A recent article on Forbes, linked below, lists five security trends that are likely to be important in 2024. Of course, AI-related security topics top the list. But let us look closer at another topic, the use of Software Bills of Materials (SBOMs) for improving security.
Supply chains are as applicable to software development as they are to the retail and manufacturing industries. Software products are often composed of multitudes of software libraries and other components. In open-source software development, it is typical for programs to make use of other open-source libraries even for small bits of functionality, both to save development time and effort, and to avoid duplication of the work that could be provided by others. The responsibility of developing the code for specific functionality becomes shifted to third parties who hopefully have expertise in their domain. This code, by virtue of being open-source, will perhaps be used by many other developers who will find and fix or report any bugs or issues they may encounter, thus (hopefully) improving the quality of these libraries.
When a program uses, let’s say, 10 libraries, with each in turn using another 10 additional libraries, there could be hundreds or even thousands of third-party libraries that end up being used by this program. Development and software build tools are designed to track library dependencies and pull in any required component during the build process. The program and all these components together form the Software Bill of Materials (SBOM). The origins of the elements of the SBOM and how they are pulled together is the software supply chain of the program. It can be difficult to ascertain that every single component of a program, which may come from any perhaps unknown third-party, is secure. But there are tools to help track software origins, versions, known vulnerabilities, required patches, and so on, of the elements of SBOMs that provide some level of assurance about the integrity of the software supply chain.
And there are also rules and regulations that give impetus to making sure that the software supply chain is secure. A good example is President Biden’s executive order 14028, which requires federal agencies to enhance the integrity of their software supply chains. Software vendors of the federal government receive more scrutiny of their software supply chains and must provide SBOMs.
A key element for enhancing the integrity of the software supply chain should be the adoption of a governance program that sets processes, rules, and feedback mechanisms for the software supply chain.
