SBOM, anyone?

The ability for an organization to generate a complete bill-of-material during continuous integration is one of many maturity indicators. BOMs are increasingly required for various compliance, regulatory, legal, or economic reasons.

(Dependency Track, Best Practices)

Introduction

In May 2021 President of the USA Joe Biden has issued the Executive Order 14028 on “Improving the Nation’s Cybersecurity”. The document makes several demands on federal agencies concerning the implementation of Cybersecurity and identifies the security and integrity of the software supply chain as one vital claim. But, why would a German university library be interested in proposals made by the POTUS?

On December 16, 2021, the Bundesamt für Sicherheit in der Informationstechnik upgraded its assessment of the Log4Shell threat to the highest possible level. Although CVE-2021-44228 was already disclosed on December 10, the update of software systems took a huge amount of effort and time, also at the SUB Göttingen.

With a Software Bill of Materials, the identification of vulnerable components, the assessment of risks, and the application of upgrades and patches could have been accelerated substantially.

What is a Software Bill of Materials (SBOM)?

An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. These inventories should be comprehensive – or should explicitly state where they could not be. SBOMs may include open source or proprietary software and can be widely available or access-restricted.

(National Telecommunications and Information Administration, SBOM at a Glance)

Introduction of a Dependency Tracking Service

Forschung und Entwicklung now maintains an instance of Dependency Track for the use within the SUB. This service has not yet formally been announced but is in a production environment and ready for ingest of your data. The login is secured by the GWDG Academic Cloud SSO and requires the assignment of specific rights to access the portfolio.

Dependency Track is currently the only available FLOSS platform for maintaining an inventory of SBOMs and allows for a continuous assessment of security risks in the dependencies of software applications.

It can benefit people who produce, choose, or operate software and could be for a great use within the SUB if adopted throughout the departments who are in any way concerned with software.

Getting Started (for software developers)

1. Log in to the platform and contact an administrator to get the required permissions.
2. Start reading the Dependency Track Documentation on Usage.
3. Generate your first SBOM with one of the various tools and inspect it thoroughly.
4. Upload your SBOM to Dependency Track and get yourself familiar with the platform.
5. Gradually integrate SBOM generation and upload into the CI/CD workflow of all your software projects.

Prospects

Providing an inventory of software components and dependencies enables the organisation to

• create awareness of supply chain security risks,
• implement Software Composition Analysis,
• enforce policies on licenses and security,
• deliver supply chain artifacts to external stakeholders,
• build the ground for an OpenChain assessment and/or certification,

and a lot more.

Further Reads

• Steve Springett: Component Analysis
• CycloneDX Specification Overview
• Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
• Stephen Hendrick: Software Bill of Materials (SBOM) and Cybersecurity Readiness
• Software Bill of Materials