During the weekly meeting of the OWASP SBOM Forum this week, I had a discussion (although not quite an argument) with two well known people in the world of software supply chain security. We were discussing obstacles that are preventing regular distribution of SBOMs and VEX documents to software users. One of them brought up the fact that lawyers at software developers and intelligent device manufacturers are often resolutely opposed to distributing those documents, for fear of a customer suing the company because of a mistake or omission.
I pointed out that there’s nothing illegal about making a misstatement – or even an outright lie – on an SBOM, but we all agreed this wouldn’t stop someone who was determined to sue. This is especially true if they’re sure they can prove they have been damaged in some way.
I then remembered that I wrote a post last year about my realization that it will be at least a year (and now I’d say 2-3 years) before best practices regarding SBOM and VEX are clear enough that real contract language regarding them will even be possible. The only contractual term that should even be considered now is one stating that the supplier will provide SBOMs and VEX documents on an experimental basis. For their part, the customer needs to agree with this statement and promise they won’t base operational decisions on the contents of the documents.
In fact, I don’t think most suppliers will even start regularly distributing SBOMs and VEXes (i.e., not just providing a single SBOM) unless they have contractual provisions like this in place with their customers.
But at least one of my friends said that lawyers, at least those that work for publicly-traded commercial software and intelligent device suppliers, won’t even be satisfied with contractual provisions like this; they simply won’t let their companies distribute SBOMs or VEXes – not no way, not no how. At that point, I wondered why we were all spending so much time discussing SBOMs if they’ll never be made available to end users (or to third-party service providers that “process” the SBOMs and VEXes on behalf of the end users, providing the users with up-to-date information about the exploitability status of component vulnerabilities in one or more product/versions they utilize). This idea, along with the idea of a proof of concept that the OWASP SBOM Forum hopes to initiate later this year or perhaps early in 2025, is discussed in Part 3 of my book, “Introduction to SBOM and VEX”.
It is indisputable that, because of this problem, some software companies (especially the large public companies) will be unable to distribute SBOMs and VEXes for their products for years; in fact, there are still a lot of companies – and especially intelligent device manufacturers – that have literally never reported a vulnerability for their products. Obviously, if they won’t even report vulnerabilities today, SBOM and VEX are out of the question.
However, it’s also indisputable that some companies will see the opportunity to demonstrate to their customers that they want to be transparent about the status of vulnerabilities in their products, whether due to code the supplier wrote or to code contained in third-party components (this includes at least a few of the largest software and intelligent device suppliers). This will be especially true if they have customer contract provisions in place like the one I just described. The SBOM Forum believes that, once code is available to produce and parse “tight” VEX specifications for both the CSAF and CycloneDX VEX platforms – and Anthony Harrison of our group already has preliminary code for CSAF – it will be possible for one or more service providers to perform the SBOM and VEX “processing” service described above (and in Part 3 of my book).
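To make the “processing” step concrete, here is an added example (my illustration, not the SBOM Forum’s or Anthony Harrison’s code) that overlays a supplier’s VEX statements on an SBOM’s component list and reports the exploitability status of each component vulnerability. The SBOM, vulnerability feed and VEX documents are constructed, simplified JSON-like structures whose status vocabulary only loosely follows CycloneDX/CSAF; the CVE identifiers are placeholders.

```python
"""Toy SBOM/VEX 'processing' step: overlay VEX statements on an SBOM's
component list and report exploitability status per component vulnerability.
Added example with constructed, simplified documents (not the Forum's code)."""
from datetime import datetime

# Constructed SBOM: one product version and its components, keyed by bom-ref.
SBOM = {
    "product": "acme-gateway@2.1.0",
    "components": [
        {"ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20"},
        {"ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0"},
    ],
}

# Constructed vulnerability feed (placeholder ids): which component refs each touches.
VULN_FEED = {
    "CVE-0000-0001": ["pkg:npm/lodash@4.17.20"],
    "CVE-0000-0002": ["pkg:pypi/requests@2.25.0"],
    "CVE-0000-0003": ["pkg:pypi/requests@2.25.0"],
}

# Constructed VEX statements, loosely modelled on the CycloneDX/CSAF status values.
# The supplier revised CVE-0000-0002 a week later, so two statements exist for it.
VEX = [
    {"id": "CVE-0000-0001", "ref": "pkg:npm/lodash@4.17.20", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path", "timestamp": "2024-03-01T00:00:00"},
    {"id": "CVE-0000-0002", "ref": "pkg:pypi/requests@2.25.0",
     "status": "under_investigation", "timestamp": "2024-03-01T00:00:00"},
    {"id": "CVE-0000-0002", "ref": "pkg:pypi/requests@2.25.0",
     "status": "affected", "timestamp": "2024-03-08T00:00:00"},
]

def exploitability(sbom, feed, vex):
    """Return {(vuln_id, component_ref): status}. A vulnerability with no VEX
    statement is reported as 'no_vex_statement' so the consumer can see the
    supplier has not spoken, rather than silently treating it as resolved."""
    refs = {c["ref"] for c in sbom["components"]}
    latest = {}  # most recent statement per (vuln, component): later VEX wins
    for s in sorted(vex, key=lambda s: datetime.fromisoformat(s["timestamp"])):
        latest[(s["id"], s["ref"])] = s["status"]
    report = {}
    for vuln_id, affected_refs in feed.items():
        for ref in affected_refs:
            if ref in refs:  # only vulnerabilities in components this product ships
                report[(vuln_id, ref)] = latest.get((vuln_id, ref), "no_vex_statement")
    return report

def needs_review(report):
    """Entries a user would flag: supplier says affected, or has said nothing yet."""
    return sorted(k for k, v in report.items() if v in ("affected", "no_vex_statement"))
```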
We hope to demonstrate that this is indeed possible in a proof of concept this year or next. Assuming that is successful, we hope that both SBOMs and VEXes will be “launched” in the real world, even though only a small number of suppliers are providing them regularly. As other suppliers see that it’s possible to do this, and as they put the required contractual protections in place, we expect that number to grow – at first slowly and then rapidly. If you’re interested in participating in this effort, let me know.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.