What Is an SBOM? The Importance of a Software Bill of Materials – Security Boulevard

Cyber attacks like Log4Shell have led the Biden administration to work closely with security experts and with the Cybersecurity and Infrastructure Security Agency (CISA) to produce government resources and legislation intended to improve the United States’ security posture.

On August 17, the US House of Representatives passed H.R. 7900, the National Defense Authorization Act for Fiscal Year 2023. Section 6722 of the bill would require every organization seeking to do business with the Department of Defense (DoD) or the Department of Energy (DoE) to provide a Software Bill of Materials (SBOM) for every new and existing software contract.
A Software Bill of Materials (SBOM) is technical documentation that lists the components used in a specific piece of software. Much like an ingredient list, an SBOM records the third-party libraries, open source software, and commercial libraries the software is built from, along with identifying details such as each component’s version.
Although the concept is simple, organizations often do not know every component contained in their deployed software, and that creates serious security concerns, since a single vulnerable component can give threat actors an opening to exploit. Recent supply chain attacks have shown this, but its full force was felt when Log4Shell was discovered: hundreds of vendors were caught off guard because they did not know whether their own products contained vulnerable versions of the widely used log4j library. Months after the initial disclosure, vendors were still publishing advisories and fixes for their own software.
Organizations will face considerable pressure from their own leadership, as well as from the federal government, to produce and maintain SBOMs. To assist them, Flashpoint’s VulnDB® offering integrates with SBOM standards such as CycloneDX. CycloneDX was designed by Steve Springett, Senior Architect at ServiceNow, in 2017 and was developed for use with the open source OWASP Dependency-Track project.
Early last year, Steve spoke with Jake Kouns, General Manager at Risk Based Security, to define SAST, DAST, IAST, SCA, and SBOM, in addition to the PURL standard, and to explain how CycloneDX generates SBOMs. The recorded conversation, with timestamps, is embedded in the original post.
While the ability to create SBOMs is important, being able to identify and remediate vulnerabilities affecting the listed items is equally vital. Organizations may find, however, that triaging and remediating vulnerabilities in listed components, especially third-party libraries and open source software, is difficult.
Once a bill of materials is generated, security teams will likely have to spend considerable time triaging the discovered components. Even after hours of research, teams relying on CVE / NVD alone may have little to show for it, because CVE / NVD lacks significant coverage of vulnerabilities affecting third-party libraries, open source software, and legacy software, and the entries it does carry often lack the actionable details needed for remediation.
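The triage step described above, in working code, as an added example that is not code from Flashpoint, VulnDB or the CycloneDX project: it parses a CycloneDX JSON SBOM, extracts each component’s package URL (PURL), and matches it against a vulnerability feed keyed by PURL with half-open affected-version ranges. The SBOM document and the advisory feed are constructed inline so the script runs offline; the log4j record reuses the real Log4Shell identifier with a simplified version range, and the second record (EXAMPLE-0001) is a hypothetical placeholder, not a real advisory. The example also flags the case a practitioner most often trips over: a component listed without a PURL cannot be matched at all, however good the vulnerability data is.

```python
"""Match components listed in a CycloneDX SBOM against a PURL-keyed vulnerability feed.

Added example, not code from Flashpoint, VulnDB or CycloneDX. The SBOM and the
advisory feed below are constructed inline so that the script runs offline.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.4 document: two Maven components and one npm
# component listed without a purl (deliberately, to show what cannot be matched).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "left-pad", "version": "1.3.0"}
  ]
}
"""

# Constructed advisory feed. The first record is the real Log4Shell identifier with a
# simplified range (the actual affected range starts at 2.0-beta9); the second is a
# hypothetical placeholder record, not a real advisory.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "summary": "Log4Shell: JNDI lookup RCE"},
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/left-pad",
     "introduced": "0.0.0", "fixed": "1.4.0", "summary": "hypothetical placeholder"},
]


def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version).

    Handles the 'pkg:type/namespace/name@version?qualifiers#subpath' shape;
    qualifiers and subpath are dropped, percent-encoding is decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    version = ""
    if "@" in rest:                      # '@' inside names must be percent-encoded per spec
        rest, version = rest.rsplit("@", 1)
    parts = [unquote(p) for p in rest.split("/") if p]
    name = parts[-1]
    namespace = "/".join(parts[:-1]) or None
    return ptype, namespace, name, unquote(version) or None


def version_key(v):
    """Ordering key for dotted versions: numeric parts compare as ints, others as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def in_range(version, introduced, fixed):
    """Half-open affected range [introduced, fixed); fixed=None means no fix exists yet."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def triage(sbom_text, advisories):
    """Return (findings, unmatchable) for the components of a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}                           # (type, namespace, name) -> advisories
    for adv in advisories:
        ptype, ns, name, _ = parse_purl(adv["purl"])
        index.setdefault((ptype, ns, name), []).append(adv)
    findings, unmatchable = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:                     # no identifier to key on: report it, don't guess
            unmatchable.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        ptype, ns, name, version = parse_purl(purl)
        for adv in index.get((ptype, ns, name), []):
            if version and in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": purl, "advisory": adv["id"],
                                 "fixed_in": adv["fixed"]})
    return findings, unmatchable


if __name__ == "__main__":
    found, missing = triage(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"VULNERABLE {f['component']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    for m in missing:
        print(f"UNMATCHABLE {m} (no purl in SBOM)")
```

Running it reports the 2.14.1 copy of log4j-core as affected and the 2.17.1 copy as clean, and lists left-pad as unmatchable: the placeholder advisory for it never fires because the SBOM entry carries no PURL. That is the practical reason to insist on PURLs (or another canonical identifier) in any SBOM you accept, and to treat components without one as untriaged rather than as clean.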
Therefore, to keep an SBOM useful, organizations need comprehensive and detailed vulnerability intelligence. Using VulnDB®, security teams have access to over 297,000 vulnerabilities, including over 94,000 missed by CVE / NVD.
Each vulnerability entry found in VulnDB® has actionable metadata and all known details. VulnDB® captures the following and more:
Organizations that can provide quality SBOMs to their supply chain, as well as to regulatory agencies, will be able to demonstrate a strong security posture. Using VulnDB®, organizations can discover critical vulnerabilities affecting the items in their bill of materials and use Flashpoint data to address them in a timely manner. Sign up for a free VulnDB® trial to take advantage of quality vulnerability intelligence and its integration with CycloneDX.
Do you have certain third party libraries or OSS components that you need researched? Contact us to add specific coverage to your vulnerability intelligence needs.
The post What Is an SBOM? The Importance of a Software Bill of Materials appeared first on Flashpoint.
*** This is a Security Bloggers Network syndicated blog from Threat Intelligence Blog | Flashpoint authored by Curtis Kang. Read the original post at: https://flashpoint.io/blog/what-is-an-sbom-the-importance-of-a-software-bill-of-materials/