Author: Tania Ward, Dell Technologies, Director Product & Application Security

Software is everywhere
The digital landscape we live in is constantly evolving. Edge computing, 5G, and the growth of IoT devices, which are projected to reach around 41 billion in the next six years[1], illustrate that software embedded in technology is everywhere. This technology drives human progress, from researchers running epidemiological models that help scientists understand and mitigate virus threats to cloud service providers building digital platforms that bring economic and social progress to citizens and businesses. The supply chain has become complex as companies leverage more external dependencies, such as third-party APIs, open-source code, and commercial off-the-shelf products and components, to solve real business problems and get to market quickly.

Can you trust your supply chain?
This supply chain gives an adversary an ideal opportunity: compromising a component upstream, whether to gain access or to exploit a vulnerability in it, spreads to every product that uses that component, potentially affecting all downstream customers and partners that leverage those products. These threats can have a significant social and economic impact, halting human progress if essential services like water and oil are no longer available.

US Executive Order 14028 on Cybersecurity was issued on May 12, 2021. One of its key points focuses on improving software supply chain security, with a software bill of materials (SBOM) as a fundamental building block for understanding supply chain vulnerabilities and vendor security risk. An SBOM lists all the external components embedded in a given technology and acts like an ingredient list, detailing, for example, supplier names, component names, component versions, and unique identifiers. When used with other sources, such as the National Vulnerability Database (NVD) or the Vulnerability Exploitability Exchange (VEX), SBOMs become an incredible tool for identifying all the known vulnerabilities in a technology deployed in your environment, along with potential remediation options. Had SBOMs been available in December 2021, they would have enabled rapid detection of the Log4Shell vulnerability by checking your component names for Apache Log4j2 2.0-beta9 through 2.15.0, better protecting both customers and our environments.
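As an added illustration of the Log4Shell check described above (example code written for this article, not a Dell tool or a Dell SBOM), the script below matches a constructed CycloneDX-style SBOM against the version range the article quotes. The CycloneDX field names and the simplified version-ordering rules are assumptions of the example.

```python
import json
import re

# Constructed minimal CycloneDX-style SBOM for this example (not a real Dell SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta8"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"}
  ]
}"""

# Affected range exactly as the article states it: Log4j 2 from 2.0-beta9 through 2.15.0, inclusive.
AFFECTED = ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0")


def version_key(version):
    """Map '2.0-beta9' to a sortable tuple (simplified Maven ordering, an assumption of
    this example): numeric parts compare numerically, '2.0' pads to '2.0.0', and a
    pre-release such as beta9 sorts below the final release of the same number."""
    release, _, pre = version.partition("-")
    nums = tuple(int(x) for x in release.split("."))
    nums += (0,) * (3 - len(nums))
    if not pre:
        return nums + (1, "", 0)        # final release outranks any pre-release
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
    tag, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (pre.lower(), 0)
    return nums + (0, tag, num)         # beta10 > beta9 because num is compared as an int


def in_range(version, low, high):
    """Inclusive check: low <= version <= high."""
    return version_key(low) <= version_key(version) <= version_key(high)


def find_affected(sbom_text, group, name, low, high):
    """Return the versions of group:name in the SBOM that fall inside [low, high]."""
    sbom = json.loads(sbom_text)
    return [c["version"] for c in sbom.get("components", [])
            if c.get("group") == group and c.get("name") == name
            and in_range(c.get("version", ""), low, high)]


if __name__ == "__main__":
    print("affected log4j-core versions:", find_affected(SBOM_JSON, *AFFECTED))
```

In a real workflow the affected range comes from NVD or VEX data rather than a hard-coded tuple, and the match is typically keyed on the package URL (purl) rather than on group and name alone.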

SBOM is a journey, not a destination
SBOM is not a silver bullet, nor can it be looked at in isolation from the broader activities required to build secure software and to preserve the integrity of your software component supply chain. It does provide visibility and aids in vulnerability detection and management. The points below offer some additional considerations for this journey:

  1. Sourcing from Suppliers – Ensure that your suppliers develop code securely to reduce risk and that they align to at least Level 1 of the FIRST PSIRT (Product Security Incident Response Team) Maturity Model framework.
  2. Supplier contracts – Through security clauses in contracts, you can ensure your suppliers are aligned with your standard of security practice, and this could include distributing an SBOM with their releases.
  3. Inventory requirements – The inventory should include transitive dependencies and should avoid the use of end-of-life components. Various tools on the market can generate an inventory for you.
  4. Hardening your product – Assess all your components to confirm that each one is actually used by your product. This exercise may help you reduce your attack surface and the overhead associated with managing vulnerabilities.
  5. SBOM Type – There are different types of SBOMs, and getting internal alignment on which one your company will generate is essential.

Upholding Trust
Customers put their reputation in your company’s brand. It is for this reason that Dell Technologies, as part of our Environmental, Social, and Governance (ESG) goals to embed our ethical culture and values in the way we conduct business, has stated that by 2025 all actively sold Dell-designed and branded products and offerings will publish a software bill of materials (SBOM), providing transparency on third-party and open-source components. As the world continues to create software to solve complex business problems, providing transparency into what is included in your software is a step toward being a trusted technology partner.

[1] https://infohub.delltechnologies.com/l/edge-to-core-and-the-internet-of-things-2/internet-of-things-and-data-placement/