Saturday, March 9, 2024

Will the lawyers squash SBOMs?

During the weekly meeting of the OWASP SBOM Forum this week, I had a discussion (although not quite an argument) with two well known people in the world of software supply chain security. We were discussing obstacles that are preventing regular distribution of SBOMs and VEX documents to software users. One of them brought up the fact that lawyers at software developers and intelligent device manufacturers are often resolutely opposed to distributing those documents, for fear of a customer suing the company because of a mistake or omission.

I pointed out that there’s nothing illegal about making a misstatement – or even an outright lie – on an SBOM, but we all agreed this wouldn’t stop someone who was determined to sue. This is especially true if they’re sure they can prove they have been damaged in some way.

I then remembered that I wrote a post last year about my realization that it will be at least a year (and now I’d say 2-3 years) before best practices regarding SBOM and VEX are clear enough that real contract language regarding them will even be possible. The only contractual term that should even be considered now is one stating that the supplier will provide SBOMs and VEX documents on an experimental basis. For their part, the customer needs to agree with this statement and promise they won’t base operational decisions on the contents of the documents.

In fact, I don’t think most suppliers will even start regularly distributing SBOMs and VEXes (i.e., not just providing a single SBOM) unless they have contractual provisions like this in place with their customers.

But at least one of my friends said that lawyers, at least those that work for publicly traded commercial software and intelligent device suppliers, won’t even be satisfied with contractual provisions like this; they simply won’t let their companies distribute SBOMs or VEXes – not no way, not no how. At that point, I wondered why we were all spending so much time discussing SBOMs, if they’ll never be made available to end users (or to third party service providers that “process” the SBOMs and VEXes on behalf of the end users, while providing the users with up-to-date information about the exploitability status of component vulnerabilities in one or more product/versions they utilize). This idea, along with the idea of a proof of concept that the OWASP SBOM Forum hopes to initiate later this year or perhaps early in 2025, is discussed in Part 3 of my book, “Introduction to SBOM and VEX”.

It is indisputable that, because of this problem, some software companies (especially the large public companies) will be unable to distribute SBOMs and VEXes for their products for years; in fact, there are still a lot of companies – and especially intelligent device manufacturers – that have literally never reported a vulnerability for their products. Obviously, if they won’t even report vulnerabilities today, SBOM and VEX are out of the question.

However, it’s also indisputable that some companies will see the opportunity to demonstrate to their customers that they want to be transparent about the status of vulnerabilities in their products, whether due to code the supplier wrote or to code contained in third party components (this includes at least a few of the largest software and intelligent device suppliers). This will be especially true if they have customer contract provisions in place like the one I just described. The SBOM Forum believes that, once code is available to produce and parse “tight” VEX specifications for both the CSAF and CycloneDX VEX platforms – and Anthony Harrison of our group already has preliminary code for CSAF – it will be possible for one or more service providers to perform the SBOM and VEX “processing” service described above (and in Part 3 of my book).

We hope to demonstrate that this is indeed possible in a proof of concept this year or next. Assuming that is successful, we hope that both SBOMs and VEXes will be “launched” in the real world, even though only a small number of suppliers are providing them regularly. As other suppliers see that it’s possible to do this, and as they put the required contractual protections in place, we expect that number to grow – at first slowly and then rapidly. If you’re interested in participating in this effort, let me know.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.
