List of ingredients: BSI establishes rules for securing the software supply chain
The Federal Office for Information Security (BSI) wants to support companies and public administration in better securing software supply chains and mitigating the effects of security debacles such as Log4j. The Bonn authority published a technical guideline (TR) on cyber resilience on Friday, in which it sets out formal and technical specifications for the Software Bill of Materials (SBOM) concept. This is a machine-readable document that contains an electronic parts list and its code dependencies.
A software inventory database
An SBOM lists the components of a software project as completely as possible. In addition to the project's own source code, this includes internal and external references, for example to the open source packages used. Since the latter in turn often depend on other projects, these must also be listed in the software bill of materials. The information in a software inventory database “can be presented in different widths and depths,” writes the BSI in the new TR-03183. It ranges from a rough structure to a fine-grained breakdown of products and components. There are also different formats for representing and transmitting an SBOM, and the authors of the document provide information and instructions on how to use them.
According to the BSI, every software producer and provider should have an SBOM in order to be able to show the complexity of the programs used transparently. This is the only way to find out which components are used and how libraries are used. This knowledge is essential for management processes, such as the product life cycle and in particular for a continuous IT security process. It is considered best practice in a secure software supply chain.
In the case of Log4j, many administrators in smaller IT departments had to sift through every application on their own, and in corporations they had to compile tables in a hurry, in which those responsible for an application were supposed to enter whether the affected library was used in it. An SBOM would have simplified the overview here.
Only with automation
Such a list of ingredients can be public or private “and distributed via different distribution channels”, according to the TR. Typically, a software developer uses one or more third-party components. The developer creates and administers the SBOM of his own programs, but at the same time takes on the “consumer role” for the lists of ingredients of the integrated components. The wealth of SBOM information and the possible structural differences mean a lot of effort for each creator, the TR goes on to say, “which can only be countered effectively with automation”.
Such a directory can be used to check “whether a product is potentially affected by a vulnerability,” explains the BSI. However, it makes no statements about security gaps and their exploitability. It is therefore important to include additional security information such as CVE (Common Vulnerabilities and Exposures) entries from the component providers. In detail, the authority lists in the TR the data fields required for the SBOM itself, such as a URL along with the e-mail address of the creator and a time stamp, as well as the information required for each component, its version and its dependencies. There is also an overview of additional data fields that should be specified if possible.
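As an added illustration (not part of the article, and not the TR-03183 schema), the following shows the check described above on a constructed SBOM: components are recorded with a version and their dependencies by reference, and a transitive walk from the product flags any component whose version falls below the fixed version in a vulnerability record. The field names, component names and versions are assumptions, and the CVE identifier is a placeholder.

```python
"""Cross-check a (constructed) SBOM against vulnerability records.

Field names are assumptions for this example, not the TR-03183 schema.
"""

# Constructed SBOM: creator fields for the document itself, plus one entry per
# component with its version and its dependencies listed by component name.
SBOM = {
    "creator": {"url": "https://vendor.example", "email": "sbom@vendor.example"},
    "timestamp": "2023-06-02T10:00:00Z",
    "components": [
        {"name": "inventory-app", "version": "4.2.0", "depends_on": ["web-framework"]},
        {"name": "web-framework", "version": "1.8.3", "depends_on": ["log4j-core"]},
        {"name": "log4j-core", "version": "2.14.1", "depends_on": []},
    ],
}

# Constructed vulnerability records supplied alongside the SBOM. The CVE id is a
# placeholder and the fixed version is invented for this example.
ADVISORIES = [
    {"cve": "CVE-XXXX-YYYYY", "component": "log4j-core", "fixed_in": "2.17.1"},
]


def parse_version(version: str) -> tuple:
    """Naive dotted-numeric comparison; real SBOM tooling must use the
    ecosystem's own version scheme (semver, Maven, PEP 440, ...)."""
    return tuple(int(part) for part in version.split("."))


def dependency_paths(sbom: dict, root: str) -> list:
    """Every dependency path starting at root, including transitive ones."""
    comps = {c["name"]: c for c in sbom["components"]}

    def walk(name, path):
        path = path + [name]
        yield path
        for dep in comps[name]["depends_on"]:
            if dep not in path:  # guard against dependency cycles
                yield from walk(dep, path)

    return list(walk(root, []))


def potentially_affected(sbom: dict, advisories: list, root: str) -> list:
    """(cve, path) for each advisory matching a component below root in an
    affected version. 'Potentially': the SBOM says nothing about exploitability."""
    comps = {c["name"]: c for c in sbom["components"]}
    hits = []
    for path in dependency_paths(sbom, root):
        comp = comps[path[-1]]
        for adv in advisories:
            if adv["component"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv["cve"], " -> ".join(path)))
    return hits
```

The path returned for a hit shows the nested dependency that a manual per-application survey would have had to uncover by hand.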
Compulsory SBOM at EU level already under way
Open source tools like Cilium already contain an SBOM. The version control platform GitHub introduced a function in March that allows those responsible to create such an overview for their project. Previously, GitHub owner Microsoft released its own open source tool, Salus, in July 2022, which produces an SBOM for development initiatives. Since April, Google has offered a similar function with a programming interface for querying the data from Open Source Insights. In parallel, the group made its Assured Open Source Software service generally available free of charge on an SBOM basis.
The EU Commission’s draft for a Cyber Resilience Act contains an obligation to prepare an SBOM; here the BSI refers to a legislative process that is currently ongoing. It covers products with digital elements for which vulnerability management becomes mandatory. In the United States, US President Joe Biden’s May 2021 Cybersecurity Order 14028 requires government agencies to maintain a bill of materials. Similar rules have applied to medical devices in the USA since March. Last year, the EU Council also focused on the security of IT supply chains.
(tiw)