“Cybersecurity and SBOMs – I’m Stumped in Seattle”
Dear Sloan,
What’s an SBOM? Is it part of cybersecurity? I hear people at work talking about this, and I’m afraid to ask. I am stumped, I don’t want to look foolish for not knowing, and I don’t want to fake like I do know what it is.
Thank you,
Stumped in Seattle
Dear Stumped About SBOMs and Cybersecurity,
There has been a lot of news about cybersecurity and SBOMs, and you’re probably not alone feeling stumped. SBOM is an acronym for Software Bill of Materials, and it represents a step toward secure coding practices. The term is borrowed from the manufacturing industry’s BOM (Bill of Materials). The BOM tracks components, parts, and raw materials, all the ‘things’ needed to assemble a vehicle, for example. The BOM lists where every single component was manufactured.
Remember the defective Takata airbags that were recalled? Car manufacturers were able to track all affected vehicles thanks to the record of parts contained in the BOM. With this data, manufacturers could quickly see a list of affected parts and issue recall alerts, and more expediently resolve the issue and save lives.
The SBOM works in much the same way as the BOM. It serves as a type of production roadmap, detailing every component’s journey across the software supply chain. Think of it this way, when you’re developing software, how much of it uses third-party software components? This includes both proprietary and open source software. I’ll assume your answer is in line with the industry standard, which is 80%! Can you see why it’s important to know what that 80% is made up of, and how you could track back to it if necessary? (Have you heard of the recent Log4j issue?)
More specifically, the SBOM:
- is a series of metadata applied specifically to software
- provides key information such as:
- component names
- license information
- version numbers
- vendors
You Could Be Sued
I really hate to bring this up, but do you remember the 2017 breach of our personal information that occurred at a multi-national consumer credit reporting agency, leading to massive exposure of millions of customers’ records? Of course you do. Did you know that the FTC sued them, and settled the claim for $700 million. The basis for their claim was that they knew of the Struts vulnerability, and their failure to promptly patch and safeguard their applications caused substantial injury to consumers. The settlement involved not just the FTC, but also the Consumer Financial Protection Bureau (CFPB) and all 50 states in the U.S. If that credit reporting agency had an SBOM, they would have been much better positioned to handle this situation.
Generate an SBOM – On Executive Order of the President of the United States
Recently, the president’s administration issued a cybersecurity executive order (EO). I won’t go into all the nuances here, but I can tell you an SBOM is part of that order. Sonatype’s blog post, Biden’s Cybersecurity Executive Order: Everything You Need to Know You Learned in Kindergarten is a really great primer on what it is, and what it means to you.
Does this help you feel less stumped in Seattle? Go ahead and add your comments or questions in the comments below. Keep in mind, there are plenty of other great blog posts on the topic, check out Sonatype courses, or take a look at our video on how to find and fix log4J.
Yours Truly,
Sloan
~ Making Cyber a Safer Space