Through ISMG’s Lens: Software Bill of Materials (SBOM) | Edition 20
Information Security Media Group (ISMG)
Inform. Educate. Connect. ISMG is a Global Leader in Cybersecurity Education, Intelligence and Research.
Supply chain attacks have seen a 742% average annual increase over the past three years. Recent exploitations - from Log4j to crypto heists tied to open-source repositories - have proven costly, not only in financial terms but also in terms of loss of trust.
According to the Cybersecurity and Infrastructure Security Agency, a software bill of materials, or SBOM, has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory: a list of the ingredients (the components, and the components of those components) that make up a piece of software.
SBOMs improve the visibility, transparency, security and integrity of proprietary and open-source code in software supply chains. To realize these benefits, software engineering leaders should integrate SBOMs throughout the software delivery life cycle.
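As an added illustration of what a "nested inventory" buys a defender (example code, not part of the ISMG newsletter or any CISA material): the script below walks a small constructed CycloneDX-style SBOM, flattens the component tree, and reports every dependency path that reaches a component listed in a constructed advisory set. The SBOM contents, the component names and versions, and the advisory set are all assumed sample data.

```python
import json

# Constructed sample SBOM in a CycloneDX-like JSON shape (not a real product's SBOM).
# The nesting under "components" is what makes an SBOM a "nested inventory":
# the shipped application bundles a library that itself bundles log4j-core.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-service", "version": "3.2.0",
     "components": [
       {"type": "library", "name": "reporting-lib", "version": "1.8.1",
        "components": [
          {"type": "library", "group": "org.apache.logging.log4j",
           "name": "log4j-core", "version": "2.14.1"}
        ]},
       {"type": "library", "group": "org.apache.logging.log4j",
        "name": "log4j-api", "version": "2.14.1"}
     ]}
  ]
}
""")

# Constructed advisory feed: (group, name, version) tuples an organization considers
# affected. Placeholder data standing in for a real vulnerability database lookup.
KNOWN_VULNERABLE = {("org.apache.logging.log4j", "log4j-core", "2.14.1")}

def flatten(components, path=()):
    """Depth-first walk of the nested component tree, yielding (path, component)."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp['version']}",)
        yield here, comp
        yield from flatten(comp.get("components", []), here)

def find_vulnerable(sbom, advisories):
    """Return dependency paths (root -> ... -> leaf) whose leaf matches an advisory."""
    hits = []
    for path, comp in flatten(sbom.get("components", [])):
        key = (comp.get("group", ""), comp["name"], comp["version"])
        if key in advisories:
            hits.append(" -> ".join(path))
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM, KNOWN_VULNERABLE):
        print("affected component reachable via:", hit)
```

Without the nested inventory, a flat package list would tell you that log4j-core is present but not which shipped product pulls it in transitively, which is the question incident responders actually had to answer during the Log4j response.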
Let’s understand the industry’s take on it.
Constant Vigilance Demanded - Cyber 'Not Just Another Risk', by Tony Morbin
The Biden executive order on cybersecurity was a catalyst for action, with tight delivery times for steps including the promotion of SBOMs and zero trust. The cyber-physical nexus and expanding threat surface mean it's not easy to maintain vigilance, but recognizing that is the first step. Watch the full interview
Medical Device SBOMs: Attention to Details Matter, by Marianne McGee
It's not enough for medical device makers to provide a software bill of materials - there also needs to be close attention paid to how vulnerabilities in components are communicated and managed, says medical device security expert Ken Hoyme. Listen to the full interview
Cybersecurity Pros: Fresh Challenges Face 'Next Generation', by Mathew Schwartz
As the potential harm posed by technology increases, the cybersecurity stakes are changing, warned speakers at Black Hat Europe. With governments taking a greater interest in regulating cybersecurity - and perhaps practitioners - experts urged practitioners to collectively guide their own destiny. Read the full story
Getting Ready for Software Bills of Material, by Anna Delaney
Software bills of material, or SBOMs, are still "years away" from being ubiquitous, says Grant Schneider, senior director for cybersecurity services at Venable. He says it will take time for them to catch on, and a set of standards and other critical components for industry need to be defined. Watch the full interview
Tracking the Developments with ISMG editors:
Is 2022 the Year of the SBOM?
Four editors at Information Security Media Group discuss important cybersecurity issues, including the importance of incident response planning and the worldwide impact of the Log4j flaw, which may lead to 2022 being the year of the SBOM. Watch the full episode
What's the Status of the SBOM?
Four ISMG editors discuss important cybersecurity issues, including the hot topics at ISMG roundtable discussions - such as challenges around software supply chain security, highlights from ISMG's upcoming Healthcare Summit, and how some cybersecurity vendors are creating their own venture funds. Watch the full episode
Will Others Follow US Lead to Legislate SBOMs?
In the latest weekly update, ISMG editors discuss how organizations can comply with the new PCI DSS 4.0 requirements, whether other countries should follow the U.S. lead on legislating software bills of materials, and key strategies for CISOs preparing for an economic downturn. Watch the full episode
Know Your Editors
We are the world’s largest media organization devoted solely to information security and risk management with reportage and analysis from the industry’s award-winning journalists. A look at who's behind the wire:
Here’s putting the spotlight on Cal Harrison, editorial director, Information Security Media Group (ISMG):
What do you enjoy doing in your spare time?
– Spending time with my wife and daughters, Gamecock football, exploring the outdoors and competitive barbecue cooking.
Your one biggest productivity hack?
– One-on-one conversations. Quite often you can spend more time trying to communicate by email and text than you would if you simply meet, listen, respond and leave the conversation with a mutually agreed-upon plan or solution. Plus, it’s a good way to get to know people, foster inclusive thinking and enjoy some light-hearted humor outside the electron filters.
One piece of advice for young cybersecurity enthusiasts?
– Keep your BS Meter switched on at all times. Everybody has opinions. Everyone wants to lead you down the path of shiny new objects. Maybe there is no truth, but if you do your homework and keep an eye on your BS Meter at all times, you can surround the hell out of it.
Your favorite book?
– Cat’s Cradle. Kurt Vonnegut got a job as a car salesman after the war, but luckily he was really bad at it, so he became a journalist and later a novelist. This 1963 book is about the end of the world. If that wasn't enough, he introduced the concept of granfalloons, a “proud and meaningless collection of human beings” with a perceived shared purpose. Sounds kinda like Twitter, huh?
A must-read for our audience?
– Targeting Healthcare, a new in-depth series by Marianne Kolbasuk McGee and Mathew Schwartz, on the escalation of cyberattacks against healthcare entities, why the industry and government regulators are powerless to stop it, and what needs to be done to defend healthcare services and patient privacy.
A famous quote or saying that you abide by?
– “You never get a second chance to make a good first impression.” – My Dad, Robert M. Harrison Jr.
What is your fondest memory of ISMG?
– Reviewing and editing content for more than 150 video interviews at the 2022 RSA Conference. It was my first couple of weeks on the job, but I got a crash course in the rich content we produce and the power and professionalism of our ISMG team.
What, according to you, is the next big thing in cyber?
– Sadly, it looks like it’s going to take another massive outage of our critical infrastructure along the lines of the Colonial Pipeline for there to be meaningful change in securing these 16 industry sectors that affect everyone’s lives.
That's all for today, we will be back next week. Until next time!
Have a nice day ahead.
-- ISMG Social Media Desk