What’s inside the commercial and open-source software that you use? How much was written by the vendor and how much of it is third-party code? Can all of that code be trusted?
The Threats Are Real
The recent spate of high-profile cyberattacks amply demonstrates the knock-on effects of aggressive cyber incidents. The SolarWinds hack exposed their customers’ networks to the threat of compromise by the cybercriminals. The Codecov attack exposed their users’ continuous integration/continuous deployment environments to the threat actors.
In both cases, the attack on the organizations cascaded downstream to others in that ecosystem—the customers. Attacks that paralyze critical infrastructure have a much wider impact. It isn’t just customers of the affected organization or service that are impacted—the ripples extend outward into unrelated industries and wider society.
The May 2021 ransomware attack on the Colonial Pipeline Company led to the shutdown of a 5,500-mile pipeline. Amongst other refined fuels, the pipeline delivers 45% of the gasoline supply—2.5 million barrels per day of gasoline—to the East Coast. The gasoline delivery simply stopped. Prices at the pumps skyrocketed and panic buying set in. Thousands of gas stations had to close due to the lack of supply.
The Colonial Pipeline Company attack was financially motivated. It was a ransomware attack, a common form of digital extortion. Colonial Pipeline paid the cybercriminals a ransom of 75 Bitcoins—roughly $4.4 million, depending on exchange rates—to have their systems restored to them.
But if this had been an act of cyberterrorism or cyberwarfare, there would have been no option to purchase the decryption program required to get the stricken systems back online. A nation-state with cyber-offensive capabilities can render another country unable to function internally through a campaign of strategic cyberattacks.
Responding to the Threats
On March 21, 2021, President Biden signed an executive order on improving the nation’s cybersecurity. It lays out a set of standards and requirements that all federal information systems must meet or exceed.
Section 4 of the executive order deals with ways to enhance the security of the software supply chain. This places date-bound duties on government departments to provide guidance, standards, and procedures for many aspects of the development and procurement of software. Software vendors must meet the standards and follow the procedures in order to be eligible software suppliers to the government.
Transparency is cited as a requirement. Software vendors must reveal any third-party components and libraries that were used in the development of their products. That requirement cascades down through the supply chain so that the providers of those libraries and components must in turn list any externally sourced software components that they have used in their products.
Open-source software is mentioned specifically. The executive order talks about “ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
This isn’t surprising. A 2021 report on open-source security found that the average number of open-source components in non-trivial commercial projects is a staggering 528. That’s a 259% increase from five years ago when the average was 84 open-source components per project.
Open-Source as a Consumable
Clearly, open-source projects must respond to the standards and procedures that will be enacted as a result of the executive order. At first thought, the transparency part ought to be easy. Open-source projects hang their source code out for any kind of scrutiny. But of course, open-source projects use other open-source components, which use other open-source components, and so on, nested like Russian dolls.
Also, software applications have dependencies. They rely on other software packages to operate. By choosing to include a single open-source component into your own development project, you might unwittingly be including many other open-source products as dependencies.
So having your source code available for review isn’t enough. You need to provide a list of the software ingredients in your product, just like the list of foodstuff and chemical ingredients on a candy bar wrapper. In the software world, that’s called a software bill of materials, or an SBOM.
The Software Bill of Materials
Security starts with knowledge. You need to know what you have in order to make sure that you’ve secured it. That’s why IT asset registers and data-processing registers are so important. An SBOM—pronounced ess-bomb—is an application-specific document that lists all of the software elements that make up a software product.
That’s valuable knowledge. Having it empowers the users of that software to make security decisions. If you know the component parts present in the software, the risk associated with each of them, and the severity of each risk, you can make considered and informed choices.
You might read the list of ingredients on a candy bar wrapper and find that it contains something you’re allergic to. With an SBOM, you can review the build versions, release numbers of the software ingredients, and decide whether to proceed or not. For example, you might flat-out refuse to use a product that incorporates (say) telnet, or one that uses a version of SSH that has a known vulnerability.
Putting together a detailed SBOM isn’t a five-minute task. But it must be accurate and sufficiently detailed, or it won’t serve its purpose. As a minimum baseline, for each software component in a software project, an SBOM should contain a:
- Supplier Name: The vendor or people who wrote the software.
- Component Name: The name of the component.
- Unique Identifier: A universally unique identifier (UUID).
- Version String: The build and version details of the component.
- Component Hash: A cryptographic hash of the component. This allows a recipient to verify, if they have suspicions, whether a binary they have been provided with has been modified.
- Relationship: The relationship between software components describes the dependencies between components and which components have been compiled and linked into other components.
- Licensing: The type of license that the software component is released under.
- Author Name: The author of the SBOM. This is not necessarily the software supplier.
If there is to be wide adoption of SBOMs, there must be a standard defining the data formats, data content, and accepted processes and norms. This is likely to appear as part of the guidance that the executive order has requested be created.
There are several competing SBOM standards. The three front-runners in this space are Software Package Data Exchange (SPDX), the ISO standard 19770-5:2013 Software Identification (SWID), and CycloneDX. It will be interesting to see whether one of these is adopted by the federal government as their preferred standard.
Automation Can Help
Several classes of tools can help with the production and use of SBOMs. Software packages are available that can scan projects, determine dependencies, and generate SBOMs—or almost complete SBOMs that you can drop some finishing details into.
SBOMs will probably be made available either as downloads or as part of the packaged software, much like a “readme” file. Once you’re in possession of someone else’s SBOM, you need to review it.
That’s going to take time. Each component will need to be checked to make sure that it’s permissible according to the criteria that your organization has set, and that the licensing of each component doesn’t cause any conflicts for you.
Software is available that can perform these checks for you. The most comprehensive packages list the known vulnerabilities for each component and the severity of those vulnerabilities.
Security Starts with Knowledge
The provenance of software packages and all of their component parts is going to become a vital tool for software consumers to appraise and make procurement decisions. It will also be a differentiator for software vendors and producers, whether they create software for other developers or for end-users to use.