In 2021, the software bill of materials — and its widely known acronym SBOM — joined the list of security buzzwords after President Joe Biden signed an executive order in May that makes the SBOM a requirement for federal contractors. It’s a step that adds federal contractors to the long list of industries that have been wrestling with the SBOM riddle, including medical device manufacturers, digital developers, and the automotive industry. SBOMs are a measure that security specialists have long sought across many industries to enhance software security, especially in the wake of high-profile cyberattacks, which increasingly target supply chains.
If we think about what it takes to secure a supply chain, it starts with knowing who your suppliers are and identifying and managing the risks that those suppliers may bring to your products and services — a discipline commonly known as Third-Party Risk Management (TPRM). Many TPRM programs frequently require their digital suppliers to follow secure development practices (Secure DevOps), but without an SBOM to identify all the components in the digital solution, there will be security gaps in your supply chain.
“To understand the cyber risk present in software products throughout the supply chain, an organization needs visibility into the components that make up the software product,” says Russell Jones, a partner with Deloitte & Touche LLP, US Cyber and Strategic Risk Practice. “If a malware or ransomware attack occurs in an Internet of Things (IoT) device or commercial off the shelf (COTS) product, companies have a complex web of software vendors to investigate and identify vulnerabilities among a multitude of open source and third-party software components. SBOMs are like ‘ingredient’ lists that can help security analysts (and adversaries just the same) more easily identify potentially impacted/vulnerable components.”
For IT and security teams, an SBOM is especially helpful for providing insight into the security of the software applications they’re running inside their organizations — or the software that’s powering devices users rely on every day. And for end customers/users, the SBOM is the key to making sure that the products we rely on every day have every piece of their digital code identified and secured. An SBOM doesn’t prevent undiscovered vulnerabilities, but it can be incorporated into an organization’s vulnerability management process to identify weaknesses that may not be picked up by traditional vulnerability scanning tools. Procurement organizations can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product prior to making a purchase. To prioritize the most critical cyber risks on the attack surface, the components of the attack surface must be known — and SBOMs are an additional weapon in the cybersecurity arsenal to provide that visibility.
“Markets thrive with transparency, and secure supply chains are a critical piece in the digital ecosystem environments that most organizations operate in today. Transparency builds trust among each of the supply chain players and that creates value,” says Deborah Golden, US Cyber & Strategic Risk leader for Deloitte & Touche LLP. “Consider the SBOM as a lever for trust, encouraging developers and software creators to deliver a complete SBOM and turning a previously murky chain of vulnerabilities into a source of value, driving preference and differentiation.”
Meet the Modern-Day SBOM
The SBOM has been gaining a foothold for some time among industries adopting IoT-connected devices. In the healthcare industry, for example, the connectivity of medical devices and systems enables better patient care. However, the connectivity also broadens the exposure of vulnerabilities across networks and the healthcare supply chain. A vulnerability in a third-party component upstream can potentially inflict profound downstream impacts on patient health, privacy, and safety.
At the forefront of the push to incorporate SBOMs, regulators, medical device manufacturers, and hospitals have been collaborating to develop proof-of-concept (POC) trials and examine standardization of the SBOM’s format and content. These proof-of-concept trials have yielded useful findings, such as the difficulty of reconciling names for the same SBOM sub-component (e.g., a DLL file) across different threat intel sources (e.g., the National Vulnerability Database vs. a commercial vulnerability scanning tool), and which SBOM use cases were most practical for healthcare provider cybersecurity teams. The learnings from the POC trials are helping medical device manufacturers provide SBOMs with their devices that are useful to healthcare organizations’ security and clinical engineering teams in their efforts to manage cyber risk in fielded medical devices.
“Medical device manufacturers developing SBOMs have been focused on creating machine-readable SBOMs that contain useful cybersecurity information that can be leveraged by hospital IT and security teams in their vulnerability management and incident response processes,” says Veronica Lim, a principal with Deloitte & Touche LLP, US Cyber and Strategic Risk Practice. “SBOMs may also help device manufacturers reduce their supply chain risks and provide better, faster support to hospital networks and healthcare providers.”
SBOMs have the potential to benefit the supply chain stakeholders of medical technologies without significantly increasing software production costs. Increasing transparency unlocks and enables trustworthy, resilient, and safer healthcare technologies for everyone.
Building the SBOM
The SBOM has some complexity because of the iterative nature of software — instead of a physical part that lives in a car wearing over time, software updates trigger SBOM updates. At its core, however, the tenets are the same as a manufacturing BOM or Jones’ ingredient example. To this end, it’s imperative that there’s a common language and standard that allows the multiple “ingredients” to be understood as the same regardless of who manufactured the ingredient (e.g., wheat gluten is understood as wheat gluten regardless of who manufactures it).
A standardized SBOM would include component names, license information, version numbers, the author of the SBOM, and the manufacturer of the component(s) within the SBOM. Since most of the software assembled today is composed of open-source software or third-party code, SBOMs should provide visibility across the supply chain for anyone building software, buying software, or operating software.
The future of SBOMs lies in continued adoption and regulation. In order for SBOMs to be ubiquitous, there must be standardization of the SBOM format (e.g., SPDX, SWID) and more demand from commercial consumers, which is already starting to be seen in sectors like healthcare and critical infrastructure, says Sharon Chand, US Cyber & Strategic Risk Secure Supply Chain leader at Deloitte & Touche LLP.
“International guidance and standards around SBOMs are necessary to get to the kind of efficiency needed to implement security and keep up with the pace of the threats,” Chand says.
By consolidating a list of components and versions in one place, SBOMs can save a significant amount of time otherwise spent searching for vulnerabilities by hand. It also becomes easier to cross-reference software with sources such as the National Vulnerability Database and to integrate the analysis into organizational vulnerability management systems. Automation can keep costs low. Initiating an SBOM for any piece of software can begin to answer critical questions about the provenance of software supply chains.
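To make the cross-referencing workflow concrete, here is an added example (not code from the article or from Deloitte) that builds a minimal SPDX-2.2-style SBOM with the fields the article lists (component name, version, license, supplier/manufacturer, SBOM author) and matches its components against a vulnerability feed. The SBOM contents, the advisory feed, its IDs, the product names and the affected version ranges are all constructed for this illustration and are not real NVD data. The feed deliberately spells product names differently from the SBOM, so the example also shows the name-normalization step that the POC trials above found necessary; the `normalize_name` and `version_key` helpers are this example's own simplifications, not part of any standard.

```python
"""Constructed SBOM vs. constructed advisory feed: a minimal cross-reference."""
import json
import re

# Constructed SPDX 2.2-style JSON document (not a real product's SBOM).
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "example-gateway-firmware",
    # SBOM author, one of the fields the article says a standardized SBOM carries
    "creationInfo": {"creators": ["Organization: Example Device Co (hypothetical)"]},
    "packages": [
        {"SPDXID": "SPDXRef-pkg-1", "name": "OpenSSL", "versionInfo": "1.1.1k",
         "supplier": "Organization: OpenSSL Project", "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-pkg-2", "name": "zlib", "versionInfo": "1.2.11",
         "supplier": "Organization: zlib contributors", "licenseConcluded": "Zlib"},
        {"SPDXID": "SPDXRef-pkg-3", "name": "Example Net Library", "versionInfo": "2.4.0",
         "supplier": "Organization: Example Vendor (hypothetical)",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# Constructed advisory feed. IDs and version ranges are made up; product names are
# spelled differently from the SBOM on purpose ("openssl" vs "OpenSSL").
ADVISORIES = [
    {"id": "CONSTRUCTED-2021-0001", "product": "openssl",
     "affected_below": "1.1.1l", "severity": "HIGH"},
    {"id": "CONSTRUCTED-2021-0002", "product": "example-net-library",
     "affected_below": "2.3.0", "severity": "MEDIUM"},
    {"id": "CONSTRUCTED-2021-0003", "product": "zlib",
     "affected_below": "1.2.12", "severity": "LOW"},
]


def normalize_name(name):
    """Lower-case and collapse separators so 'Example Net Library' == 'example-net-library'."""
    collapsed = re.sub(r"[^a-z0-9]+", "-", name.lower())
    return re.sub(r"-+", "-", collapsed).strip("-")


def version_key(version):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare as tuples."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d*)(.*)", piece)
        parts.append((int(match.group(1) or 0), match.group(2)))
    return tuple(parts)


def load_sbom(text):
    """Extract the per-component fields the article names from an SPDX-style JSON document."""
    doc = json.loads(text)
    return [{"spdx_id": pkg["SPDXID"], "name": pkg["name"], "version": pkg["versionInfo"],
             "supplier": pkg.get("supplier", "NOASSERTION"),
             "license": pkg.get("licenseConcluded", "NOASSERTION")}
            for pkg in doc["packages"]]


def match_vulnerabilities(components, advisories):
    """Return one finding per (component, advisory) pair whose version is below the fix."""
    index = {}
    for adv in advisories:
        index.setdefault(normalize_name(adv["product"]), []).append(adv)
    findings = []
    for comp in components:
        for adv in index.get(normalize_name(comp["name"]), []):
            if version_key(comp["version"]) < version_key(adv["affected_below"]):
                findings.append({"spdx_id": comp["spdx_id"], "component": comp["name"],
                                 "version": comp["version"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed_in": adv["affected_below"]})
    return findings


def unlicensed_components(components):
    """License analysis from the same SBOM: components with no asserted license."""
    return [c["name"] for c in components if c["license"] == "NOASSERTION"]


if __name__ == "__main__":
    comps = load_sbom(SBOM_JSON)
    for finding in match_vulnerabilities(comps, ADVISORIES):
        print(f"{finding['severity']:6} {finding['component']} {finding['version']} "
              f"-> {finding['advisory']} (fixed in {finding['fixed_in']})")
    print("No license asserted:", unlicensed_components(comps))
```

Run against the constructed data, the script reports OpenSSL 1.1.1k and zlib 1.2.11 as matching advisories and flags the third-party library as having no asserted license; the same `load_sbom` output is what you would feed into a vulnerability management system in place of the print statements. Without `normalize_name`, none of the advisories would match, which is exactly the naming problem the POC trials surfaced.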
“The evolution of supply chain networks is driven by technology and organizations of all sizes are learning that any software supply chain is only as strong as the weakest link. Equipped with machine readable SBOMs and automated integration tools, supply chains can start to integrate trust and transparency into security practices, generating valuable ROI,” Golden says. “The humble SBOM creates a level of accountability across vendors for the security of software products and delivers a comprehensive view of risk that can empower customers.”