SBOMs are a rising necessity for cyber security that are now required for vendors working with the US government. However, are SBOMs alone enough to protect your customers or should you pay attention to warnings that binary source validation is needed?
Software bills of materials (SBOMs) are now a requirement for all software vendors to the US government as part of a move to make all software "secure by design". Cyber security experts, however, are warning this doesn't go far enough.
Warnings have surfaced this quarter of hacking methods that could place backdoors in code compilers, even when SBOMs show no evidence of breach. To resolve this, a new methodology is being proposed called 'binary source validation'.
Let's look back at the major events in the last few years that led to SBOMs becoming a legal requirement in various countries. Then, we'll consider whether binary validation is needed to complete the protection SBOMs offer.
The SBOM Story So Far...
Software bills of materials (SBOMs) are essentially an ingredients list for any piece of software. Just as an ingredients list for food will tell you when someone with allergies is safe to eat, SBOMs can warn you when an application contains a compromised piece of open-source code.
Modern developers don't have the time to write every item of code themselves. It's much more productive for them to assemble an application from various pieces of best-practice code obtained from open-source code libraries.
However, when a piece of code contained in a popular library is compromised by cyber criminals, every application built with that code becomes vulnerable. With a library of SBOMs prepared, covering each application you have, you can instantly find where vulnerabilities exist in your applications and fix them.
This isn't just of benefit to software vendors, but it also offers confidence to customers that the software they're buying is secure. This is why the US government has put legislation in place to ensure all its software suppliers provide SBOMs for all the applications they license.
This legislation making SBOMs a requirement came into force in September 2023, with similar legislation under consideration by the European Union. As such, it won't be long before SBOMs become standard practice worldwide.
Yet, do SBOMs cover every possible method that cyber criminals can use to compromise open-source code?
Are SBOMs Enough?
Software bills of materials (SBOMs) document the entire source code of any piece of software. When each application has an SBOM contained within a searchable library, vendors and consumers can search the library to find any use of vulnerable open-source code.
Until recently, an SBOM was considered a complete picture of all code that could possibly be compromised by a hacker, but experts are now calling this into question. Jeremy Long, founder of cyber security foundation OWASP, has directed cyber security specialists to a 1984 paper called "Reflections of Trusting Trust", by Ken Thompson.
The paper documents the potential for cyber criminals to compromise a code compiler, essentially gaining control over the 'factory' you use to create your software. Therefore, any software you create could have a vulnerability built into it at the source that would never show up on an SBOM.
To expand SBOM capabilities, CycloneDX software now includes foundation bills of materials (FBOMs) along with the SBOMs it compiles. This serves to look more closely at the way software is made, but still fails to provide complete security against binary source attacks.
What Is Binary Source Validation?
The solution for preventing the above workaround for the added security offered by software bills of materials (SBOMs) is known as binary source validation. Jeremy Long recommends software security exports explore this new methodology.
Binary source validation is a process that looks at the build artifacts created during software compilation and confirms they haven't been compromised. This ensures that cyber criminals aren't able to compromise your software before it's even been compiled.
By leveraging the trifecta of SBOMs, foundation bills of materials (FBOMs), and binary source validation, software vendors can ensure the security of their software to customers. With the US government pushing software to become "secure by design", this will be a necessity in the near future.
Knowledge Is Power
Software bills of materials (SBOMs) are just one way to document and achieve clarity on your application portfolio and IT landscape. This kind of comprehensive insight is vital for fighting cyber criminals and ensuring cyber security for your organization.
LeanIX EAM documents and organizes information regarding your application portfolio, allowing you to build a full map of your IT landscape and any vulnerabilities that require remediation. This is the only way to ensure your organization is protected against cyber threats.
