As I mentioned in Friday’s post, Reuters carried an article on Thursday that said there would soon be a new Executive Order regarding software security, and that it would include a requirement for software bills of materials. Of course, given how much I’ve advocated for SBOMs since last summer, it would be hypocritical of me to say that I don’t welcome the idea that there might be a mandate driving their production and use. Since I’m sure SBOMs will come sooner or later – they have to – I don’t mind the government putting their weight behind them, to speed up that process.
But here’s the problem: It would be
an unmitigated disaster, were the feds (and I’m not sure who would enforce this
order. DHS, and CISA specifically?) to simply mandate that certain software suppliers to the federal government start
delivering SBOMs for all of their software products within say the next six
months to one year. This is because there are still far too many unanswered
questions about SBOMs, for this to be even remotely possible.
Here are two questions that have
been answered (there are many others that have been answered as well):
Q: SBOMs need to be machine-readable, given the huge volume
of components that software end users might want to track for vulnerabilities. For
example, the average software product contains
over 100 components (and some contain thousands). If an organization uses 200
different products and they get SBOMs for all of them, that means they should
track 20,000 components. Can SBOMs be made machine readable?
A: This problem is solved. There are currently three
generally accepted formats, all of which are machine-readable: SPDX, CycloneDX
and SWID; it is likely that more will appear in the future.
Q: Speaking of SBOM formats, which is the best one?
A: Each of the three formats provides what the National
Technology and Information Administration (NTIA)
has defined as the minimal fields required in an SBOM. Beyond that, each format
provides capabilities that are important to some suppliers and users but not
others. The NTIA Software Transparency Initiative members have decided that
there is no need to choose one format over the others – given that tools are
already available to translate among formats.
But here are some questions that
haven’t been answered yet and are unlikely to be definitively resolved in the next
year. I wrote about two of the biggest last fall: the “naming
problem” and the “problem” caused by the fact that the majority of
vulnerabilities in components aren’t in fact exploitable in the end products
that include those components, which I discussed in this
post.
There are also some questions that
can only be answered through experience – that is, through actual production
and use of SBOMs. This is what the industry Proofs of Concept are doing. The
healthcare industry has been conducting PoCs for SBOMs since 2018, and PoCs for
electric power and autos will start in the near future. There will be other
PoCs as well, as momentum picks up.
Answers to all of these questions
are emerging from the PoCs, but trying to rush answers now would inevitably require
finger-in-the-air-type guesses, rather than answers based on experience, which
is what the PoCs are providing. These questions include:
1.
How often should SBOMs
be re-issued?
2.
How can SBOMs be
provided to end users in a way that doesn’t overwhelm them with seemingly
random documents?
3.
What kinds of “intermediary”
services would be required, to make SBOMs issued in one of the three current
formats usable for vulnerability management purposes in the near future? This
may be one way of “jump starting” successful use of SBOMs, vs. having to wait
for the current vendors of vulnerability management products to modify their
products to ingest SBOMs directly.
4.
What about other
potential uses of SBOMs, like for license management? The fields for this are
already in the SBOM formats, but in most cases they’re not being used now. There are
certainly other uses for SBOMs as well. Facilitating these use cases doesn’t
require technical changes, but it does require agreement on procedures.
5.
How can access to the
data in an SBOM be protected, so that only the organizations (usually
customers) that the supplier wants to have access in fact do so?
There are many more of these
questions, of course. My point is that it would be a big mistake for the feds
to mandate that SBOMs be produced and used until these questions are much closer
to being answered than they are now.
Fortunately, one federal agency
has already faced these issues and pointed out the best way to address them,
while at the same time making a firm statement that SBOMs will be mandatory.
The FDA in 2018 was concerned about securing the software in medical devices
used in hospitals (e.g. infusion pumps) and stated that they would require
SBOMs for those devices in the future. However, they didn’t set a date for
this, or provide any specifics about what they would mandate.
The FDA did this because they knew
full well that trying to issue specific regulations for SBOMs at that time
would have led to nothing but confusion and bad feelings. Instead, they
supported the NTIA Software Transparency Initiative as the best road to resolving
all of these questions. They have still not set a date for regulation and they
continue to support the initiative, including the healthcare Proof of Concept.
This approach turned out to be
very successful. The healthcare industry – both the hospitals and the medical
device makers – realized they had to cooperate to make SBOMs a reality, rather
than just a vague aspiration. That is what the NTIA Software Transparency Initiative
is doing, and especially the healthcare PoC. Other industries, including
energy, can help advance this effort by starting their own PoCs.
If SBOMs are included in the EO, I
think the best approach is to follow the FDA model: State that SBOMs will be
required in the future (or perhaps even set a date to begin rulemaking, say 2-3
years from now). This puts all the
pressure needed on industry to resolve these and other questions, so that in a
few years it will make a lot of sense to talk about some regulation of SBOMs (if
it’s still needed. Perhaps SBOMs will be in such wide use already, that there
will be no need to mandate anything more than that).
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.
No comments:
Post a Comment