Latest news with #SoftwareBillsofMaterials
Yahoo
30-04-2025
- Business
- Yahoo
The Pentagon must balance speed with safety as it modernizes software
The Department of Defense is at grave risk of being caught flat-footed by the next software vulnerability. When an adversary discovers it, the Pentagon may not know which systems are exposed until substantial damage has been done. This blind spot is dangerous. The Pentagon needs to balance expediting its software acquisition process with a better system for gauging prospective vulnerabilities and mitigating harm in the event of an attack. DOD understands the need for software modernization and is taking steps to improve both its development and procurement methods. A recent directive designates the Software Acquisition Pathway (SWP) as the primary process for creating both weapons and business systems. This necessary evolution marks a shift from lengthy, hardware-focused timelines to a faster and more flexible software-centric model. SWP streamlines development and emphasizes speed by allowing programs to share and repurpose software test results. While speed is important, this new approach also magnifies potential vulnerabilities: If a flaw goes undetected in one project or only comes to light after initial testing, there may be no subsequent security tests to identify it. This creates a critical visibility problem. Software is constantly changing. A system that passed security tests last month could be vulnerable today because of a newly discovered flaw in one of its dependencies. Without a clear record of what is inside each software package, there is no reliable way to assess whether existing test results still apply. To remedy these challenges, the Pentagon should require Software Bills of Materials (SBOMs) for all software it acquires and manages. SBOMs will prepare the Pentagon to quickly respond and mitigate software flaws that adversaries exploit to conduct espionage and disruptive cyberattacks. They should be complemented by Vulnerability Disclosure Reports (VDRs) from software's original producers and a centralized system to track and share this information across the DOD enterprise. SBOMs are digital manifests that list the ingredients of a software package — every component, version, and dependency. They give cybersecurity teams the context necessary to act quickly when a vulnerability emerges. Requiring SBOMs will enable the Pentagon to trace threats and pinpoint risk in minutes rather than hours or days. The benefits are not hypothetical. When the Log4Shell vulnerability hit in 2021, organizations with SBOMs immediately identified their exposure to the compromised Log4j library. Entities without them scrambled, manually combing through codebases and vendor lists. That sort of delay is not just inefficient in a defense setting — it is a catastrophe. Other countries recognize this as well. India, for example, has explicitly endorsed SBOM requirements in public sector procurement, while the British government has publicly acknowledged the benefits of SBOMs for tracing vulnerabilities in cyber components. Although SBOMs provide transparency into a product's components, they do not fully demonstrate whether a given vulnerability is exploitable. That is why the Pentagon should complement SBOMs with VDRs from the product's original developers to make that determination. When researchers discover vulnerabilities in component pieces of software, only the producer has the expertise to confirm whether the vulnerability affects their product. Similar to how a thorough home inspection reveals potential hazards or a Carfax report tracks issues with cars, a VDR is a dynamic document that details known weaknesses or issues with a software product. As a result, a VDR is just as essential to effective software risk assessment as an SBOM. Furthermore, SBOMs and VDRs save time and money. They reduce redundant testing, speed up incident response, and help acquisition teams verify that what they procure is safe. The up-front cost of implementation is small compared to the damage a breach could cause, not just in dollars but in mission impact. DOD policy already supports the principles behind SBOMs and VDRs. The SWP encourages continuous testing and automated security checks. Executive Order 14028 directs federal agencies to enhance software supply chain security and allows them to request SBOMs from vendors, particularly for critical software, as part of broader secure development and procurement practices. Guidance from the Office of Management and Budget states software suppliers must ensure no known exploitable vulnerabilities are present in software released to the market, a requirement echoed in the EU Cyber Resilience Act and CISA's Secure Software Attestation Form. The DOD Cybersecurity Test and Evaluation Guidebook, the Army's 2024 directive on software transparency and guidance from the National Institute of Standards and Technology reinforce this direction. The foundation is there, but the recommendations outlined here need to be put into practice. To do that effectively, the Pentagon also needs a plan to manage the information it gleans from SBOMs and VDRs. If each DOD office or military unit stores these artifacts in separate systems, the visibility problem will not disappear. Instead, DOD needs a centralized repository, a common platform where teams across the department can access SBOMs, VDRs and other attestations to inform decisions, track risks and avoid duplication. That capability already exists. CISA's Repository for Software Attestations and Artifacts (RSAA) portal provides centralized, secure storage for SBOMs and related artifacts, including VDRs, accessible to all U.S. government agencies. Leveraging RSAA as a government-wide resource requires no new infrastructure or cost, and it can serve as the backbone for software transparency efforts moving forward. Speed is critical. Speed without insight and security is a gamble. As the Pentagon races to modernize its software acquisition, it must do so with a clear knowledge of what it is operating. The solutions proposed here are easily implementable, cost-effective and will advance a secure supply chain worthy of the missions it supports. Dr. Georgianna 'George' Shea is chief technologist at the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab. She is at the forefront of cybersecurity innovation with nearly 30 years of pioneering experience across federal and commercial sectors.
Forbes
29-04-2025
- Business
- Forbes
SBOMs (as well as HBOMs and CBOMs) as Cybersecurity Facilitators
Cyber security, information privacy and data protection concept on server room background. Software Bills of Materials (SBOMs) are crucial cybersecurity tools because they assist companies in locating, evaluating, and reducing software risks. They allow software updates and vulnerabilities to be tracked over the course of a product's lifecycle. Modern software is created using code fragments and methods from various sources, including open source and commercial solutions. The software components and dependencies of an application are detailed in a tool known as a Software Bill of Materials (SBOM) (NTIA, 2021). An SBOM is essential for managing and understanding the complexities of contemporary software supply chains and can be compared to an ingredient list on a food product label. A software package and its contents are uniquely identified by an SBOM, which is formal, machine-readable metadata that may also contain information on the software package's contents, such as copyrights and license information. The increasing complexity of modern software and its vulnerability to programming errors and hacks give rise to serious security dangers and compatibility issues. Additionally, cyberthreats are continually finding ways of evolving, becoming more complicated, and multiplying due to the use of artificial intelligence and the quick acceleration of development velocity. It becomes more difficult to identify and address security vulnerabilities when we are looking not only at our codebase but also at the 70–80% open-source software that we depend on, as well as third-party software components from other vendors. However, a few tools can assist in handling the data protection work. Recent high-profile events highlight the need for SBOMs in cybersecurity. A programming flaw in the CrowdStrike software, for instance, affected more than 8.5 million Windows computers globally, resulting in billions of dollars' worth of losses. The well-known Linux data compression program XZ Utils was found to contain a backdoor as part of a sophisticated state actor attack around the beginning of 2024. 93% of cloud settings were vulnerable to the zero-day Log4Shell vulnerability in 2021. In the SUNBURST assault, which FireEye discovered in December 2020, harmful code was embedded into SolarWinds' Orion software. According to Allan Friedman, CISA Senior Advisor and Strategist. 'A thriving ecosystem for SBOM tools and solutions will be key to shaping a more transparent software-driven world.' He notes that 'Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently. The government-wide push to integrate cybersecurity into products supplied to the government and transfer responsibility for cybersecurity from agencies to vendors and integrators is reflected in this emphasis on SBOMs. By February 2025, almost all new software that the Army purchases or develops will need to have an SBOM. In order to obtain assurances regarding supply-chain security, the Army opted for an SBOM approach rather than self-attestations. This is because SBOMs offer essential information regarding the risks that systems may pose to a network and can assist in organizing an organization to minimize those risks as much as possible. 3D illustration of the text zero trust over black background with padlock shapes in relief. Concept ... More of network security. SBOMs play a significant role in cybersecurity and align with 'Zero-Trust' policies in both the private and public sectors. Dmitry Raidman. Chief Technology Officer and Co-founder of Cybeats, states, 'One significant advantage of a verified SBOM is its application in cybersecurity and risk mitigation for the downstream customers, for example, a power distribution plant, hospital, or water treatment facility. Industry studies indicate that the average codebase contains 70-80%, and in some cases over 90% open-source software components, many of which have at least one vulnerability, and some of them are highly exploitable, like Log4j. Therefore, understanding and continuously monitoring code components and their vulnerabilities is essential.' He points out that companies that collect from vendors SBOMs and invest in solutions to process and monitor the vulnerability lifecycle management of their assets will be better prepared to deal with cybersecurity challenges in the future and ensure the safety, security, and resilience of their critical systems and infrastructure. SBOMs can help businesses track vulnerabilities in real time and maintain an accurate software inventory. Continuous security requires ongoing Vulnerability Lifecycle Monitoring. In order to detect and address known vulnerabilities and not just rely on security advisories published by vendors, where it is to the vendor's discretion what vulnerability to disclose, an SBOM can offer transparency into the precise software versions being used and allow complete understanding of the threat landscape. Additionally, it facilitates the management and quantification of commercial software licenses. Organizations can compare SBOM data with databases like NIST NVD and CISA KEV to find and prioritize affected systems when new CVEs are found and also record their findings if the vulnerability doesn't pose a risk in their operations and environment. To help evaluate SBOM component information against different threat signatures and patterns, the National Security Agency (NSA) supports the use of AI/ML engines and related "data lakes." A crucial component of efficient SBOM management is vulnerability tracking and analysis, which entails delivering daily updates from the National Vulnerability Database (NVD) and additional vulnerability data sources. SBOMs are crucial for Incident Response and Threat Intelligence. They help security teams quickly identify compromised components in apps and determine available mitigation options and vendor updates during a cyber incident. A major cause of breaches is vulnerabilities based on the Verizon 2025 DBIR Report. There is a 34% increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches, compared to 2024. The bling spot of awareness and a patching strategy is a significant factor affecting these numbers. Risk-Based Patch Management suggests that not every vulnerability needs immediate fixing. Teams can prioritize threats by combining SBOMs with Vulnerability Threat Intelligence (VTI), particularly if there's a known exploit for mitigating vulnerability. Compliance and regulation concept. Enforcement of laws, regulations, and standards, requirements, ... More internal policies and procedures. Minimize legal and financial risks, protect corporate reputation. GRC, SBOMs assist in ensuring compliance and regulatory readiness throughout the procurement lifecycle and can help to avoid buying non maintained and non-secure product. Organizations are required to demonstrate that they monitor and manage risk throughout their software supply chain lifecycle in accordance with new government regulations regarding safe software development. SBOMs provide documentation for compliance with FDA, NIST, PCI DSS, PCI SSF, EU CRA, RED, ETSI EN 303 645, BSI TR-03183, EO 14028, as well as the upcoming US DoD procurement requirements. A "software bill of materials" (SBOM) has become a crucial component of software security and software supply chain risk management, according to CISA. As businesses rely more on third-party components and complex systems, software supply chain security has become a top responsibility. Vulnerability management must be implemented throughout the software lifecycle, from design to deployment and operations, to handle the entire range of security threats. This all-encompassing strategy, sometimes referred to as "shifting left and even more important shifting right, guarantees that vulnerabilities are consistently recognized, evaluated, and reduced. In 2019, the medical technology sector launched a proof of concept to assess SBOMs' ability to manage operational and cyber risks in medical devices. Device makers (MDM) and healthcare (HDO) providers demonstrated the feasibility of SBOMs by producing, exchanging, and applying data to improve security procedures. In 2025, with a growing digital risk landscape, all industries must utilize SBOMs to help enable better cybersecurity and transparency into software based products they build and the ones they consume. It does not end with software. As teams embed AI models and language pipelines across their products, an Artificial Intelligence Software Bill of Materials (AI SBOM) becomes essential. An AI SBOM lists every model file, training dataset, agent, and external inference service, giving product security teams the same clear inventory they expect from a traditional SBOM, down to the last line of code. Dmitry Raidman explains that an AI SBOM provides 'an X ray view of the intelligent functionality,' allowing teams to know exactly what is running in production, how it was trained, and what they are receiving from vendors or delivering to customers. A Hardware Bill of Materials (HBOM) performs the same role for physical components. It maps every chip, board, sensor, and firmware version so security and procurement teams can detect counterfeit parts and unvetted substitutions before they reach production. A long-planned pager hardware supply chain attack reported in Lebanon underscored why HBOM transparency and validation matter; altered pagers were covertly introduced and later exploited, showing how a single tampered device can become a beachhead for wider compromise when hardware provenance is unclear. A Cryptography Bill of Materials, CBOM, catalogs every algorithm, protocol, library, and certificate in your products, giving security teams a clear map of where cryptography lives. With quantum safe standards such as CRYSTALS Dilithium on the horizon, you must know exactly where RSA 2048-bit or ECC P-256 still protect data so you can schedule timely upgrades to post quantum cryptography. Dmitry Raidman sums it up: 'A CBOM is your migration roadmap. When quantum capable attackers will be on the horizon you cannot replace vulnerable ciphers, you do not even know you have.' SBOMs, HBOMs, and CBOMs will be crucial for risk management in our digital environment in the future. Even though the 'BOM' adoption cycle is still in its early phases, more transparency and accountability about hardware security, software security, and optimization will benefit both the public and private sectors.
