lower-level controls.
Throughout the government, several initiatives are underway to support the presidential Executive Order on Improving the Nation’s Cybersecurity issued in May 2021. This order includes implementing a zero-trust framework and providing greater visibility into application vulnerabilities through a Software Bill of Materials (SBOM) that identifies third-party and open-source components in the codebase.
Software developers and vendors often create products by assembling existing open source, third-party, and commercial software components. An SBOM allows the builder to confirm those components are up to date and to respond quickly when a new vulnerability is disclosed. Buyers can use an SBOM to perform vulnerability or license analysis, both of which help evaluate the risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are potentially exposed to a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for more significant benefits through automation and tool integration.
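The operator use case above (does a newly disclosed vulnerability affect anything in my inventory?) is what a machine-readable format makes automatable. The following is an added example, not code from the original post or from any vendor mentioned in it: it parses a small CycloneDX-style JSON SBOM constructed inline, matches its components against a constructed advisory list using version ranges, and also produces the license breakdown a buyer would want. All component names, versions, package URLs and advisory identifiers are made up for illustration; a real deployment would pull advisories from a feed such as OSV or NVD and match on package URL rather than bare name.

```python
from __future__ import annotations

import json

# Constructed CycloneDX-style SBOM. Names, versions, purls and licenses are
# sample values for this example, not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logging@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-http", "version": "1.3.0",
     "purl": "pkg:maven/org.example/example-http@1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-yaml", "version": "0.9.2",
     "purl": "pkg:pypi/example-yaml@0.9.2",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed advisory feed. The identifiers are hypothetical placeholders,
# not real CVE or GHSA numbers. Ranges follow the common "introduced <= v < fixed" shape.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-logging",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-http",
     "introduced": "1.4.0", "fixed": "1.4.2"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when the installed version falls inside the half-open affected range."""
    installed = parse_version(version)
    return parse_version(introduced) <= installed < parse_version(fixed)


def load_components(sbom_json: str) -> list[dict]:
    """Extract the component list from a CycloneDX JSON document."""
    return json.loads(sbom_json).get("components", [])


def match_advisories(components: list[dict], advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) pair where the version is affected."""
    findings = []
    for component in components:
        for advisory in advisories:
            if component["name"] != advisory["package"]:
                continue
            if is_affected(component["version"], advisory["introduced"], advisory["fixed"]):
                findings.append({
                    "advisory": advisory["id"],
                    "component": component["name"],
                    "version": component["version"],
                    "fixed_in": advisory["fixed"],
                })
    return findings


def license_report(components: list[dict]) -> dict[str, list[str]]:
    """Group component names by declared SPDX license id (UNKNOWN when absent)."""
    report: dict[str, list[str]] = {}
    for component in components:
        licenses = component.get("licenses") or [{"license": {"id": "UNKNOWN"}}]
        for entry in licenses:
            license_id = entry.get("license", {}).get("id", "UNKNOWN")
            report.setdefault(license_id, []).append(component["name"])
    return report


if __name__ == "__main__":
    components = load_components(SBOM_JSON)
    for finding in match_advisories(components, ADVISORIES):
        print(f"{finding['advisory']}: {finding['component']} {finding['version']} "
              f"is affected, fixed in {finding['fixed_in']}")
    for license_id, names in sorted(license_report(components).items()):
        print(f"{license_id}: {', '.join(names)}")
```

Running it reports that example-logging 2.14.1 falls inside the first advisory's range while example-http 1.3.0 predates the second advisory's introduced version and is therefore not flagged; the same loop, run against a real advisory feed on every new disclosure, is the "respond quickly" workflow the paragraph describes.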
In short, the SBOM acts like the nutrition charts on food packages. Many software companies use open-source code that can’t be validated for continued security.
To illustrate the need, the Army runs 23 depots, arsenals, and plants where networked systems control the machinery that churns out explosives, ammunition, weaponry, and other industrial materials critical to the ground service’s warfighting operations. But officials are concerned the so-called “operational technology” at those facilities and other critical infrastructure locations could be susceptible to digital hacks, tampering, and other cyber incidents.
“Any network compromise would disrupt production and could destroy equipment, injure workers, and impact coordination with multiple partner agencies,” the Army states. “Any insecurities in the systems that support these OIBs (organic industrial base) could pose grave national security risks.” Indeed.
Therefore, the Army is asking its vendors for information on open-source code and third-party applications to identify vulnerabilities and secure their operational technology (OT) and information technology (IT).
Businesses need to address cybersecurity in new ways.
Businesses have invested much money, effort, and technology into addressing cybersecurity challenges. And many are doing it the wrong way:
- Addressing issues by applying patches, which then become so numerous they cause issues
- Investing money in cybersecurity technology and neglecting other critical investments like automation and DevSecOps
- Emphasizing perimeter defenses, creating larger attack surfaces and larger targets
- Using generic scanning tools, producing generalized results that don’t necessarily provide actionable intelligence
- Neglecting to automate and streamline compliance, resulting in rising costs they pass on to their clients
As a result, businesses would do well to focus on four strategies that can ease their compliance burden, reduce risk and help them spend more wisely:
- SBOMs: Learn who and what is behind your code to ensure the most secure acquisition and gain actionable intelligence about your codebase.
- Automation: Automation solutions like ConfigOS can scan and remediate compliance issues in a fraction of the time it takes a human. An added benefit is that lower-level specialists can learn the software in an hour or two, enabling them to implement requirements they might not otherwise be able to.
- DevSecOps: By “shifting left” and baking security into the development process, you reduce vulnerabilities and create a more iron-clad solution.
- Zero Trust: A Zero Trust architecture goes beyond perimeter security to encourage distrust of users, networks, or locations when accessing data.
Let’s not forget about the lower-level controls.
“Controls” are individual security requirements specified by the National Institute of Standards and Technology (NIST). NIST’s encyclopedic Special Publication 800-53 (currently on revision 4) is the definitive guide to security and privacy controls for federal information systems. When you have scanned and remediated your controls for vulnerabilities, you will have a secure baseline and, in the government, authority to operate (ATO).
Now here comes the tricky part: which controls are already taken care of by your infrastructure, and what is the new impact on the applications already running on that infrastructure? What type of ATO do you need to achieve, and how do you coordinate with your information security team to add, remove, or modify controls to achieve cost-effective, risk-based security determined by the mission? Do you have a continuous monitoring process to keep your system secure once you’ve established the initial secure baseline? Securing interconnected systems in an increasingly integrated world makes everything far more complicated.
The supply of experts is dwarfed by the demand for person-hours to do all the cybersecurity work, which is why automation is increasingly critical. Go beyond generic vulnerability scanning to receive actionable intelligence unique to your system and needs. By leveraging automation, you can ensure continued secure system-level control effectiveness and document processes for a more mature cybersecurity posture—in far less time and with far less effort than you are using now.
SBOM is just the start of a complex security journey.
While the US Army is securing its SBOM data from various vendors and third parties, they acknowledge the intent is for the critical infrastructure cyber protection program to go further. “There’s the Internet of Things, all the sensors that go into a multitude of systems that we don’t understand the supply chain behind,” says Army CIO Raj Iyer. “This is a much broader need.”
As any cybersecurity program progresses, it reveals places where more work can be done. From SBOM data to vulnerability scanning data and continuous diagnostics and mitigation, having actionable intelligence makes a huge difference. Between the intelligence and time savings automation offers, you’ll get to ATO faster. To see how solutions like ConfigOS work, schedule a demo today.