
Council Post: How SBOMs Help Uncover Vulnerabilities In Enterprise Applications

Chief Product Officer at CodeSecure, where he leads product strategy for the company’s application security testing product portfolio.

Software programs often contain components from open-source libraries that developers use to streamline development operations. In fact, a study by the Linux Foundation and Harvard University estimated anywhere from 70% to 90% of any piece of software could be made up of free and open-source software from libraries.

But, as recent cases like the Log4j vulnerability have shown, those practices make it hard to assess commercial software supply chain risk.

Because of this, the software bill of materials (SBOM) has become the go-to solution to identify the threats of software vulnerabilities and software supply chain attacks. In fact, the federal government has made SBOMs a cornerstone of its cybersecurity policy.

An SBOM is a detailed record of every software component including open-source code, libraries, dependencies, version and license information and even software vulnerabilities contained in an application. SBOMs are also a key component in securing commercial off-the-shelf (COTS) software applications that enterprises deploy including business productivity tools, IT management products, security products and more.

In this article, I’ll examine how SBOMs can help uncover hidden vulnerabilities as well as what companies need to know about creating them.

Addressing Software Supply Chain Risks

As we have seen time and again, apps that organizations implement right out of the box can introduce unintended attack vectors. The hack involving SolarWinds and other companies, for example, propelled the government to throw its weight behind SBOMs.

Organizations like to maintain an inventory of the assets in the software they develop, but the software they buy can be a black box. Having an inventory of that purchased software used to mean asking suppliers to self-attest that they followed secure development practices, such as having third parties evaluate and test the software. Now, that is not enough; enterprises are going deeper, looking for more visibility into exactly what components are inside the box they’re buying, and SBOMs let them trust but verify.

Sadly, the process is not standardized, which leaves enterprises struggling when vulnerabilities like Log4j or Heartbleed are flagged. Everybody is doing their own thing, supplying SBOMs or not and communicating about known vulnerabilities at their own pace.

When news of Log4j first surfaced, many enterprises spent weeks scouring their networks to determine whether they were exposed to the vulnerability—and if it was being actively exploited in their environment. With an inventory of their software artifacts provided by SBOMs, the assessment would have taken minutes, not weeks. The mean time to detection and response, a critical factor in threat mitigation, would have been dramatically reduced.

OpenSSL is another example of the challenges faced by the commercial software supply chain. The popular open-source toolkit for secure communications is nearing its end of life, and version 1.1.1 will no longer be supported with free security updates and patches after September 2023. Without SBOMs, organizations will struggle to determine if they have vulnerable code running in their networks and how to handle end-of-life issues.

SBOMs are also an effective procurement tool, allowing organizations to assess the risk of new COTS applications they want to deploy by identifying hidden dependencies such as OpenSSL. Procurement practices are adopting more shift-left principles and bringing security into the process of software selection, much like software engineers are incorporating security into the software development process. Enabled by having a clear inventory in the form of an SBOM, procurement can now make go/no-go deployment decisions when evaluating new COTS software.
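As an added illustration of the SBOM-driven lookup the article describes (the Log4j exposure check in the earlier paragraph and the procurement go/no-go decision in this one), the script below is example code, not code from the article or from CodeSecure. It embeds a constructed, minimal CycloneDX-style SBOM, matches each component's package URL against a constructed advisory list (the version ranges and advisory IDs are placeholders, not an authoritative vulnerability feed), and returns a go/no-go verdict. The `pkg:` package URL convention, the version-range comparison and the "any hit means no-go" rule are assumptions of the example.

```python
"""Match an SBOM's components against affected-version ranges.

Added example, not code from the article or from CodeSecure. The SBOM is a
constructed CycloneDX-style JSON document and the advisory list is
constructed sample data, not an authoritative feed.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON layout (only the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "openssl", "version": "1.1.1t",
         "purl": "pkg:generic/openssl@1.1.1t"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})

# Constructed advisory entries: versions in [introduced, fixed) are flagged.
# The bounds and IDs are placeholders for illustration, not a real advisory feed.
SAMPLE_ADVISORIES = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "id": "ADVISORY-PLACEHOLDER-1"},
    # Whole 1.1.1 branch flagged as end-of-life; next supported line assumed to be 3.0.0.
    {"purl": "pkg:generic/openssl",
     "introduced": "1.1.1", "fixed": "3.0.0", "id": "EOL-PLACEHOLDER"},
]


def version_key(version):
    """Turn '1.1.1t' into ((1,''),(1,''),(1,'t')) so tuples compare like versions.

    Handles dotted numeric segments with an optional letter suffix (the
    OpenSSL 1.1.1 letter-release scheme). Pre-release tags such as
    '2.0-beta9' are out of scope for this example and raise ValueError.
    """
    key = []
    for segment in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", segment)
        if not m:
            raise ValueError(f"unsupported version segment: {segment!r}")
        key.append((int(m.group(1)), m.group(2)))
    while len(key) < 3:          # pad so '2.0' and '2.0.0' compare equal
        key.append((0, ""))
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def split_purl(purl):
    """'pkg:maven/g/a@1.2?type=jar' -> ('pkg:maven/g/a', '1.2'); qualifiers dropped."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0]
    return base, version


def find_affected(sbom_json, advisories):
    """Return one hit per (component, advisory) pair whose version falls in range."""
    sbom = json.loads(sbom_json)
    hits = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue                      # no package URL, nothing to match on
        base, version = split_purl(purl)
        version = version or component.get("version", "")
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append({"component": component["name"],
                             "version": version, "advisory": adv["id"]})
    return hits


def procurement_decision(sbom_json, advisories):
    """Go/no-go rule assumed here: any affected component blocks deployment."""
    hits = find_affected(sbom_json, advisories)
    return ("no-go" if hits else "go"), hits


if __name__ == "__main__":
    decision, hits = procurement_decision(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    print(decision)
    for h in hits:
        print(f"  {h['component']} {h['version']} matches {h['advisory']}")
```

Run against the embedded SBOM the script flags `log4j-core` and `openssl` and returns `no-go`; pointing `find_affected` at a real SBOM export and a current advisory feed is the minutes-not-weeks check the article describes, since the matching is a lookup rather than a network scan.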

The same approach can be used for securing aging custom-built applications. The developers who wrote the source code for most legacy enterprise apps are often no longer with the organization. In fact, 69% of software engineers stay with the same company for two years or less. So, whoever coded those remote-work apps at the start of the pandemic pivot has probably switched jobs by now.

Applying the same discipline to legacy apps as to COTS software, by generating SBOMs for them, can go a long way toward managing the security risk baked into them. A single standard provides visibility and control.

Adopting SBOMs

Overall, SBOMs are crucial for improving software security, ensuring compliance and managing vulnerabilities throughout the software development life cycle. Both pre-production and post-production SBOMs, utilizing source code and binary software composition analysis (SCA) tools, respectively, contribute to a comprehensive solution.

Pre-production SBOMs are used during the planning, design, development and coding stages to assess feasibility, manage open-source components, ensure compliance and perform quality assurance. Post-production SBOMs, generated by binary SCA tools, come into play during deployment and distribution, vulnerability management, incident response, patch management, compliance and auditing.

SBOMs can be key to bringing legacy systems up to code, running networks safely today and preparing for tomorrow’s challenges. They are a powerful tool for shoring up an organization’s security posture and limiting its exposure to software supply chain security risks that are increasingly affecting commercial, off-the-shelf software.

Whether it is ensuring software is free of known vulnerabilities now, having the visibility to respond when vulnerabilities surface or preparing for future challenges such as end-of-life for widely deployed building-block code, SBOMs provide transparency and a verifiable way to maintain an inventory of an organization’s software, regardless of the origin of an application.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.