Word Notes 11.2.21
Ep 74 | 11.2.21

software bill of materials (SBOM) (noun)


Rick Howard: The word is: SBOM. 

Rick Howard: Spelled: S for software, B for bill, and O M for of materials.  

Rick Howard: Definition: A formal record containing the details and supply chain relationships of various components used in building software.  

Rick Howard: Example sentence: SBOMs are lists of nested software components designed to enable supply chain transparency.  

Rick Howard: Origin and context: According to the NIST Cybersecurity Framework, "If an organization does not know what its software contains, it should assume that the software is compromised and develop an appropriate risk management plan in."

Rick Howard: Today, very little software is completely original. According to Forrester's Sandy Carielli, on average, 75% of a software product is open source code, meaning developers are using existing, commercially available software components to create new products. This presents a cyber risk management problem because customers typically receive software products without understanding the nested software contained within them.

Rick Howard: On September 9th, 2021, the Software Package Data Exchange specification, SPDX for short, became the international open standard for security, license compliance, and other software supply chain artifacts. In other words, it became the official SBOM standards body. Despite only being internationally recognized for a short while, companies like Intel, Microsoft, Sony, and VMware are already using the SPDX standards to communicate SBOM information.

Rick Howard: SPDX wasn't an overnight invention though. It was the result of 10 years of collaboration from vendors across the Software Composition Analysis space, or SCA space. These are vendor tools that assess open source software, code libraries, and containers to provide a unified view of risks and remediations and offer strategies to keep this kind of software up to date. Still, tools from this market have not been an essential component to most development teams, except for highly specific software niche requirements.

Rick Howard: That may be beginning to change though. President Joe Biden's May 2021 Executive Order on Cybersecurity, E.O. 14028, mandates that all federal civilian executive branch agencies and key players like CISA, OMB, DHS, and the DOD meet or exceed specific cybersecurity requirements, among a long list that includes zero trust improvements to the Federal Acquisition Regulation, or FAR, improved information sharing between agencies, and secure cloud deployment. There is a specific requirement to deploy a minimum SBOM program by the spring of 2022. With the U.S. government mandating SBOM requirements, vendors that sell to the U.S. government will have to comply.

Rick Howard: It's tough to predict these things, but once government contractors routinely provide SBOM information, that capability becomes a discriminator against other software vendors. In the commercial space, why would you pick a vendor who doesn't provide SBOM telemetry when other vendors are available who do? If this works out, the Presidential Directive could fast track SBOMs to an existing standard of protection against supply chain vulnerabilities.  

Rick Howard: Nerd reference: On 16 May, 2021, President Biden spoke to the press about the Colonial Pipeline ransomware attack and the need to make infrastructure more resilient. He announced his executive order on improving the nation's cybersecurity and described the goals behind it.

President Biden: And last night, I signed an executive order to improve the nation's cybersecurity. It calls for federal agencies to work more closely with the private sector, to share information, strengthen cybersecurity practices and deploy technologies that increase resilience against cyber attacks and outlines innovative ways the government will drive to deliver security and software using federal buying power to jumpstart the market and improve the products that all Americans use.

Rick Howard: Word notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.