Saturday, July 15, 2023

Back on the road to Damascus


Almost on the last day of 2021, I wrote a post in which I stated my newfound belief (after a “road to Damascus” experience, although unlike St. Paul I didn’t hear the voice of God speaking to me) that suppliers should be responsible for performing the analysis of SBOMs and VEX documents, in order to produce a continually-updated (at least daily) list of exploitable component vulnerabilities in a particular product/version. Even though suppliers may choose to work with third-party service providers to perform this service (since the service providers can amortize the cost of their services across a large user base), it should remain the supplier’s responsibility, and the supplier should pay for the service provider.

I’ve repeated that belief at various times since then, but I’ll admit that I’ve often forgotten about it, and spoken as if this analysis is really the responsibility of software end users. While that may be true in the short run, I anticipate that in maybe 5-10 years, the party universally believed to be responsible for analysis of SBOMs will be the supplier.

While there are several compelling reasons why suppliers should bear this responsibility, here’s the most compelling: 

In order for end users to be able to make use of SBOM and VEX data to manage component vulnerabilities in the software products they utilize, somebody's tool needs to ingest an SBOM, look up component vulnerabilities in the NVD or another vulnerability database, and ingest VEX information to learn how the supplier views the status of each of those component vulnerabilities. It makes no sense to force thousands, tens of thousands or even millions of customers to perform exactly the same set of steps that the supplier could perform on their own, and just distribute the results to their customers.
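To make the three steps in that paragraph concrete, here is a small added example (mine, not code from this blog or from any SBOM tool) that ingests a constructed SBOM, looks each component up in a constructed stand-in for a vulnerability database, applies constructed VEX statements, and emits the list of component vulnerabilities the supplier has not ruled out. The component list is modelled loosely on CycloneDX components keyed by package URL, and the VEX statuses use the CSAF VEX vocabulary (not_affected, affected, fixed, under_investigation); the product name, purls and CVE-style identifiers are placeholders, not real records.

```python
"""Minimal SBOM + VEX reconciliation: the per-customer analysis the post describes."""
from dataclasses import dataclass

# Constructed SBOM: a CycloneDX-style component list identified by package URL (purl).
SBOM = {
    "product": "ExampleApp 2.3.1",  # placeholder product/version
    "components": [
        {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"name": "libbar", "version": "0.9.0", "purl": "pkg:generic/libbar@0.9.0"},
        {"name": "libbaz", "version": "3.1.0", "purl": "pkg:generic/libbaz@3.1.0"},
    ],
}

# Constructed stand-in for an NVD (or other vulnerability database) query result:
# purl -> list of vulnerability IDs. The IDs are placeholders, not real CVEs.
VULN_DB = {
    "pkg:generic/libfoo@1.4.2": ["CVE-0000-0001", "CVE-0000-0002"],
    "pkg:generic/libbar@0.9.0": ["CVE-0000-0003"],
    "pkg:generic/libbaz@3.1.0": [],
}

# Constructed VEX statements using the CSAF VEX status vocabulary.
VEX = [
    {"vuln": "CVE-0000-0001", "purl": "pkg:generic/libfoo@1.4.2",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "CVE-0000-0002", "purl": "pkg:generic/libfoo@1.4.2",
     "status": "affected", "action": "update when the fixed version ships"},
    # CVE-0000-0003 has no VEX statement yet: the supplier has said nothing about it.
]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str
    status: str  # a VEX status, or "no_vex_statement" when the supplier is silent


def lookup_component_vulns(sbom, vuln_db):
    """Steps 1 and 2: ingest the SBOM and look up each component in the database."""
    for comp in sbom["components"]:
        for vuln_id in vuln_db.get(comp["purl"], []):
            yield comp["purl"], vuln_id


def apply_vex(candidates, vex_statements):
    """Step 3: attach the supplier's VEX status to each (component, vulnerability) pair."""
    index = {(s["purl"], s["vuln"]): s["status"] for s in vex_statements}
    return [Finding(v, p, index.get((p, v), "no_vex_statement")) for p, v in candidates]


def exploitable(findings):
    """The customer-facing result: vulnerabilities the supplier has not ruled out.

    Only not_affected and fixed close a finding; affected, under_investigation and a
    missing VEX statement all stay on the list, so silence is never read as safe."""
    closed = {"not_affected", "fixed"}
    return [f for f in findings if f.status not in closed]


def analyze(sbom=SBOM, vuln_db=VULN_DB, vex=VEX):
    """Run the whole pipeline; rerun with fresh vuln_db/vex inputs for the daily update."""
    return exploitable(apply_vex(lookup_component_vulns(sbom, vuln_db), vex))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.vuln_id}  {f.component}  [{f.status}]")
```

Run as-is it lists two open items: the one the supplier marked affected and the one with no VEX statement at all. The "updated daily" result the post asks for is nothing more than calling `analyze` again with the latest database snapshot and the latest VEX statements; every one of the 10,000 customers who does that with the same inputs gets the same list, which is exactly why the supplier could run it once.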

For example, suppose a software product has 10,000 users, all of whom are concerned about managing vulnerabilities due to components in the product. Let’s say there are low cost, easy-to-use, commercially supported tools available that will perform the required analysis, so the cost of tooling is not an important factor here (hey, a guy can fantasize, can’t he?). And assume the users have all been utilizing these tools for a long time, so they don’t need to “learn on the job” while performing this analysis.

Now, let’s suppose that performing the required analysis across the useful life of the software requires five hours of time for a single version of the product. If all 10,000 users do this, the total cost to them will be 50,000 hours. Ideally, if they all work with the same information from the supplier (i.e. both the SBOM and the VEX documents), they will all end up with exactly the same results for this product: a list of exploitable component vulnerabilities in the product and version, which is updated daily to reflect new vulnerabilities found in a major vulnerability database and new VEX documents received from the supplier.

Now, let’s suppose the supplier performs this same analysis themselves, using the same tool as their customers do (in fact, in the author’s opinion, the supplier would be negligent if they weren’t performing this analysis themselves, at least daily and perhaps more often). They will also spend five hours on this and achieve the same results as each of their 10,000 customers.

Here’s the hard question: Which is more, 50,000 hours or five hours? You’re correct! 50,000 hours is more than five hours.

Now, here is the even harder question: How could it ever make sense for a supplier to require each of its customers to perform an analysis that the supplier could perform just as cheaply on its own, while simply distributing the results to their customers (probably in a customer portal, so they don’t have to push any documents out)?

And here’s the answer to that even harder question: It probably never makes sense for a supplier not to do this analysis themselves and make the results available to their customers. So why is everybody in the (expired) NTIA and CISA SBOM initiatives talking as if the supplier’s only responsibility is to toss the SBOM over the wall to their customer and let the customer figure out what to do from there?

Beats me.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
