CISA says it is developing an ecosystem for SBOMs
ReversingLabs
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world curated by the team at ReversingLabs.
This week: CISA is developing a software bill of materials (SBOM) ecosystem that companies can use to publish their SBOMs. Also: ReversingLabs and Synopsys join forces to provide software supply chain risk management.
This Week’s Top Story
The Cybersecurity and Infrastructure Security Agency is developing what it describes as a software bill of materials ecosystem that companies can publish their SBOMs to. The goal is to give federal agencies greater visibility into the software programming libraries, versions and underlying components that run federal IT systems.
CISA’s plans were revealed by the agency’s Technical Director for Cyber Christopher Butera during a speech at ACT-IAC’s Emerging Technology and Innovation Conference, where Butera said the agency is looking for “vendor feedback” as it charts more prescriptive SBOM guidance in the future.
CISA, the U.S. government’s lead cybersecurity agency, has taken increasing interest in the security of software development organizations and software supply chains. It recently issued (voluntary) guidance on secure software development and deployment. Similarly, the Biden Administration’s Cyber Executive Order (#14028) set in motion a range of initiatives and requirements for software vendors who do business with the federal government. Those include using secure development methods, producing software bills of materials (SBOMs) and using automation to help “maintain trusted source code supply chains.”
The government’s interest in SBOMs is a byproduct of its concerns about the “cascading” effects of “significant” vulnerabilities in widely used open-source software, as with the Log4Shell vulnerability in the Apache Log4j library, which was discovered in November 2021, Butera said. The new SBOM ecosystem is about getting software vendors comfortable working with federal agencies to achieve greater transparency into software supply chains.
“There’s a ton of work to be done in the space,” Butera said. “And it requires the whole community to really join with us to help us move along.”
Other News:
Since 2017, attackers have been able to mimic legitimate packages on Node Package Manager (npm) by registering an all-lowercase twin of a package whose name contains capital letters. According to newly published research from Checkmarx, npm had for years failed to account for this form of typosquatting, which could have led to enterprises inadvertently downloading malware. The registry patched the issue over the weekend, but organizations should check whether they installed any of these lowercase lookalikes before the change was made. (Dark Reading)
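The check that follows is an added example, not code from the Dark Reading article, Checkmarx, or npm. It walks a lockfile and flags any installed package whose name is the all-lowercase form of a mixed-case package you expect to depend on. The lockfile content and the list of mixed-case names are constructed for the example; in practice the reference list would come from your own approved-dependency inventory.

```python
import json

# Constructed sample lockfile (npm lockfileVersion 3 layout, trimmed to the fields we use).
# "mylegacylib" and "fancyparser" are lowercase lookalikes of the mixed-case names below.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/mylegacylib": {"version": "2.0.1"},
        "node_modules/@acme/ui": {"version": "0.4.0"},
        "node_modules/express/node_modules/fancyparser": {"version": "0.1.0"},
    },
})

# Constructed (hypothetical) reference list: mixed-case package names the organization
# legitimately depends on. Real names would come from an approved-dependency inventory.
KNOWN_MIXED_CASE = {"MyLegacyLib", "FancyParser"}


def lockfile_package_names(lock_json: str) -> list[str]:
    """Return every installed package name in a lockfileVersion 2/3 'packages' map.

    Keys look like 'node_modules/foo', 'node_modules/@scope/bar' or nested
    'node_modules/a/node_modules/b'; the package name is whatever follows the
    last 'node_modules/' segment. The root entry (key '') is skipped.
    """
    packages = json.loads(lock_json).get("packages", {})
    names = []
    for key in packages:
        if not key:
            continue
        names.append(key.rsplit("node_modules/", 1)[-1])
    return names


def find_case_lookalikes(installed: list[str], known_mixed_case: set[str]) -> dict[str, str]:
    """Map each installed lowercase name to the mixed-case package it could impersonate.

    A hit means the installed name is not the mixed-case name itself but collapses
    to the same lowercase form, which is exactly the collision the Checkmarx
    research describes.
    """
    by_lower = {name.lower(): name for name in known_mixed_case}
    hits = {}
    for name in installed:
        original = by_lower.get(name.lower())
        if original is not None and name != original:
            hits[name] = original
    return hits


def audit_lockfile(lock_json: str, known_mixed_case: set[str]) -> dict[str, str]:
    """Convenience wrapper: parse the lockfile and report lookalikes."""
    return find_case_lookalikes(lockfile_package_names(lock_json), known_mixed_case)


if __name__ == "__main__":
    for installed, expected in audit_lockfile(SAMPLE_LOCKFILE, KNOWN_MIXED_CASE).items():
        print(f"suspicious: installed '{installed}', expected mixed-case '{expected}'")
```

Run it against your real package-lock.json by replacing SAMPLE_LOCKFILE with the file contents; the only judgement call is maintaining the reference set of mixed-case names, since npm itself no longer accepts new ones.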
One of the lessons of software supply chain attacks like the recent hack of voice over IP (VoIP) provider 3CX is that development organizations need a broader set of tools to root out software supply chain attacks. That’s why ReversingLabs and Synopsys Inc. announced today that they are teaming up to combat software supply chain threats and boost software resilience. Under the terms of a new partnership agreement, Synopsys will resell the ReversingLabs Software Supply Chain Security (SSCS) platform standalone, or paired with Synopsys Black Duck software composition analysis (SCA) technology. The partnership will allow customers to spot vulnerabilities, malware and tampering within commercial, third-party and open-source software modules, providing a comprehensive view of software package risk built up along the software supply chain. (ReversingLabs)
DevSecOps platform maker GitLab has announced an extension of its partnership with Google Cloud to bring new AI-based options to enterprises. The two companies will deploy Google Cloud’s customizable foundation models and open generative AI infrastructure to provide users with AI-assisted features located within the GitLab platform. GitLab believes it can improve developers’ DevSecOps workflow efficiency by 10X, by applying AI-assisted workflows to all users, Google told The New Stack. “This partnership with Google Cloud enables GitLab to offer private and secure AI-powered features while maintaining customer data in our cloud infrastructure,” David DeSanto, Chief Product Officer at GitLab, said in a media advisory. (The New Stack)
A new study from Juniper Research has found that the total cost of software supply chain cyber-attacks to businesses will exceed $67 billion globally by 2026, up from $45 billion in 2023.
The expected increase is driven by organizations lacking software supply chain security processes and by the growing complexity of software supply chains overall, according to the new study, Vulnerable Software Supply Chains Are a Multi-billion Dollar Problem. The study argues that both wider cybersecurity processes and the mindset around managing the software supply chain need to shift to address these risks. (Digit.fyi)
The first-ever Kubernetes Bill of Materials (KBOM) standard was published by the Kubernetes Security Operations Centre (KSOC). This KBOM, which is available in an open-source CLI tool, helps cloud security teams comprehend the extent of third-party tooling in their environment so they can react more quickly to newly discovered vulnerabilities, which have been occurring more frequently lately. (Opensourceforu.com)
Recent research by Datadog said, “Only 3 percent of critical vulnerabilities are worth prioritizing”. This confirmed my belief that most scanner output should be used as a starting point for understanding the security posture of your products and not as a means of creating a laundry list of bugs to fix. Prioritization is not a security-specific problem. This is a problem that has troubled leaders forever. So, instead of inventing a new framework, let’s use an existing, popular framework: the Eisenhower Matrix, also called the urgent-important matrix.
The idea is simple: Draw a 2X2 matrix with increasing importance on one axis and decreasing urgency on the other. Fill in the tasks that you plan to do on each of the quadrants. Respond to urgent, important tasks first. Drop the less important, less urgent tasks. (Boringappsec)
In the fast-paced cybersecurity landscape, product security takes center stage. DevSecOps swoops in, seamlessly merging security practices into DevOps, empowering teams to tackle challenges. Let's dive into DevSecOps and explore how collaboration can give your team the edge to fight cyber villains. (Hacker News)
One thing we constantly have to (re)learn is that, while individual polls and surveys are a poor way to understand what’s going on, consistent patterns that span multiple polls over time often prove accurate and are borne out by events. That’s why I look at a recent spate of surveys that attempt to measure awareness of software supply chain risks as so interesting. While they differ in methodology and focus, these surveys present a clear message. Namely: threats and risks from vulnerable software supply chains are real, and they’re starting to freak people out. (The Security Ledger)
As release frequency in software development increases, continuous integration and deployment (CI/CD) pipelines become a larger target for attackers. This article at accelerationeconomy.com describes the vulnerabilities in modern CI/CD systems, referring to the OWASP Top 10 CI/CD Security Risks, and suggests how a DevSecOps approach can mitigate them. (Acceleration Economy)
In today's DevOps-led world, source code management systems and continuous integration pipelines are the real bait for hackers, which traditional honeypots cannot imitate. To ensure the security and integrity of their software supply chain, organizations need new approaches, such as honeytokens, which are to honeypots what fishing lures are to fishing nets: they require minimal resources but are highly effective in detecting attacks. (Hacker News)
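As an added example (not code from the Hacker News article or any honeytoken product), the following shows the two halves of a honeytoken deployment for a source repository: minting a credential-shaped decoy to plant in a config file, and a detector that raises an alert when that decoy shows up in access logs. The decoy uses the publicly known shape of an AWS access key ID (AKIA followed by 16 uppercase alphanumerics) purely so it looks real to whoever steals it; it is not a valid key. The log line format and all sample lines are constructed for this example.

```python
import re
import secrets
import string
from typing import Iterable

ALPHABET = string.ascii_uppercase + string.digits


def make_honeytoken() -> str:
    """Mint a decoy that has the shape of an AWS access key ID (AKIA + 16 chars).

    Nothing about the value is valid; its only job is to be tempting and unique,
    so that any later use of it is unambiguous evidence of a leak.
    """
    return "AKIA" + "".join(secrets.choice(ALPHABET) for _ in range(16))


def render_decoy_env(token: str) -> str:
    """Text to plant in the repo (e.g. a stray .env or CI variables file).

    The secret-key value is random filler of the right length so the pair looks
    like a real credential to a scanner or a human attacker.
    """
    return (
        "AWS_ACCESS_KEY_ID=" + token + "\n"
        "AWS_SECRET_ACCESS_KEY=" + secrets.token_hex(20) + "\n"
    )


# Constructed (hypothetical) access-log format: "<timestamp> <client-ip> <request...>"
# with the presented key somewhere in the request text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+.*?(?P<key>AKIA[A-Z0-9]{16})")


def scan_logs(lines: Iterable[str], honeytokens: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client_ip, token) for every line that presents a honeytoken.

    Lines presenting other AKIA-shaped keys are ignored: only the decoys we minted
    count as alerts, which keeps the false-positive rate at zero by construction.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and m.group("key") in honeytokens:
            hits.append((m.group("ts"), m.group("ip"), m.group("key")))
    return hits


# Constructed sample: one planted token and three log lines, one of which uses it.
SAMPLE_TOKEN = "AKIACONSTRUCTED0TOKN"
SAMPLE_LOGS = [
    "2023-05-08T12:00:01Z 198.51.100.4 GET /api/status key=AKIAREALLOOKINGKEY01",
    "2023-05-08T12:00:07Z 203.0.113.7 POST /api/deploy key=AKIACONSTRUCTED0TOKN",
    "2023-05-08T12:00:09Z 192.0.2.10 GET /healthz",
]


if __name__ == "__main__":
    fresh = make_honeytoken()
    print("plant this in the repo:\n" + render_decoy_env(fresh))
    for ts, ip, key in scan_logs(SAMPLE_LOGS, {SAMPLE_TOKEN}):
        print(f"ALERT {ts}: honeytoken {key} presented from {ip}")
```

The design point is that the detector never has to reason about what is suspicious: the decoy has no legitimate use, so a single sighting is a confirmed compromise of wherever it was planted, and the log line tells you when and from where.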
Resource Round Up
ReversingGlass Video: What the heck are SBOMs?
In this episode, Matt uses the analogy of America’s beloved boxed mac n’ cheese to define what a software bill of materials (SBOM) is and should be. He then points out that when making SBOMs, organizations should look to approved and standardized SBOM formats for them to be as clear and transparent as possible. (ReversingLabs)
ConversingLabs Podcast: SBOM skepticism and the importance of software supply chain transparency
In this special Café edition of ConversingLabs, host Paul Roberts interviews Joshua Corman, the Vice President of Cyber Safety Strategy at Claroty and the Founder of I Am The Cavalry on the sidelines of the RSA Conference 2023 in San Francisco. Josh speaks with Paul about his RSAC track session, The Opposite of Transparency, which takes on skepticism of software bill of materials (SBOMs) and makes an argument for greater transparency around software supply chain risk. (ReversingLabs)
App Sec Demo Series: Deconstructing and analyzing the 3CX Software Package
In this first episode, the 3CX software package and the recent supply chain attack against it are analyzed using the ReversingLabs Software Supply Chain Security Platform. Tim deconstructs the 3CX software package, highlights critical red flags, and shows how you can apply these processes to your own secure build process. (ReversingLabs)