Managing Open Source and SBOMs
#NSA just released guidance on how to secure your software supply chain in the document "Securing the Software Supply Chain: Recommended Practices for Managing OSS and SBOMs".
I took some time to read through it and there are probably no big surprises in this document if you have followed recent developments in this space:
NSA builds on top of and adds to previous publications such as the White House Cybersecurity Executive Order (EO 14028) and Office of Management and Budget memos M-22-18 and M-23-16, which required suppliers to federal agencies to attest alignment with publications such as NIST's Secure Software Development Framework (SSDF) and, in some cases, to provide SBOMs.
To facilitate implementation and referencing, the NSA document maps its sections to the SSDF; for example, section 5 "SBOM Creation, Validation and Artifacts" maps to three of the four SSDF practice groups: Protect the Software (PS), Produce Well-Secured Software (PW) and Respond to Vulnerabilities (RV):
NSA points to the two competing SBOM standards that have emerged, #CycloneDX and #SPDX, while also mentioning the SWID standard as a facilitator for moving between the two. That makes sense, since SWID is less capable than the other two standards, but it is still a bit less emphasis than in EO 14028, which places SWID alongside CycloneDX and SPDX.
And NSA would probably not be the NSA if they didn't include a section noting that if you use OSS that includes advanced technologies such as cryptography, you should pay attention to export controls and plan for shipping only a subset of such OSS in your final product.
Below I walk through the sections of the PDF and point out where Bytesafe and SBOM Observer support implementing NSA's recommended practices:
Internal Secure Open-Source Repository (Section 3):
Bytesafe offers a platform for creating and maintaining a secure internal repository for OSS, enhancing control over open-source components.
With its native IAM support it can accommodate an Open-Source Review Board (OSRB) as well as other organizational groups (SecOps, developers and more), each with different access rights and capabilities.
In section 3.1 "Open-Source Software Adoption Process" NSA mentions using VEX documents. This is a core feature of SBOM Observer, used to answer whether a specific vulnerability is relevant to a product and, if so, what is being done about it.
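To make the VEX question concrete, here is an added example (my own illustration, not code from SBOM Observer or from the NSA document) that triages scanner findings against a CycloneDX VEX document. The VEX document, the findings and the analysis statements are constructed for the example; the CVE identifiers are real, well-known vulnerabilities, but the "not_affected"/"exploitable" claims about them here are made up. The function names `triage` and `open_findings` are my own. One policy choice is baked in: a "not_affected" claim without a justification is not accepted, so the finding stays open.

```python
import json

# Constructed VEX document in CycloneDX 1.5 JSON form (example data, not a vendor's real VEX).
VEX_DOC = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {
      "id": "CVE-2021-44228",
      "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
      "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                   "detail": "JndiLookup class is stripped from the shipped jar at build time."}
    },
    {
      "id": "CVE-2022-42889",
      "affects": [{"ref": "pkg:maven/org.apache.commons/commons-text@1.9"}],
      "analysis": {"state": "exploitable", "response": ["update"],
                   "detail": "Fix scheduled for the next release."}
    },
    {
      "id": "CVE-2020-8203",
      "affects": [{"ref": "pkg:npm/lodash@4.17.15"}],
      "analysis": {"state": "not_affected"}
    }
  ]
}
''')

# Constructed scanner output: (vulnerability id, package URL) pairs found in a build.
FINDINGS = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"id": "CVE-2022-42889", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
    {"id": "CVE-2020-8203",  "purl": "pkg:npm/lodash@4.17.15"},
    {"id": "CVE-2022-42889", "purl": "pkg:maven/org.apache.commons/commons-text@1.8"},
]

# Analysis states defined by the CycloneDX vulnerability schema.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}
# States that do not close a finding.
OPEN_STATES = {"exploitable", "in_triage"}


def index_vex(vex: dict) -> dict:
    """Map (vulnerability id, affected purl) -> analysis block of the VEX statement."""
    idx = {}
    for vuln in vex.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            idx[(vuln["id"], affected["ref"])] = vuln.get("analysis", {})
    return idx


def triage(findings: list, vex: dict) -> list:
    """Attach the VEX verdict to each finding and decide whether it is still actionable."""
    idx = index_vex(vex)
    result = []
    for f in findings:
        analysis = idx.get((f["id"], f["purl"]))
        if analysis is None:
            # No statement at all: nobody has looked at it, so it stays open.
            result.append({**f, "state": "no_statement", "actionable": True,
                           "reason": "no VEX statement for this component"})
            continue
        state = analysis.get("state")
        if state not in VALID_STATES:
            result.append({**f, "state": "no_statement", "actionable": True,
                           "reason": f"unknown VEX state {state!r}"})
            continue
        if state == "not_affected" and not analysis.get("justification"):
            # Policy: a bare not_affected claim is not accepted without a justification.
            result.append({**f, "state": state, "actionable": True,
                           "reason": "not_affected claim lacks justification; not accepted"})
            continue
        reason = (analysis.get("justification")
                  or ",".join(analysis.get("response", []))
                  or analysis.get("detail", ""))
        result.append({**f, "state": state, "actionable": state in OPEN_STATES, "reason": reason})
    return result


def open_findings(triaged: list) -> list:
    """The findings a team still has to act on after applying the VEX document."""
    return [t for t in triaged if t["actionable"]]


if __name__ == "__main__":
    for t in open_findings(triage(FINDINGS, VEX_DOC)):
        print(f'{t["id"]:16} {t["purl"]:60} {t["state"]:14} {t["reason"]}')
```

Of the four constructed findings only the Log4Shell one is closed, because it is the only one with an accepted "not_affected" statement; the exploitable one, the unjustified "not_affected" and the component with no statement at all remain on the work list.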
Furthermore, both section 3.1 and section 3.2 "Vulnerability and Risk Assessment" talk about using the Open Source Security Foundation (OpenSSF) Scorecard to assess and evaluate the risk of a specific OSS project, a feature that is built into SBOM Observer:
OSS Maintenance, Support, and Crisis Management (Section 4):
SBOM Observer supports crisis management by offering insights into the security status of OSS components and by mapping teams to projects, suppliers and OSS components (Section 4.2.2.1: "Inventory Role in Crisis Response").
SBOM Observer also helps in documenting and maintaining an accurate record of the open-source components used across different projects, and in keeping the vulnerability status of those dependencies up to date throughout the lifecycle using VEX documents.
Both Bytesafe and SBOM Observer continuously scan for new vulnerabilities.
SBOM Creation, Validation, and Artifacts (Section 5):
Even though Bytesafe can ingest #CycloneDX SBOM documents to continuously monitor for vulnerabilities, SBOM Observer is the more capable tool here. It offers validation tools for SBOMs (#CycloneDX and #SPDX), ensuring their accuracy and completeness, and provides out-of-the-box policies that can be used to verify that SBOMs received or delivered conform to the NTIA Minimum Elements for SBOMs.
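As an added example of what such a conformance policy checks (my own illustration, not SBOM Observer's policy engine or code from the NSA document), the following script tests a CycloneDX JSON SBOM against the seven NTIA minimum data fields: supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, and timestamp. The two SBOM documents are constructed for the example, the component and tool names in them are made up, and the function name `check_ntia_min_elements` is my own. Two mappings are assumptions on my part: "author of SBOM data" is satisfied by either `metadata.authors` or `metadata.tools`, and "dependency relationship" requires that each component has its own entry in the `dependencies` array (an empty `dependsOn` is fine; a missing entry is not).

```python
import json

# Constructed SBOM that satisfies all seven NTIA minimum elements (names are made up).
GOOD_SBOM = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-01-15T10:00:00Z",
    "tools": [{"vendor": "Example Tooling", "name": "example-sbom-generator", "version": "1.0.0"}],
    "component": {"type": "application", "bom-ref": "pkg:npm/acme-app@1.0.0",
                  "name": "acme-app", "version": "1.0.0", "purl": "pkg:npm/acme-app@1.0.0",
                  "supplier": {"name": "Acme Corp"}}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "supplier": {"name": "John-David Dalton"}}
  ],
  "dependencies": [
    {"ref": "pkg:npm/acme-app@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
    {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []}
  ]
}
''')

# Constructed SBOM with several of the minimum elements missing.
BAD_SBOM = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "tools": [{"name": "example-sbom-generator", "version": "1.0.0"}]
  },
  "components": [
    {"type": "library", "bom-ref": "example-lib", "name": "example-lib"}
  ],
  "dependencies": []
}
''')


def check_ntia_min_elements(bom: dict) -> list:
    """Return a list of human-readable problems; an empty list means the SBOM conforms."""
    problems = []
    md = bom.get("metadata") or {}

    # Document-level elements: timestamp and author of SBOM data.
    if not md.get("timestamp"):
        problems.append("metadata.timestamp missing")
    if not (md.get("authors") or md.get("tools")):
        problems.append("author of SBOM data missing (metadata.authors or metadata.tools)")

    # Component-level elements. Every component must appear as a 'ref' in the dependency graph.
    declared_refs = {d.get("ref") for d in bom.get("dependencies", [])}
    components = bom.get("components") or []
    if not components:
        problems.append("no components listed")
    for i, comp in enumerate(components):
        label = comp.get("bom-ref") or comp.get("name") or f"components[{i}]"
        if not comp.get("name"):
            problems.append(f"{label}: component name missing")
        if not comp.get("version"):
            problems.append(f"{label}: version missing")
        # CycloneDX carries the supplier as supplier.name; older SBOMs sometimes use publisher.
        supplier = (comp.get("supplier") or {}).get("name") or comp.get("publisher")
        if not supplier:
            problems.append(f"{label}: supplier name missing")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            problems.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref") not in declared_refs:
            problems.append(f"{label}: no dependency relationship entry")
    return problems


if __name__ == "__main__":
    for name, bom in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        issues = check_ntia_min_elements(bom)
        print(f"{name}: {'conforms' if not issues else 'FAILS'}")
        for issue in issues:
            print("  -", issue)
```

Running it on a real SBOM is a matter of replacing the constructed documents with `json.load(open(path))`; the same check structure carries over to SPDX, where the fields are `creationInfo.created`, `creationInfo.creators`, per-package `supplier`, `versionInfo`, `externalRefs` and the `relationships` array.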
NSA also provides a few useful links to tools that work with SBOMs; both our products, Bytesafe and SBOM Observer, are on that list.
Both Bytesafe and SBOM Observer can contribute significantly to securing the software supply chain: Bytesafe with its secure internal repository features, what we like to call a Dependency Firewall, and SBOM Observer with its support for the leading SBOM standards and other attestation formats. Both products work with policies that support an organization's needs for transparency, regulatory compliance, vulnerability management and license management.
Founder of SBOM Observer & Bytesafe.dev
Link to the NSA post: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3613105/nsa-and-esf-partners-release-recommended-practices-for-managing-open-source-sof/