Why SBOMs alone aren’t enough for software supply chain security

It seems like just yesterday that the mad scramble following the SolarWinds compromise elevated supply chain security to the forefront of every entity, regardless of sector. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), formed the Information and communications technology (ICT) Supply Chain Risk Management task force in an effort to unite public and private entities with the goal of developing an actionable strategy to enhance supply chain security.

From the CISO perspective, a recent industry report from Coalfire on Software Supply Chain Risk hit the nail on the head: “Managing risk within software supply chains and product development lifecycles has become as important as protecting traditional, physical inventories and equipment supply lines.” Their survey, conducted with CyberRisk Alliance, highlighted how 52% of managers are concerned about software exposed to attack.

The CISA issued guidance on defending against software supply chain attacks and included recommendations for organizations and software vendors to minimize their risks. It touched on six vectors:

1. Design
2. Development and production
3. Distribution
4. Acquisition and deployment
5. Maintenance
6. Disposal – IT asset disposition (ITAD)

SBOMs alone “woefully incomplete” for software-producing companies

Reaching out to Dan Cornell, vice president, product strategy at Coalfire we learn, not surprisingly, that one size does not fit all and that different organizations will evaluate and understand their risk in different ways. He explains how traditional security management included service level agreements, measurable outcomes, etc. For software-producing organizations, the use of a software bill of materials (SBOM) and calling it a day is the minimalist approach and woefully incomplete.

“Real visibility into the supply chain isn’t provided by a SBOM,” Cornell says. “I would like to see forced transparency to take place going beyond the SBOM but don’t know if the industry has the appetite.”

Lack of risk visibility slowing software purchases

He concludes by saying the buyer has the power prior to the signing of the contract to demand the visibility necessary for the buyer to determine the risk exposure being provided by a vendor’s product. Not surprisingly, as more buyers demand answers to “risk-based questions” as part of the deal flow, there is a decided slowing of the purchase process. The need to address the risk is being assumed by customers, and constipation in deal flow is the end result.

Cornell is right. CISOs must be asking risk-based questions and not simply nice-to-know questions that allow for pithy and obtuse answers. If the vendor/provider can’t answer to your satisfaction, move on and find a competitor who is willing and able to do so.  

For a separate point of view, I reached out to Tim Mackey, principal security strategist at Synopsys, who also noted that the reliance on the SBOM is minimal table stakes and certainly not the panacea many think it may be. “Not all SBOMs are created equally,” says Mackey. He notes how the inexperience of coders carries its own set of risks, and the hard coding of credentials or other secrets into code may have been the right thing for a specific instance, but often that decision is abstracted away and the why and parameters around the instance fade once the code is squished/compiled. A code review might not be the solution as the code may run, but are the configurations that are being exercised by the hard code being simulated?

A recommendation carried by Lackey and by Apiiro Vice President Security Research Moshe Zioni, whom I spoke with at Black Hat 2022, is the use of “vaults” for the storage of credentials and other secrets that provide a shorter live window of opportunity of compromise and allow access “to only this process, with only these circumstances and for only this limited period of time.”

CISOs no doubt are observing that creating an ecosystem where access is prescribed and limited to the extreme is a heavier lift and thus will have to fight the urge of embracing convenience at the price of creating a more secure supply chain.

Additionally, CISOs must be prepared to support the business operations and socialize the need to include in the negotiations the key components of supply chain risk management (SCRM) visibility with every vendor. The power to resist the urge to close the deal and get on to business may be a high hurdle, but one which must be cleared if supply chain security is to be adequately addressed.