SOFTWARE SUPPLY CHAIN REGULATIONS: How to achieve effective & efficient SBOM management?

This whitepaper targets product owners, product security managers and compliance professionals of manufacturers worldwide who need to understand and achieve effective and efficient SBOM management in order to comply with international regulations.

Table of contents

Executive Summary & Background

The changing landscape of software supply chains: SBOMs and their challenges

Understanding SBOM content and related challenges

Strengthening software supply chain security and compliance

Key takeaways to achieve effective & efficient SBOM management

WHY EVERY MANUFACTURER WORLDWIDE NEEDS TO IMPLEMENT SOFTWARE BILLS OF MATERIALS (SBOMS)

Executive Summary

This white paper explains why every manufacturer in the world needs to manage the supply chain risks associated with software vendors and operators, a need that regulators in various industries now recognize.

Recent cybersecurity incidents have exposed weaknesses in modern software supply chains, leading to the introduction of new rules and regulations. Software Bills of Materials (SBOMs) have emerged as a key focus within these regulations, because they provide the tangible artifact on which effective supply chain risk management is built.

This paper aims to educate manufacturers, developers, and integrators of connected products (IoT/IIoT/OT) on the importance of SBOMs and the steps needed to address them.

It discusses the significance of SBOMs in the light of recent cybersecurity incidents, the challenges of software component integration, the role and challenges of SBOMs in supply chain risk management, generating SBOMs, sharing SBOMs, and the use of SBOMs for complying with OSS licenses, reducing vulnerabilities, and securing software supply chains. The paper concludes by emphasizing the need for organizations to prioritize software supply chain management and implement robust security practices to mitigate risks effectively.

Background

Regulators across various industries have recognized the criticality of managing supply chain risks associated with software vendors and operators. Recent events have highlighted the vulnerabilities of connected systems due to modern software supply chains, prompting the introduction of new rules and regulations. Failure to comply with these regulations can lead to exclusion from markets and potential liability for negligence.

These regulations cover a wide range of domains, including consumer IoT. Software Bills of Materials (SBOMs) have emerged as a prominent focus within these regulations, as they serve as tangible artifacts that enable key processes. Several regulations explicitly mention SBOMs, driving significant attention towards them. The following sections aim to educate manufacturers, developers and integrators of connected products (IoT/IIoT/OT) on the importance of SBOMs and the necessary steps to address them.

Today’s products and devices rely heavily on a complex combination of open-source and third-party software components sourced from the supply chain, in addition to in-house developed code. However, the prevalence of externally developed software leaves device and product manufacturers with little visibility into the associated risks. SBOMs have been introduced as a regulatory requirement to address this issue and to provide a means of gaining visibility into, and control over, supply chain risks. They enable manufacturers to understand the software assets within their products and devices beyond what their providers disclose.

Generating an SBOM requires understanding both the process and the content requirements. Furthermore, combining automatically generated SBOMs with continuous threat monitoring can significantly enhance development efficiency and reduce time to market for devices and products, while also keeping pace with the evolving threat landscape.


THE CHANGING LANDSCAPE OF SOFTWARE SUPPLY CHAINS: SBOMS AND THEIR CHALLENGES

CYBERSECURITY INCIDENTS SHOW NEED OF SBOM

The significance of SBOMs considering recent cybersecurity incidents

The importance of Software Bills of Materials (SBOMs) has been underscored by two significant cybersecurity incidents. In August 2021, ONEKEY’s advisory highlighted severe vulnerabilities in Realtek’s SDK, affecting a wide range of IoT devices numbering in the hundreds of thousands. These vulnerabilities, stemming from lax security practices, continue to persist in many customer premise products, as Palo Alto revealed in early 2023. This underscores the urgent need for SBOMs, which provide transparency and accountability in software production and distribution. SBOMs play a pivotal role in identifying and rectifying vulnerabilities before they reach end users, fortifying the security of IoT ecosystems.

Another incident occurred in November 2021, when Chen Zhaojun, a security analyst at Alibaba Cloud Services, reported a critical vulnerability in the widely used Java logging library Log4j to the Apache Software Foundation. This vulnerability, known as Log4Shell (CVE-2021-44228), triggered a global crisis. Despite prompt fixes being released after Apache’s public announcement, Log4Shell was swiftly and extensively exploited. IT organizations struggled to determine whether their suppliers had incorporated Log4j into their products, which impeded mitigation efforts. Software vendors were inundated with inquiries and had to search for Log4j in their own products while rushing to release successive fixes. In many cases, they had to rely on their suppliers for patches from upstream sources. Consequently, numerous organizations remained unaware of the danger and took no action.

These incidents highlighted two crucial lessons: accidental vulnerabilities can have devastating consequences comparable to supply chain attacks, and managing exposure to both types of risks is challenging in modern extended software supply chains.

VULNERABILITIES COULD BE WEAPONIZED

Additionally, these incidents raised concerns about the potential misuse of vulnerabilities if disclosures were not made publicly: Log4Shell could have been covertly weaponized had it been disclosed exclusively to the Chinese authorities, as a recent Chinese law mandates. The repercussions of these events have drawn the attention of regulators to the critical nature of software supply chains.

RE-USING COMPONENTS HAS INCREASED PRODUCTIVITY

The pervasive challenges of software component integration in modern development

In modern software development practices, there is a strong emphasis on integrating existing software components rather than starting from scratch. This approach involves combining a smaller amount of new code with numerous pre-existing components, including proprietary and open-source libraries and services. The ability to reuse these software components has greatly advanced the abstraction, sharing, and consumption of such components, resulting in significant improvements in developer productivity.

The IoT revolution has effectively capitalized on the availability of highly reusable embedded and cloud software platforms. These platforms integrate solutions for various design challenges at a low cost, enabling the widespread adoption of connected embedded systems.

Many of these systems utilize an “IoT OS,” or embedded OS, often in the form of reference code from the microcontroller vendor, along with additional imported code such as peripheral drivers, board support packages, and application-specific libraries. In numerous cases, this imported code comprises the majority of the overall codebase, ranging from 90% to 99%. This approach has substantially reduced the costs associated with IoT/OT device development.

Importing software components has become such a commonplace and effortless practice that many projects incorporate them without much consideration, even though these components often come with numerous dependencies of their own. Anything that aids project advancement is readily adopted. However, as this practice has become more prevalent, three significant problems have emerged.

First, organizations that heavily rely on externally developed components surrender control over the quality and security of their own software. While they may implement cutting-edge quality techniques in their own projects, they have limited influence over the actions of their suppliers.

Furthermore, they may have limited visibility into the entire supply chain beyond their immediate suppliers.

The second challenge lies in keeping up with issues and security updates across a diverse range of externally maintained components. Software vendors must promptly assess and address security notifications related to these components, as any vulnerability can expose customers to attacks. However, managing this task effectively is notoriously difficult. Even organizations that excel in this area depend on their suppliers doing the same.

The third challenge arises when utilizing externally developed software that is provided under multiple copyright licenses. It is easy to lose track of the cumulative terms associated with these licenses and inadvertently become non-compliant.

Although not directly related to cybersecurity, non-compliance poses a risk of disruption due to potential litigation by copyright holders. As a result, corporate legal departments have begun to pay attention to this issue.

While the integration of software components offers benefits in terms of productivity and cost savings, it also presents notable challenges in ensuring quality, security, and compliance throughout the supply chain. Addressing these challenges requires organizations to prioritize software supply chain management, implement robust security practices, and establish effective communication and collaboration with suppliers.

Understanding the role and challenges of SBOMs in supply chain risk management

While Software Bills of Materials (SBOMs) have gained significant attention, it’s essential to recognize that they are not a standalone solution for supply chain risks. Instead, SBOMs enable effective solutions by providing a comprehensive list of software components.

Cybersecurity tools, processes, and policies become more impactful and less prone to blind spots when applied systematically against a diligently maintained SBOM. Therefore, the focus should be on implementing the broader set of solutions rather than solely relying on SBOMs.

It is crucial to appreciate that generating a usable SBOM is more challenging than it may seem. A well-designed SBOM needs to identify software components universally and unambiguously. It should include additional information such as dependency relationships, maintainers, and licenses, all in a standardized and widely shareable format.

Moreover, it should strive for completeness across all types of components and be continuously updated to reflect changes in the software it documents. Ideally, each software component should document its own dependencies, so that a complete SBOM for the product can be assembled by composing the SBOMs of its parts.
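The following is an added example, not code from the whitepaper or from ONEKEY's platform, showing what the properties described above (and the update-tracking and license challenges discussed earlier) look like in practice on a CycloneDX-shaped SBOM. The firmware, its components, the dependency graph and the advisory feed are constructed sample data; the single advisory mirrors the Log4Shell CVE mentioned in the text and records only its initial fixed version, whereas real feeds express full affected ranges. Package URLs (purl) give every component an identity that is the same no matter which supplier wrote the SBOM, the "dependencies" section lets a PSIRT trace which supplier's component dragged a vulnerable library in, and the license roll-up yields the cumulative terms a legal review has to satisfy.

```python
"""Minimal CycloneDX-style SBOM handling: unambiguous component identity via
purl, dependency relationships, license roll-up and vulnerability matching.
Added example with constructed sample data (not ONEKEY output, not a real
product); the one advisory mirrors CVE-2021-44228 with only its initial
fixed version recorded.
"""
import json
import re

FW = "pkg:generic/acme/gateway-fw@3.2.0"            # constructed firmware
AGENT = "pkg:generic/acme/telemetry-agent@1.0.0"    # constructed vendor library
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
BUSYBOX = "pkg:generic/busybox@1.36.1"

# Constructed SBOM in the CycloneDX JSON shape (subset of fields). Each
# component carries a purl so every party in the supply chain names the same
# library the same way; the bom-ref reuses the purl for simplicity.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "firmware", "name": "gateway-fw",
                               "version": "3.2.0", "bom-ref": FW}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1", "purl": LOG4J,
         "bom-ref": LOG4J, "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "telemetry-agent", "version": "1.0.0",
         "purl": AGENT, "bom-ref": AGENT,
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "application", "name": "busybox", "version": "1.36.1",
         "purl": BUSYBOX, "bom-ref": BUSYBOX,
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
    ],
    # The firmware pulls in the agent and busybox directly; log4j-core only
    # arrives transitively through the vendor's agent.
    "dependencies": [
        {"ref": FW, "dependsOn": [AGENT, BUSYBOX]},
        {"ref": AGENT, "dependsOn": [LOG4J]},
        {"ref": LOG4J, "dependsOn": []},
        {"ref": BUSYBOX, "dependsOn": []},
    ],
}

# Constructed advisory feed: version-less package identity plus the first
# version that carries the fix (simplified; real feeds carry full ranges).
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.15.0"},
]


def parse_version(v):
    """Numeric tuple for ordering ('2.14.1' -> (2, 14, 1)). Pre-release tags
    such as '-beta9' are reduced to their digits, which is enough here."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_affected(version, fixed_in):
    """True when the installed version predates the fix."""
    return parse_version(version) < parse_version(fixed_in)


def dependency_paths(sbom, target_ref):
    """All paths from the top-level product to target_ref along the
    'dependencies' graph: which supplier must ship the upstream fix."""
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    found = []

    def walk(node, path):
        if node == target_ref:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:          # guard against cycles in the graph
                walk(child, path + [child])

    walk(root, [root])
    return found


def find_affected(sbom, advisories):
    """Match every component's version-less purl against the advisory feed
    and attach the dependency paths that explain how it got into the product."""
    hits = []
    for comp in sbom["components"]:
        package = comp["purl"].rsplit("@", 1)[0]
        for adv in advisories:
            if adv["package"] == package and is_affected(comp["version"], adv["fixed_in"]):
                hits.append({"id": adv["id"], "ref": comp["bom-ref"],
                             "paths": dependency_paths(sbom, comp["bom-ref"])})
    return hits


def license_rollup(sbom):
    """Cumulative license set of the product, regardless of how deep each
    component sits in the dependency graph."""
    return {lic["license"]["id"]
            for c in sbom["components"] for lic in c.get("licenses", [])}


if __name__ == "__main__":
    print(json.dumps(find_affected(SBOM, ADVISORIES), indent=2))
    print(sorted(license_rollup(SBOM)))
```

Running the block reports the log4j-core hit together with the path gateway-fw -> telemetry-agent -> log4j-core, which is exactly the information that was missing during Log4Shell: the product owner learns not just that the library is present but that the fix has to come through the telemetry-agent supplier. Without the "dependencies" section, the match would still fire but the ownership question would remain open.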

It’s worth noting that SBOMs are not entirely new. Many maintainers of IoT/OT libraries and devices already employ some form of software inventory to address these challenges or build their applications.

Furthermore, several vendors possess the capability to automatically generate reasonably high-quality SBOMs, even if they are not currently utilizing it. What is novel is the growing interest, driven by regulatory initiatives, in elevating supply chain security. This includes the standardization and communication of SBOMs throughout supply chains, along with heightened expectations for their effective utilization.

In the following sections, we will outline the essential components and main standards for SBOMs. We will also discuss how IoT/OT vendors should generate and share SBOMs, as well as how all stakeholders in the IoT/OT supply chain can utilize SBOMs effectively to mitigate cyber risks for IoT/OT operators.

The ONEKEY Product Cybersecurity & Compliance Platform (PCCP) enables manufacturers to automate their product security management from design to end-of-life, throughout the entire product lifecycle:

ONEKEY’s unique & proprietary binary extraction technology enables a deeper & more precise analysis of the binary firmware image without the need for source code. ONEKEY automatically generates a detailed SBOM, including software dependencies at all levels of the firmware.

Next, based on artificial intelligence and machine learning, ONEKEY uses a natural language processing (NLP) approach to determine whether there are publicly known vulnerabilities affecting this software version. In addition, ONEKEY’s AI/ML-based approach automatically analyses the preconditions for exploitability of the vulnerabilities. In an integrated, automated impact assessment, the target device is analyzed to check whether the prerequisites for exploitability are met, filtering out non-relevant vulnerabilities. This unique approach shortens response times by significantly reducing manual impact assessment and allowing development & Product Security Incident Response Teams (PSIRT) to focus on the truly relevant vulnerabilities.

The ONEKEY Product Cybersecurity & Compliance Platform (PCCP) provides SBOMs on the fly, ready for export in CycloneDX or other formats.

ONEKEY can generate an SBOM directly from a binary firmware image. The SBOM can be exported both in machine-readable (CycloneDX, SPDX) and human-readable formats (CSV, Excel) to make it available to other systems, end users, and regulatory bodies. ONEKEY‘s firmware monitoring analyses the target product daily for new zero-day vulnerabilities or known vulnerabilities and performs automatic AI/ML-based impact assessments for all identified vulnerabilities. This enables manufacturers to react to new vulnerabilities in the shortest possible time and to create and distribute security patches.

Analysis and monitoring for automated security due diligence of third-party components: simply set up ONEKEY as a quality gate for any third-party component or product.
