April 2, 2024

Software Bill of Materials (SBOMs) have been a hot ticket even before they were listed as a key initiative for secure software development practices in the National Cybersecurity Strategy of 2023. I started to track SBOM progress when I heard a presentation by Alan Friedman, one of the early evangelists, who was at NTIA at the time and is now at CISA in the same role. I remember how difficult it was in the past to track the provenance of software and where certain components (especially open source) were included in different products. This bill of materials information comes in handy when you are tracking down vulnerability and license information. There are and were four key SBOM standards (SWID, SPDX, CycloneDX, CPE) at the time, and NTIA was working to rationalize the SBOM standards to determine a minimum set for interoperability across the software life cycle. SBOMs are still evolving, so my attention was increased a bit at a recent conference when I heard Professor Jean Camp discuss some of the key issues that her research had uncovered on SBOMs. So please check out the interview below as Professor Camp outlines some of the key elements of SBOMs and how they are evolving.

Spotlight on Professor Jean Camp

» Title: Professor of Informatics & Computer Science. Center Director, Security & Privacy in Informatics, Computing, & Engineering at Indiana University (SPICE).

» Website: usablesecurity.net/ (Economics of Infosec & Privacy)

» LinkedIn: https://www.linkedin.com/in/ljean

Read her bio below.

Chris Daly, Active Cyber™: What is an SBOM and what benefits can it provide?

Professor Jean Camp, Indiana University: An SBOM is a software bill of materials that is composed of all the dependent code used in developing the final piece of software. It has been described as an “ingredient list” for connected systems. This transparency into the supply chain increases the security of the ecosystem. It allows users to more quickly identify third-party vulnerabilities that may exist and take the appropriate steps to manage them. Additionally, it helps users assess current risk profiles based on the makeup of the component software, which may influence the initial use of the software.

Active Cyber™: How do you identify and access an SBOM and analyze if a vulnerability is related to it?

Professor Camp: In the US, SBOMs are becoming mandatory in order to conduct business with some federal agencies. There are three primary SBOM standards (i.e., CycloneDX, SWID, and SPDX). Though the output according to each standard is still machine-readable code, having three SBOM standards makes identification of vulnerabilities a bit more difficult. There are complementary efforts to map SBOMs to risks, like the Vulnerability Exchange (VEX), and these will develop along with SBOM.

Active Cyber™: What do you believe are other essential elements beyond the Minimum Elements For a Software Bill of Materials (SBOM) pursuant to Executive Order 14028 as defined by NIST?

Professor Camp: NTIA released the minimum elements of an SBOM, with the understanding that these would be developed over time. Specifically, they mention additional data fields such as the hash of the component and lifecycle phase, other component relationships, license information, etc.

Active Cyber™: Won’t there be differences in SBOMs since the data about software components can be collected at different stages in the software lifecycle, including from the software source, at build time, or after build through a binary analysis tool? How is this handled by the SBOM standards and guidance?

Professor Camp: SBOMs are not static. They are updated to reflect the current components. So depending on the time a user accesses the information, there may be differences in SBOM versions. One of the challenges going forward is ensuring that the SBOM you are using in your decision-making is the correct version or instance.

Active Cyber™: What are some approaches for verifying SBOMs? How do these approaches differ based on the stage of the life cycle of the SBOM being verified?

Professor Camp: Manufacturer attestation will allow consumers to verify the legitimacy of the SBOM. When properly done it ensures the quality and the accuracy.

Active Cyber™: SBOM data is primarily static. That is, it reflects the properties of the specific built software at a point in time. Vulnerability data, meanwhile, is dynamic and evolves over time. Software that was not previously deemed vulnerable may “become” vulnerable as new bugs are discovered. How do you see the relationship between SBOMs and Vulnerability Management evolving?

Professor Camp: The current SBOM program is a start – it is far from the end goal. There definitely needs to be a more proactive approach to software security, and SBOMs and vulnerability management play a role in that. Having more dynamic and visually appealing SBOMs will make them more effective in understanding risks within the supply chain. Integrating with vulnerability feeds will enable automatic updates to SBOMs as new vulnerabilities are discovered, ensuring that users have up-to-date information to assess their risk exposure.

Active Cyber™: How do SBOMs align with modern web applications that are built using agile methods? Are SBOMs impractical in this case to use since modern web applications often have much faster release and update cycles, making direct provisioning and consumption of SBOM data less practical? How are SBOMs being generated for cloud applications where meaningful metadata about the full application stack and third-party services are difficult to ascertain?

Professor Camp: As technologies and development practices continue to develop, so will SBOMs. Needs and technologies may shift the need for certain information, but the underlying value an SBOM provides will still remain. The minimum elements were identified to achieve the goal within the EO. Cloud-based software is leading in SBOM usage with the containers community being ahead of others in building SBOMs.

Active Cyber™: What are some of the integrations with other cyber operations activities that should be considered when employing SBOMs, such as CTI (Cyber Threat Intelligence)? Are you seeing these integrations occurring already in the marketplace?

Professor Camp: As SBOMs become more common, they will play a larger role in cyber operations due to their comprehensive listing of components and dependencies. In addition to facilitating vulnerability assessments and audits, SBOMs offer valuable insights into the organization’s software ecosystem, enabling cybersecurity teams to conduct more specific risk analyses. SBOMs serve as a foundational resource for threat intelligence, allowing organizations to be proactive in threat hunting activities by identifying potential vulnerabilities and weaknesses within their software supply chain.

Active Cyber™: What are the elements of the SBOM ecosystem and how are they related [VEX, CSAF, CVSS, etc.]? How mature is the ecosystem? How are SBOMs being used in the procurement of software? Who are the early adopters?

Professor Camp: As the SBOM matures, so will the ecosystem and the integration into various other tools. Currently, they are still in their infancy. As more organizations become required to use SBOMs, there will be more incentive to make them more usable, which will in turn make them more valuable.

Active Cyber™: How can AI be employed to improve SBOMs?

Professor Camp: Currently SBOM formats are machine readable, and parsing the file is possible but not desirable. AI, as well as more traditional visualizers, can help mitigate this. In addition, the structure of SBOM will allow for customized AI-driven risk analysis.

Professor Camp, thank you so much for this overview of SBOMs, how they are evolving in the market, and some needs for improving standards. I believe it is an interesting area to keep an eye on as adoption grows. I am especially interested to see if China will adopt their own SBOM standards and how this may affect the IoT supply chain. Please keep me informed on your views as this area matures even more.
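As an added illustration of several points raised in the interview (the SBOM as an "ingredient list" of components, the component hash among the minimum elements, a machine-readable format that still has to be parsed, and the mapping of SBOM components to vulnerability feeds and VEX statements), here is example code that is not part of the original post and does not come from Professor Camp's research or from any SBOM tool. It parses a small CycloneDX-style JSON document, verifies SHA-256 hashes against the component bytes that were supposedly delivered, matches components by package URL (purl) against an advisory feed, and then applies VEX-style statements so that only findings whose status is affected or under_investigation are flagged for action. The SBOM, the artifact bytes, the feed entries (the VULN-EXAMPLE-* identifiers are placeholders, not real CVEs) and the VEX statements are all constructed for the example; the feed and VEX record layouts are assumptions, and only the CycloneDX field names and the OpenVEX status vocabulary follow real specifications.

```python
"""Added example: parse a CycloneDX-style SBOM, verify component hashes and
cross-reference an advisory feed with VEX-style statements.

Everything below is constructed for illustration: the SBOM, the component
bytes, the advisory feed (VULN-EXAMPLE-* ids are placeholders, not real CVEs)
and the VEX statements.  Only the CycloneDX JSON field names and the OpenVEX
status vocabulary follow real specifications; the feed/VEX layouts are assumed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed component bytes, as if fetched from a package mirror, keyed by purl.
ARTIFACTS = {
    "pkg:generic/libexample-json@1.4.2": b"libexample-json 1.4.2 (constructed bytes)",
    "pkg:generic/libexample-tls@0.9.0": b"libexample-tls 0.9.0 (constructed bytes)",
}

# Constructed SBOM using CycloneDX JSON field names.  The second component's
# recorded hash belongs to a different build, so verification must flag it;
# the third carries no hash at all, so it cannot be verified.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [
        {"type": "library", "name": "libexample-json", "version": "1.4.2",
         "purl": "pkg:generic/libexample-json@1.4.2",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["pkg:generic/libexample-json@1.4.2"])}]},
        {"type": "library", "name": "libexample-tls", "version": "0.9.0",
         "purl": "pkg:generic/libexample-tls@0.9.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"libexample-tls 0.9.0-rc1 (different build)")}]},
        {"type": "library", "name": "libexample-log", "version": "2.0.1",
         "purl": "pkg:generic/libexample-log@2.0.1"},
    ],
})

# Constructed advisory feed (layout is an assumption): one entry per affected purl.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "purl": "pkg:generic/libexample-tls@0.9.0"},
    {"id": "VULN-EXAMPLE-0002", "purl": "pkg:generic/libexample-json@1.4.2"},
    {"id": "VULN-EXAMPLE-0003", "purl": "pkg:generic/libexample-log@2.0.1"},
]

# Constructed VEX-style statements from the supplier (layout is an assumption;
# status and justification values are the OpenVEX vocabulary).
VEX_STATEMENTS = [
    {"vuln": "VULN-EXAMPLE-0002", "purl": "pkg:generic/libexample-json@1.4.2",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "VULN-EXAMPLE-0003", "purl": "pkg:generic/libexample-log@2.0.1",
     "status": "under_investigation"},
]


@dataclass
class Component:
    name: str
    version: str
    purl: str
    sha256: Optional[str]  # None when the SBOM records no SHA-256 for it


def parse_sbom(text: str) -> list[Component]:
    """Read the components of a CycloneDX JSON document into a flat list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = []
    for c in doc.get("components", []):
        digest = next((h["content"] for h in c.get("hashes", [])
                       if h.get("alg") == "SHA-256"), None)
        comps.append(Component(c["name"], c["version"], c["purl"], digest))
    return comps


def verify_hashes(comps: list[Component], artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map purl -> 'ok' | 'mismatch' | 'unverifiable' (no hash, or no bytes to check)."""
    result = {}
    for c in comps:
        data = artifacts.get(c.purl)
        if c.sha256 is None or data is None:
            result[c.purl] = "unverifiable"
        else:
            result[c.purl] = "ok" if sha256_hex(data) == c.sha256.lower() else "mismatch"
    return result


def match_vulnerabilities(comps: list[Component], feed: list[dict]) -> list[tuple[str, str]]:
    """Exact purl match between SBOM components and feed entries -> (purl, vuln id)."""
    purls = {c.purl for c in comps}
    return [(a["purl"], a["id"]) for a in feed if a["purl"] in purls]


def apply_vex(matches: list[tuple[str, str]], vex: list[dict]) -> list[dict]:
    """Attach the supplier's VEX status; a match with no statement stays 'affected'."""
    lookup = {(v["purl"], v["vuln"]): v for v in vex}
    findings = []
    for purl, vuln in matches:
        stmt = lookup.get((purl, vuln))
        status = stmt["status"] if stmt else "affected"
        findings.append({"purl": purl, "vuln": vuln, "status": status,
                         "actionable": status in ("affected", "under_investigation")})
    return findings


def assess(sbom_text: str, feed: list[dict], vex: list[dict],
           artifacts: dict[str, bytes]) -> dict:
    """Full pass: parse, check integrity, match the feed, apply VEX, list what needs action."""
    comps = parse_sbom(sbom_text)
    findings = apply_vex(match_vulnerabilities(comps, feed), vex)
    return {"components": len(comps),
            "integrity": verify_hashes(comps, artifacts),
            "findings": findings,
            "actionable": sorted(f["vuln"] for f in findings if f["actionable"])}


if __name__ == "__main__":
    print(json.dumps(assess(SBOM_JSON, VULN_FEED, VEX_STATEMENTS, ARTIFACTS), indent=2))
```

Running the script prints the assessment: one component's hash verifies, one mismatches (a different build than the SBOM describes, which is exactly the "correct version or instance" problem Professor Camp raises), and one cannot be verified because the SBOM omits the hash. Of the three feed matches, the one with no VEX statement is treated as affected until the supplier says otherwise, the not_affected one drops out, and the under_investigation one stays on the action list; re-running the same pass whenever the feed or the VEX data changes is the "automatic update" integration discussed above.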

And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Let us know if you are innovating in the cyber space or have a cybersecurity product you would like discussed on Active Cyber™. Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, AI/ML, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Professor Jean Camp. L. Jean Camp is a Professor in the School of Informatics and Computer Science at Indiana University. She is a Fellow of the American Association for the Advancement of Science, and has been inducted into the Sigma Xi honor society. She joined Indiana after eight years at Harvard’s Kennedy School, where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station with an MSEE from the University of North Carolina at Charlotte. Her research focuses on the intersection of human and technical trust, leveraging economic models and human-centered design to create safe, secure systems. She is a founder of the economics of information security and, at Indiana, the founding director of the Security & Privacy in Economics, Informatics, and Engineering (SPICE) Center. She is the author of two monographs. In addition, she has authored hundreds of shorter works, including over two hundred peer-reviewed publications.