Back in February my colleague Alex Rybak posted a blog titled 2021 Will Be the Year of the Automated Software Bill of Materials. Well, yesterday, in an executive order signed by President Biden, that prediction got a lot closer to reality.
The order—focused on cybersecurity—includes new security requirements for software vendors selling software to the U.S. government. It explicitly lays out the idea that in order to protect our nation from “malicious cyber actors” the Federal Government and private sector must work together to enhance the software supply chain. Some of the specific requirements in the order include:
- Providing a purchaser a Software Bill of Materials (SBOM) for each product either directly or by other means such as a website
- Employing automated tools or processes to maintain trusted source code supply chains and ensuring code integrity
- Using automated tools and processes to check for known and potential vulnerabilities and remediate them
- Participating in a vulnerability disclosure program that includes a reporting and disclosure process
- Maintaining accurate and up-to-date data and provenance of software code or components, and controls on internal and third-party software components, tools, and services present in the software development process
- Performing audits and enforcement of these controls on a recurring basis
Companies that do not follow these standards are not permitted to sell software to the federal government.
No doubt driven by attacks such as SolarWinds, the Microsoft Exchange compromises, and the recent Colonial Pipeline incident, messaging from the White House indicates that these practices may well find their way into the private sector, because much of the software sold to the government is also used by enterprises. The majority of U.S. critical infrastructure is owned and operated by the private sector, and when it comes to cybersecurity those organizations set their own strategy. The order encourages the private sector to follow the Federal Government’s lead and align cybersecurity strategy and investment with the government’s in order to minimize future attacks.
As we’ve pointed out in past posts and recent discussions, with the continued rise in open source use and the growing complexity of the software supply chain, best practices are maturing across industries and organizations such as the U.S. Food and Drug Administration, the PCI Security Standards Council, MITRE, OWASP, and the National Cyber Security Centre, to name a few. OpenChain’s adoption as the international standard ISO/IEC 5230:2020 in late 2020 set out best practices that let organizations gain better control over their open source use. Combined with this executive order, more industries will put forth mandates as the public sector ramps up to meet the rising number of cybersecurity incidents.
Within our own organization, for example, over the past year we saw a 25 percent increase in the number of contractual obligations requiring our company to provide an accurate SBOM of what’s in our products. Again, we predict this number will continue to go up until it becomes a standard term in commercial software contracts.
What Does All of This Mean to You?
The quick answer? Begin laying the groundwork for what’s coming and, in some ways, what’s already here. The train has left the station, and now is the time to shore up your open source management strategy. Here are some immediate steps to consider:
- Implement a continuous, automated Software Composition Analysis (SCA) solution so your development team can identify and fix vulnerabilities early in the SDLC, when remediation is cheapest, rather than late, when it disrupts delivery.
- Invest in the right technology to catalog your use of open source and third-party software and deliver a complete and accurate SBOM.
- Educate your teams. Open source licensing and secure coding are not covered in the curricula of the top forty U.S. and top five international computer science programs, so companies should provide their own ongoing education for software development teams.
- Develop a culture within your organization that emphasizes security and compliance. Create an Open Source Program Office (OSPO) to operationalize your open source strategy and deliver policies around open source adoption, use, support, and software development.
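To make the SBOM requirement concrete, here is an added example (written for this post; it is not Code Insight's code and not part of the original article) that builds a minimal CycloneDX-style JSON SBOM from a component list and then audits it for the gaps that make an SBOM "inaccurate" in practice: components with no version, no package identifier, or no license. The component list `SAMPLE_COMPONENTS` is constructed sample data, the supplier name is a placeholder, and `installed_components()` shows how the same structure can be filled from the running Python environment; the `purl` values follow the package-url convention for PyPI packages.

```python
"""Minimal CycloneDX-style SBOM builder plus a completeness audit.

Added example for this post; not code from Code Insight or the original article.
SAMPLE_COMPONENTS below is constructed data, and "Example Vendor" is a placeholder.
"""
import json
import importlib.metadata as md
from typing import Dict, Iterable, List, Optional


def make_purl(name: str, version: str) -> str:
    # Package URL (purl) for a PyPI distribution. PyPI names are case-insensitive
    # and treat '_' and '-' alike, so normalize before emitting the identifier.
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def build_sbom(components: Iterable[Dict[str, Optional[str]]], supplier: str) -> dict:
    """Return a CycloneDX 1.4-shaped document for the given components."""
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"supplier": {"name": supplier}},
        "components": [],
    }
    for c in components:
        entry = {"type": "library", "name": c.get("name") or "", "version": c.get("version") or ""}
        # A purl is only meaningful when we know the exact version that shipped.
        if c.get("name") and c.get("version"):
            entry["purl"] = make_purl(c["name"], c["version"])
        if c.get("license"):
            entry["licenses"] = [{"license": {"name": c["license"]}}]
        bom["components"].append(entry)
    return bom


def installed_components() -> List[Dict[str, Optional[str]]]:
    """Collect name/version/license for every distribution in this environment."""
    out = []
    for dist in md.distributions():
        meta = dist.metadata
        out.append({"name": meta["Name"], "version": dist.version, "license": meta.get("License")})
    return out


def audit_sbom(bom: dict) -> List[str]:
    """Flag components a purchaser could not act on: no version, purl, or license."""
    findings = []
    seen = set()
    for c in bom["components"]:
        ident = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append(f"{ident}: missing name")
        if not c.get("version"):
            findings.append(f"{ident}: missing version")
        if not c.get("purl"):
            findings.append(f"{ident}: missing purl")
        if not c.get("licenses"):
            findings.append(f"{ident}: missing license")
        key = (ident.lower(), c.get("version"))
        if key in seen:
            findings.append(f"{ident}: duplicate entry for version {c.get('version')!r}")
        seen.add(key)
    return findings


# Constructed sample data: two well-described packages and one that would
# fail an SBOM review because it has no version or license recorded.
SAMPLE_COMPONENTS = [
    {"name": "requests", "version": "2.25.1", "license": "Apache-2.0"},
    {"name": "PyYAML", "version": "5.4.1", "license": "MIT"},
    {"name": "legacy_util", "version": "", "license": None},
]


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_COMPONENTS, "Example Vendor")
    print(json.dumps(sbom, indent=2))
    for finding in audit_sbom(sbom):
        print("FINDING:", finding)
```

Running the script prints the SBOM and three findings, all for `legacy_util`; swapping `SAMPLE_COMPONENTS` for `installed_components()` produces a first-cut SBOM of a real environment, and the audit output is a reasonable definition of "done" for the accuracy obligation in the order.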
It’s smart business to get a jump on these practices, or, if you’re already well down the path, evaluate any system or process gaps that could lead to reputation, IP, and vulnerability risk. We’re here to help you navigate through this quickly changing landscape. Here’s a demo of Code Insight’s ability to produce an SBOM. Feel free to contact us if you have any questions.