Why your organization needs a software bill of materials


The recent Log4j vulnerabilities have exposed systemic problems in how businesses, and most software communities, audit their software.

Early indications are that the Log4j vulnerability was being exploited in the wild days before news of its existence broke. Organizations needed to take immediate action to find every instance of the vulnerable library among their linked dependencies, but most did not have a clear idea of where such instances existed in their systems. Google’s own research shows that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies, but only about a fifth of that group declare it as a direct dependency. This means that approximately 28,000 packages on Maven Central were affected by these bugs without ever declaring or using Log4j directly.

Finding every instance of a vulnerable dependency and confirming that patches have been applied can be a daunting task, even for software that you fully control and develop in-house. It is harder still for software supplied by your vendors. Often, those vendors have only a vague idea of their own dependencies.

Like any other IT asset, such as a server, laptop, or installed application, your software and its dependencies (both direct and transitive) must be inventoried; an accurate inventory is arguably the most basic security control you can apply. Businesses can’t secure what they don’t know about. How do companies begin to handle the growing complexity of their dependencies? By auditing and automating dependency graphs, starting with direct dependencies and extending to transitive ones, a practice often referred to as producing a software bill of materials (SBOM).

Setting aside the subtleties of the debate over what an SBOM should and should not contain, for the purposes of this article we will informally refer to an SBOM as a manifest of all components and libraries packaged with an application, along with their licenses. This includes tools and linked libraries. If you are distributing a Docker image, it should also include a list of all installed packages.

Getting serious about your software supply chain

Unfortunately, the ecosystem for creating these dependency maps often suffers from a lack of adequate tooling. While the tools available for analyzing dependencies for vulnerabilities are rapidly evolving and improving, the domain is still in its infancy. Snyk, Anchore and other tools provide excellent visibility into your application’s dependencies, but only some languages provide even basic tooling for creating comprehensive dependency maps. For example, let’s look at an older language (Java) and a newer one (Go), both of which have had the time and experience to develop a modern package ecosystem.

In Java, developers can use tools like jdeps (introduced in JDK 8) or the Maven Dependency Analyzer, while Go, despite its sophistication, struggled from the beginning to create its own dependency management story; third-party tools such as Dep (now deprecated and archived) filled the gap before Go finally settled on its own module system. In both cases, calculating direct dependencies is usually easy, but a complete and comprehensive list of direct and transitive dependencies can be challenging to generate without additional tooling.

For those who maintain open source, Google has launched a very useful project called Open Source Insights for auditing projects hosted on npm, PyPI, GitHub, or similar locations. Significant work and research is already being done in this area, but it is clear that more needs to be done.

While it is crucial that applications be audited for their dependencies and vulnerabilities, this is just the beginning of the story. Just as an asset inventory can only tell you what exists, an SBOM is only a manifest of packages and dependencies. Those dependencies must then be audited for their respective health so that vulnerabilities can be flagged. A dependency, for example, may never have been reported to the National Institute of Standards and Technology (NIST) and may never have been assigned a Common Vulnerabilities and Exposures (CVE) identifier, for any number of reasons, whether because the project was abandoned or because it is an entirely internal product. Other reasons a vulnerability may go unreported include ownership or maintenance of a library being transferred to a bad actor, bad actors intentionally modifying a release, old and vulnerable packages in the Docker container running the app, and/or hosts running an old kernel with known CVEs.

Security leaders at an organization are responsible for studying and thinking deeply about the software supply chain issues that could affect their products or business, and this all begins with compiling an accurate list of dependencies in an SBOM.

Generating an SBOM

Generating an SBOM can be a technical challenge in its own right, but remember that organizations are made up of people and processes. It is important to understand and promote the need for such work in order to get buy-in. As mentioned above, security leaders in organizations should start by creating an inventory of all their in-house software, containers, and third-party vendor packages or applications. Once this first level of inventory is complete, the next step is to determine the direct dependencies and, finally, the transitive dependencies. This process should be treated like any other discovery process, such as event logging or asset inventory.

When promoting SBOM in your organization, consider the following benefits:

  1. A complete, up-to-date and accurate inventory of your software dependencies dramatically reduces the time to remedy when vulnerabilities are discovered in packages such as Log4j.

  2. A manifest generated during the CI/CD process also provides instant feedback on new dependencies and, by applying policies at build time, can prevent new, vulnerable components from being incorporated into your software.

  3. It is often said that what gets measured improves. Keeping track of your dependencies promotes hygiene by eliminating unnecessary dependencies and removing outdated ones.

  4. It promotes uniformity in software versioning, saving both time and money for engineering and security teams.

  5. According to the White House, this will soon become a requirement for many organizations.
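To make the discovery step and the build-time policy concrete, here is an added example (not from the article or from any tool it names) that loads a small, constructed CycloneDX-style SBOM, follows the dependency graph from the application's direct dependencies down through transitive ones, and reports every path that reaches a component matching a deny policy, so a vulnerable library pulled in indirectly is found even though nothing declares it directly. The component names, versions and the log4j-core version threshold are constructed placeholders; real affected ranges come from the relevant advisories.

```python
import json

# Constructed CycloneDX-style SBOM: the field layout follows CycloneDX JSON,
# but every component, version and edge below is invented for this example.
SAMPLE_SBOM = json.dumps({
    "metadata": {"component": {"bom-ref": "app", "name": "orders-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/web-framework@3.1.0", "group": "com.example", "name": "web-framework", "version": "3.1.0"},
        {"bom-ref": "pkg:maven/com.example/logging-bridge@1.4.2", "group": "com.example", "name": "logging-bridge", "version": "1.4.2"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/json-util@2.0.0", "group": "com.example", "name": "json-util", "version": "2.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/web-framework@3.1.0", "pkg:maven/com.example/json-util@2.0.0"]},
        {"ref": "pkg:maven/com.example/web-framework@3.1.0", "dependsOn": ["pkg:maven/com.example/logging-bridge@1.4.2"]},
        {"ref": "pkg:maven/com.example/logging-bridge@1.4.2", "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/com.example/json-util@2.0.0", "dependsOn": []},
    ],
})

# Build-time deny policy: (group, name, first version treated as fixed).
# The threshold is a constructed placeholder, not a statement about real advisories.
DENY_POLICY = [("org.apache.logging.log4j", "log4j-core", "2.17.0")]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def find_vulnerable_paths(sbom_json, policy):
    """Return every dependency path root -> ... -> denied component as a list of bom-refs,
    so direct and transitive hits are both visible with the chain that introduced them."""
    sbom = json.loads(sbom_json)
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]

    def denied(ref):
        c = by_ref.get(ref)
        return c is not None and any(
            c.get("group") == g and c["name"] == n and parse_version(c["version"]) < parse_version(fixed)
            for g, n, fixed in policy)

    hits = []
    def walk(ref, path):
        if denied(ref):
            hits.append(path)
        for child in edges.get(ref, []):
            if child not in path:  # guard against cycles in the dependency graph
                walk(child, path + [child])
    walk(root, [root])
    return hits
```

A CI gate can fail the build whenever find_vulnerable_paths returns a non-empty list, and the returned path tells engineers which direct dependency to upgrade or replace.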

As the complexity of our software stacks continues to grow, and they become increasingly attractive targets for supply chain attackers, techniques and tools such as dependency management and SBOMs should become an essential part of our overall security strategy. Security leaders are responsible for delivering the benefits of these tools to their organizations.

Brian Briggs is the director of DevOps and cybersecurity at Hypergiant.

