SBOM - One of the Critical Element in SSDLC

SBOM stands for Software Bill of Materials: it is the ingredient list of the components used in a piece of software, much as a food item carries a list of the ingredients it contains.

Three perspectives across the supply chain

1. Produce Software (Supplier/ Upstream)

2. Choose Software (Consumer/ downstream)

3. Operate Software (Use/ In organization)

Having an efficient SBOM in place lets an organization answer the question "Am I potentially affected by $vulnerability$?"

How to detect and remediate software supply chain attacks?

1. Supply chain attack: Attackers insert malicious code into a DLL component of legitimate software. The compromised DLL is distributed to the organizations that use the related software.

2. Execution, persistence: When the software starts, the compromised DLL loads and the inserted malicious code calls the function that contains the backdoor capabilities.

3. Defense evasion: The backdoor performs a lengthy check to make sure it is running inside an actual compromised network.

4. Recon: The backdoor gathers system information.

5. Initial C2: The backdoor connects to a command-and-control server. The domain it connects to is partly based on the information gathered from the system, making each subdomain unique. The backdoor may receive an additional C2 address to connect to.

6. Exfiltration: The backdoor sends the gathered information to the attacker.

7. Hands-on-keyboard attack: The backdoor runs the commands it receives from the attackers. The wide range of backdoor capabilities allows the attacker to perform additional activities, such as credential theft, privilege escalation and lateral movement.
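Step 1 of the chain above is a tampered component reaching the consumer. One defender-side check an SBOM makes possible is to compare the hash of each installed component against the hash the supplier recorded in the SBOM. The following is an added example, not code from the original article: the artifact bytes, component names and versions are constructed sample values, and the SBOM is a minimal CycloneDX 1.4 JSON document built in code.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for the DLLs a supplier shipped.
# These are a few bytes of made-up content, not real binaries.
SHIPPED_ARTIFACTS = {
    "example.dll": b"MZ\x90\x00 example library, build 1.0.0",
    "helper.dll": b"MZ\x90\x00 helper library, build 2.3.1",
}

# Versions the supplier records for each component (constructed values).
SHIPPED_VERSIONS = {"example.dll": "1.0.0", "helper.dll": "2.3.1"}


def build_sbom(artifacts: dict, versions: dict) -> str:
    """Supplier-side step: serialise a minimal CycloneDX 1.4 JSON document in
    which every component carries the SHA-256 of the artifact as shipped."""
    components = []
    for name, data in artifacts.items():
        components.append({
            "type": "library",
            "name": name,
            "version": versions[name],
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    doc = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}
    return json.dumps(doc, indent=2)


def verify_installed(sbom_json: str, installed: dict) -> dict:
    """Consumer-side step: compare what is actually installed against the
    hashes recorded in the SBOM.  Returns one status per SBOM component:
    'ok', 'tampered' (hash mismatch), 'missing' (not installed), or
    'unhashed' (the SBOM gives no SHA-256, so nothing can be verified)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    results = {}
    for comp in doc.get("components", []):
        name = comp["name"]
        expected = [h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"]
        if not expected:
            results[name] = "unhashed"
        elif name not in installed:
            results[name] = "missing"
        elif sha256_hex(installed[name]) in expected:
            results[name] = "ok"
        else:
            results[name] = "tampered"
    return results


# Constructed picture of the consumer's system: helper.dll is the shipped
# file, example.dll has had extra bytes appended after the SBOM was produced.
INSTALLED_ARTIFACTS = {
    "example.dll": SHIPPED_ARTIFACTS["example.dll"] + b" <injected>",
    "helper.dll": SHIPPED_ARTIFACTS["helper.dll"],
}


def run_check() -> dict:
    """Build the supplier SBOM, then verify the consumer's install against it."""
    sbom = build_sbom(SHIPPED_ARTIFACTS, SHIPPED_VERSIONS)
    return verify_installed(sbom, INSTALLED_ARTIFACTS)


if __name__ == "__main__":
    for component, status in run_check().items():
        print(f"{component}: {status}")
```

The check only proves that the file on disk is the one the supplier's build produced. If the supplier's build pipeline itself was compromised, the SBOM hash will match the malicious artifact, which is why the SBOM has to be paired with the supplier's own build integrity controls rather than relied on alone. Components without a recorded hash are reported separately, since a silent "ok" there would hide the fact that nothing was verified.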

When should an SBOM be used?

Source: NTIA's Survey of Existing SBOM Formats and Standards

Why should organizations care about SBOM?

  1. Detection and remediation of vulnerabilities is costing $$$$ and is motivating interest in improving cybersecurity supply chain management
  2. Factors that have contributed to the problem
     2.1. Reuse: fast time to market by reusing existing components
     2.2. Containers: the components being executed on the system are not obvious
     2.3. Software transparency is assumed as a "pre-requisite" for analysis
  3. Regulatory authorities' growing awareness of cyber security supply chain risk

What should a minimum viable SBOM contain?

Current SBOM formats

  1. SPDX file format (.xls, .spdx, .rdf, .json, .yml, .xml)
  2. SWID file format (.xml)
  3. CycloneDX file format (.json, .xml)

Source: SBOM Formats

How to represent the minimum viable SBOM information in these formats

Source: NTIA's Framing Software Component Transparency: Establishing a Common SBOM
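To make the "Am I potentially affected by $vulnerability$?" question concrete across two of the formats listed above, the following added example (not code from the original article or from the SPDX or CycloneDX projects) reads a constructed SPDX 2.2 JSON document and a constructed CycloneDX 1.4 JSON document, normalizes both into the same component-plus-dependency view, and checks them against a constructed advisory. The component names, versions and the advisory (its CVE id is a placeholder) are sample values; the version comparison is a deliberately simple one and only handles plain dotted numeric versions.

```python
import json
from typing import NamedTuple


class Component(NamedTuple):
    ref: str      # document-local identifier: SPDXID or CycloneDX bom-ref
    name: str
    version: str


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) for comparison.  Caveat: only plain dotted
    numeric versions are handled; real ecosystems need an ecosystem-aware
    version comparison."""
    return tuple(int(part) for part in version.split("."))


def from_spdx(doc: dict):
    """Extract components and DEPENDS_ON edges from an SPDX 2.x JSON document."""
    comps = [Component(p["SPDXID"], p["name"], p.get("versionInfo", ""))
             for p in doc.get("packages", [])]
    deps = {}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            deps.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return comps, deps


def from_cyclonedx(doc: dict):
    """Extract components and dependency edges from a CycloneDX 1.x JSON document."""
    comps = [Component(c.get("bom-ref", c["name"]), c["name"], c.get("version", ""))
             for c in doc.get("components", [])]
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return comps, deps


def load_sbom(text: str):
    """Detect the format from the document's own top-level keys."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return from_cyclonedx(doc)
    if "spdxVersion" in doc:
        return from_spdx(doc)
    raise ValueError("unrecognised SBOM format")


def affected_components(sbom_text: str, advisory: dict) -> list:
    """Answer 'am I affected?': list every component whose name matches the
    advisory and whose version is below the fixed version, together with the
    components that depend on it."""
    comps, deps = load_sbom(sbom_text)
    by_ref = {c.ref: c for c in comps}
    dependents = {}
    for parent, children in deps.items():
        for child in children:
            dependents.setdefault(child, []).append(parent)
    hits = []
    for c in comps:
        if c.name != advisory["component"] or not c.version:
            continue
        if parse_version(c.version) < parse_version(advisory["fixed_in"]):
            required_by = [by_ref[p].name for p in dependents.get(c.ref, []) if p in by_ref]
            hits.append({"name": c.name, "version": c.version, "required_by": required_by})
    return hits


# Constructed advisory; the CVE id is a placeholder, not a real identifier.
ADVISORY = {"id": "CVE-YYYY-NNNNN", "component": "libparse", "fixed_in": "1.3.0"}

# Constructed SPDX 2.2 JSON SBOM: example-app depends on an old libparse.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "3.1.0"},
        {"SPDXID": "SPDXRef-libparse", "name": "libparse", "versionInfo": "1.2.3"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libparse"},
    ],
})

# Constructed CycloneDX 1.4 JSON SBOM: same app, already on the fixed libparse.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "bom-ref": "app", "name": "example-app", "version": "3.2.0"},
        {"type": "library", "bom-ref": "libparse", "name": "libparse", "version": "1.3.0"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["libparse"]}],
})


if __name__ == "__main__":
    for label, sbom in (("SPDX", SPDX_SBOM), ("CycloneDX", CYCLONEDX_SBOM)):
        print(label, affected_components(sbom, ADVISORY))
```

The point of the normalization step is that the minimum SBOM fields (component name, version, a document-local identifier and the dependency relationship) are present in both formats under different keys, so one matching routine can serve both once they are mapped onto the same structure. Reporting `required_by` alongside the hit is what turns "this library is vulnerable" into "this product we run is affected", which is the answer an operator actually needs.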

Taxonomy used for Classifying SBOM Tools
