Almost on the last day of 2021, I
wrote a post
in which I stated my newfound belief (after a “road to Damascus” experience,
although unlike St. Paul I didn’t hear the voice of God speaking to me) that suppliers
should be responsible for performing the analysis of SBOMs and VEX documents, in
order to produce a continually-updated (at least daily) list of exploitable
component vulnerabilities in a particular product/version. Even though
suppliers may choose to work with third-party service providers to perform this
service (since the service providers can amortize the cost of their services
across a large user base), it should be their responsibility, and they should
pay for the service provider.
I’ve repeated that belief at various
times since then, but I’ll admit that I’ve often forgotten about it, and spoken
as if this analysis is really the responsibility of software end users. While
that may be true in the short run, I anticipate that in maybe 5-10 years, the party
universally believed to be responsible for analysis of SBOMs will be the supplier.
While there are several compelling reasons why suppliers should bear this responsibility, here’s the most compelling:
In order for end users to be able to make use of SBOM and
VEX data to manage component vulnerabilities in the software products they
utilize, somebody's tool needs to ingest an SBOM, look up component vulnerabilities in
the NVD or another vulnerability database, and ingest VEX information to learn
how the supplier views the status of each of those component vulnerabilities. It
makes no sense to force thousands, tens of thousands or even millions of
customers to perform exactly the same set of steps that the supplier could
perform on their own, and just distribute the results to their customers.
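As an added illustration (not code from the original post), here is the tool-side join the paragraph describes: a minimal CycloneDX-style SBOM, a stand-in for the NVD lookup, and supplier VEX statements, all constructed inline with placeholder advisory IDs, reduced to the list of component vulnerabilities that still count as exploitable. Components with no VEX statement stay on the list, since silence from the supplier is not a "not affected" finding.

```python
import json
from typing import Dict, List, Tuple

# Constructed minimal SBOM (CycloneDX-style JSON, trimmed to the fields used here).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "acme-app", "version": "2.3.1"}},
  "components": [
    {"name": "libfoo", "version": "1.0.2", "purl": "pkg:generic/libfoo@1.0.2"},
    {"name": "libbar", "version": "4.2.0", "purl": "pkg:generic/libbar@4.2.0"},
    {"name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"}
  ]
}"""

# Constructed stand-in for an NVD/OSV lookup: purl -> advisory IDs (placeholder IDs).
VULN_DB: Dict[str, List[str]] = {
    "pkg:generic/libfoo@1.0.2": ["CVE-0000-0001", "CVE-0000-0002"],
    "pkg:generic/libbar@4.2.0": ["CVE-0000-0003"],
}

# Constructed supplier VEX (CycloneDX VEX-style analysis.state values).
VEX_JSON = """{
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:generic/libfoo@1.0.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0003", "affects": [{"ref": "pkg:generic/libbar@4.2.0"}],
     "analysis": {"state": "exploitable"}}
  ]
}"""

# States that close a finding; anything else (exploitable, in_triage, or no
# statement at all) keeps the vulnerability on the customer's action list.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}

def vex_index(vex: dict) -> Dict[Tuple[str, str], str]:
    """Index VEX statements as (component purl, vuln id) -> analysis state."""
    idx: Dict[Tuple[str, str], str] = {}
    for v in vex["vulnerabilities"]:
        for a in v.get("affects", []):
            idx[(a["ref"], v["id"])] = v["analysis"]["state"]
    return idx

def exploitable_vulns(sbom_json: str, vuln_db: Dict[str, List[str]], vex_json: str):
    """Ingest SBOM, look up each component, apply VEX; return open (purl, id, state)."""
    sbom = json.loads(sbom_json)
    status = vex_index(json.loads(vex_json))
    open_findings = []
    for c in sbom["components"]:
        for vid in vuln_db.get(c["purl"], []):
            state = status.get((c["purl"], vid), "no_vex_statement")
            if state not in CLOSED_STATES:
                open_findings.append((c["purl"], vid, state))
    return sorted(open_findings)
```

Rerunning this daily against a refreshed vulnerability feed and the latest VEX is exactly the work that either 10,000 customers or one supplier ends up doing.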
For example, suppose a software product has 10,000 users,
all of whom are concerned about managing vulnerabilities due to components in
the product. Let’s say there are low cost, easy-to-use, commercially supported
tools available that will perform the required analysis, so the cost of tooling
is not an important factor here (hey, a guy can fantasize, can’t he?). And assume
the users have all been utilizing these tools for a long time, so they don’t
need to “learn on the job” while performing this analysis.
Now, let’s suppose that performing the required analysis
across the useful life of the software requires five hours of time for a single
version of the product. If all 10,000 users do this, the total cost to them
will be 50,000 hours. Ideally, if they all work with the same information from
the supplier (i.e. both the SBOM and the VEX documents), they will all end up
with exactly the same results for this product: a list of exploitable component
vulnerabilities in the product and version, which is updated daily to reflect
new vulnerabilities found in a major vulnerability database and new VEX
documents received from the supplier.
Now, let’s suppose the supplier performs this same analysis
themselves, using the same tool as their customers do (in fact, in the author’s
opinion, the supplier would be negligent if they weren’t performing this
analysis themselves, at least daily and perhaps more often). They will also spend
five hours on this and achieve the same results as each of their 10,000 customers.
Here’s the hard question: Which is more, 50,000 hours or
five hours? You’re correct! 50,000 hours is more than five hours.
Now, here is the even harder question: How could it ever
make sense for a supplier to require each of its customers to perform an analysis
that the supplier could perform just as cheaply on its own, while simply
distributing the results to their customers (probably in a customer portal, so
they don’t have to push any documents out)?
And here’s the answer to that even harder question: It probably
never makes sense for a supplier not to do this analysis themselves and make
the results available to their customers. So why is everybody in the (expired) NTIA
and CISA SBOM initiatives talking as if the supplier’s only responsibility is to
toss the SBOM over the wall to their customer and let the customer figure out
what to do from there?
Beats me.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.