
In July 2021, a ransomware group, R-Evil, attacked a Managed Service Provider, Kaseya. R-Evil hit Ksaeya’s remote monitoring platform. More than 1,000 Kaseya’s customers used the platform. Each of these customers provides services to many other large businesses. By noon, US Eastern time, R-Evil claimed that one million systems were down because of their ransomware attack! The ransom of $1 million at 8 am was raised to $70 million US dollars by noon! This is all because of one vulnerability in the remote monitoring software that attackers could exploit successfully. Like traditional supply chains, software supply chains can also create a domino effect and disrupt businesses and society.
The software supply chain comprises source code, third party and open source libraries, other software components, tools, etc., needed to build and release the software. If any of the dependencies fails, the functionality of the software or application is impacted. Disrupting the software supply chain is not only impacting the software and technology companies but can affect almost all businesses, government, and society. That is why securing the software supply chain is the most important priority. `
The US government issued an executive order to secure information and infrastructure. Executive Order (EO) 14028, Improving the Nation’s Cybersecurity (May 12, 2021),1 focuses on the security and integrity of the software supply chain and emphasizes the importance of secure software development environments. The EO directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration (NTIA), to publish the “minimum elements” for a Software Bill of Materials (SBoM).
The term Bill of Material (BoM) originates from the manufacturing industry. The BoM is a list of raw materials included in manufacturing a product. In its simplest form, the Software Bill of Material or SBoM is defined as a list of third party or open sourced components used in the software. In other words, SBoM is a snapshot of the software supply chain. To maximize the benefits and optimize the SBoM creation process, the SBoM should be integrated with the Secure Software Development Lifecycle.
The SBoM usually includes the following information:
Currently, there are three SBoM formats are in use. Please click on the names below to find out more about each format:
Some of the critical benefits of SBoM to software vendors & customers are:
The software vendor or supplier has one more crucial benefit — Transparency. By sharing the SBoM, the software supplier can prove that they have processes to manage vulnerabilities, apply patches, and adhere to compliance.
The benefits of SBoM are far more to customers with the onPrem deployment. This is because, in the case of onprem deployments, customers are on the hook for applying certain patches and managing the environment. Knowing what is in the software keeps them looking for new vulnerabilities or versions of any dependent software.
However, in the case of cloud customers, especially SaaS customers, these benefits are not as lucrative since SaaS consumer does not have to manage vulnerabilities, apply patches, or upgrade to the new version.
The SaaS vendors can use SBoM for transparency and to vouch for the quality and security of the software. By sharing the SBoM, the software vendor assures the customers of the products and processes' authenticity, integrity, and reliability. Apart from the software vendor’s SBoM, SaaS customers can also obtain SOC 2 and other third party audit/compliance reports to verify the quality and security of the software,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
4 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |