{"id":263788,"date":"2021-06-01T15:00:18","date_gmt":"2021-06-01T12:00:18","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-are-sboms-and-what-do-they-mean-to-open-source-software-cloudsavvy-it\/"},"modified":"2021-06-01T15:00:18","modified_gmt":"2021-06-01T12:00:18","slug":"what-are-sboms-and-what-do-they-mean-to-open-source-software-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-are-sboms-and-what-do-they-mean-to-open-source-software-cloudsavvy-it\/","title":{"rendered":"#What Are SBOMs and What Do They Mean to Open-Source Software? \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#What Are SBOMs and What Do They Mean to Open-Source Software? 
\u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-11677\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/8559d0c7.jpg\" alt=\"ingredients label\" width=\"4240\" height=\"2830\" \/><\/p>\n<p>What\u2019s inside the commercial and open-source software that you use? How much was written by the vendor and how much of it is third-party code? Can all of that code be trusted?<\/p>\n<h2 id=\"the-threats-are-real\"><span class=\"ez-toc-section\" id=\"The_Threats_Are_Real\"><\/span>The Threats Are Real<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The recent spate of high-profile cyberattacks amply demonstrates the knock-on effects of aggressive cyber incidents. The SolarWinds hack exposed their customers\u2019 networks to the threat of compromise by cybercriminals. The Codecov attack exposed their users\u2019 continuous integration\/continuous deployment environments to the threat actors.<\/p>\n<p>In both cases, the attack on the organizations cascaded downstream to others in that ecosystem\u2014the customers. Attacks that paralyze critical infrastructure have a much wider impact. It isn\u2019t just customers of the affected organization or service that are impacted\u2014the ripples extend outward into unrelated industries and wider society.<\/p>\n<p>The May 2021 ransomware attack on the Colonial Pipeline Company led to the shutdown of a 5,500-mile pipeline. Amongst other refined fuels, the pipeline delivers 45% of the gasoline supply\u20142.5 million barrels per day of gasoline\u2014to the East Coast. 
The gasoline delivery simply stopped. Prices at the pumps skyrocketed and panic buying set in. Thousands of gas stations had to close due to the lack of supply.<\/p>\n<p>The Colonial Pipeline Company attack was financially motivated. It was a ransomware attack, a common form of digital extortion. Colonial Pipeline paid the cybercriminals a ransom of 75 Bitcoins\u2014roughly $4.4 million, depending on exchange rates\u2014to have their systems restored to them.<\/p>\n<p>But if this had been an act of cyberterrorism or cyberwarfare, there would have been no option to purchase the decryption program required to get the stricken systems back online. A nation-state with cyber-offensive capabilities can render another country unable to function internally through a campaign of strategic cyberattacks.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Need to Pay the Ransom? Negotiate First<\/em><\/strong><\/p>\n<h2 id=\"responding-to-the-threats\"><span class=\"ez-toc-section\" id=\"Responding_to_the_Threats\"><\/span>Responding to the Threats<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>On March 21, 2021, President Biden signed an executive order on\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\">improving the nation\u2019s cybersecurity<\/a>. It lays out a set of standards and requirements that all federal information systems must meet or exceed.<\/p>\n<p>Section 4 of the executive order deals with ways to enhance the security of the software supply chain. This places date-bound duties on government departments to provide guidance, standards, and procedures for many aspects of the development and procurement of software. Software vendors must meet the standards and follow the procedures in order to be eligible software suppliers to the government.<\/p>\n<p>Transparency is cited as a requirement. 
Software vendors must reveal any third-party components and libraries that were used in the development of their products. That requirement cascades down through the supply chain so that the providers of those libraries and components must in turn list any externally sourced software components that they have used in their products.<\/p>\n<p>Open-source software is mentioned specifically. The executive order talks about \u201censuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.\u201d<\/p>\n<p>This isn\u2019t surprising. A 2021 report on open-source security found that the average number of open-source components in non-trivial commercial projects is a staggering 528. That\u2019s a 259% increase from five years ago when the average was 84 open-source components per project.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>How to Safely Use Open Source Code in Your Project<\/em><\/strong><\/p>\n<h2 id=\"open-source-as-a-consumable\"><span class=\"ez-toc-section\" id=\"Open-Source_as_a_Consumable\"><\/span>Open-Source as a Consumable<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Clearly, open-source projects must respond to the standards and procedures that will be enacted as a result of the executive order. At first thought, the transparency part ought to be easy. Open-source projects hang their source code out for any kind of scrutiny. But of course, open-source projects use other open-source components, which use other open-source components, and so on, nested like Russian dolls.<\/p>\n<p>Also, software applications have dependencies. They rely on other software packages to operate. 
By choosing to include a single open-source component in your own development project, you might unwittingly be including many other open-source products as dependencies.<\/p>\n<p>So having your source code available for review isn\u2019t enough. You need to provide a list of the software ingredients in your product, just like the list of foodstuff and chemical ingredients on a candy bar wrapper. In the software world, that\u2019s called a software bill of materials, or an SBOM.<\/p>\n<h2 id=\"the-software-bill-of-materials\"><span class=\"ez-toc-section\" id=\"The_Software_Bill_of_Materials\"><\/span>The Software Bill of Materials<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security starts with knowledge. You need to know what you have in order to make sure that you\u2019ve secured it. That\u2019s why IT asset registers and data-processing registers are so important. An SBOM\u2014pronounced ess-bomb\u2014is an application-specific document that lists all of the software elements that make up a software product.<\/p>\n<p>That\u2019s valuable knowledge. Having it empowers the users of that software to make security decisions. If you know the component parts present in the software, the risk associated with each of them, and the severity of each risk, you can make considered and informed choices.<\/p>\n<p>You might read the list of ingredients on a candy bar wrapper and find that it contains something you\u2019re allergic to. With an SBOM, you can review the build versions and release numbers of the software ingredients and decide whether or not to proceed. For example, you might flat-out refuse to use a product that incorporates (say) telnet, or one that uses a version of SSH that has a known vulnerability.<\/p>\n<p>Putting together a detailed SBOM isn\u2019t a five-minute task. But it must be accurate and sufficiently detailed, or it won\u2019t serve its purpose. 
As a minimum baseline, for each software component in a software project, an SBOM should record the following:<\/p>\n<ul>\n<li><strong>Supplier Name<\/strong>: The vendor or people who wrote the software.<\/li>\n<li><strong>Component Name<\/strong>: The name of the component.<\/li>\n<li><strong>Unique Identifier<\/strong>: A universally unique identifier (UUID).<\/li>\n<li><strong>Version String<\/strong>: The build and version details of the component.<\/li>\n<li><strong>Component Hash<\/strong>: A cryptographic hash of the component. This lets a recipient check, if they have suspicions, whether a binary they have been provided with has been modified.<\/li>\n<li><strong>Relationship<\/strong>: The dependencies between components, including which components have been compiled and linked into other components.<\/li>\n<li><strong>Licensing<\/strong>: The type of license that the software component is released under.<\/li>\n<li><strong>Author Name<\/strong>: The author of the SBOM. This is not necessarily the software supplier.<\/li>\n<\/ul>\n<p>If there is to be wide adoption of SBOMs, there must be a standard defining the data formats, data content, and accepted processes and norms. This is likely to appear as part of the guidance that the executive order has requested be created.<\/p>\n<p>There are several competing SBOM standards. The three front-runners in this space are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/spdx.dev\/\">Software Package Data Exchange<\/a> (SPDX), the ISO standard <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:19770:-5:ed-1:v1:en\">19770-5:2013 Software Identification<\/a> (SWID), and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cyclonedx.org\/\">CycloneDX<\/a>. 
It will be interesting to see whether one of these is adopted by the federal government as their preferred standard.<\/p>\n<h2 id=\"automation\"><span class=\"ez-toc-section\" id=\"Automation_Can_Help\"><\/span>Automation Can Help<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Several classes of tools can help with the production and use of SBOMs. Software packages are available that can scan projects, determine dependencies, and generate SBOMs\u2014or almost complete SBOMs that you can drop some finishing details into.<\/p>\n<p>SBOMs will probably be made available either as downloads or as part of the packaged software, much like a \u201creadme\u201d file. Once you\u2019re in possession of someone else\u2019s SBOM, you need to review it.<\/p>\n<p>That\u2019s going to take time. Each component will need to be checked to make sure that it\u2019s permissible according to the criteria that your organization has set, and that the licensing of each component doesn\u2019t cause any conflicts for you.<\/p>\n<p>Software is available that can perform these checks for you. The most comprehensive packages list the known vulnerabilities for each component and the severity of those vulnerabilities.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Security_Starts_with_Knowledge\"><\/span>Security Starts with Knowledge<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The provenance of software packages and all of their component parts is going to become a vital tool for software consumers to appraise and make procurement decisions. It will also be a differentiator for software vendors and producers, whether they create software for other developers or for end-users to use.<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/11618\/what-are-sboms-and-what-do-they-mean-to-open-source-software\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What Are SBOMs and What Do They Mean to Open-Source Software? \u2013 CloudSavvy IT&#8221; What\u2019s inside the commercial and open-source software that you use? How much was written by the vendor and how much of it is third-party code? Can all of that code be trusted? 
The Threats Are Real The recent spate of high-profile&#8230;<\/p>\n","protected":false},"author":1,"featured_media":263789,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/05\/8559d0c7.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-263788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/263788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=263788"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/263788\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/263789"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=263788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=263788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=263788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}