This webinar will cover why SBOMs should be required to improve software supply chain security, what to look for in an SBOM and how to evaluate open source and third-party components, as well as how to use an SBOM to identify software risk and eliminate vulnerabilities throughout the software supply chain.
2. www.ics.com
About ICS
● Founded in 1987
● Largest source of independent Qt expertise in North America
● Provides:
○ Integrated custom software development
○ User experience (UX) design with Boston UX design studio
○ Platform services
○ Device cybersecurity
○ Cloud & Web services
○ Dedicated Medtech Practice
● Embedded, touchscreen, mobile and desktop applications
● HQ in Waltham, MA with offices in California, Canada, Europe
3. www.ics.com
GrammaTech: Application Security Testing
Headquartered in Bethesda, MD with R&D facility in Ithaca, NY (Cornell)
Two divisions:
• Product Division - Application Security Testing Products
• Research Division - DoD Cybersecurity Research
Static Application Security Testing (SAST)
• Detect unknown defects (Zero-day)
• Safety, quality, security as part of DevSecOps
• Source code and binaries
Software Supply Chain Security Platform
• Software composition analysis (SCA) – Binaries
• Software Bill of Materials (SBOM)
• Identify open source and third-party components
• Detect known (N-day) and unknown (Zero-day) defects
4. www.ics.com
Cybersecurity Everywhere
● Cybersecurity Threats increasing exponentially
● 72% increase in medical data breaches in 2021 compared to 2019
● Average cost of ransomware attack now $1.85M
● Ransomware attacks increasing exponentially
● Tightening requirements for approval
● Insurance costs forcing tightening of Security Requirements
● Improving Cybersecurity
● Significant focus at National and International level
● Purchasing decisions include Cybersec assessment
● Never more reasons to pay close attention to Cybersecurity on your device
6. www.ics.com
Software Sources - Embedded Devices
(Figure: Your Product is assembled from three sources: Open Source, In-house Developed Software and Proprietary 3rd Party software.)
● Need to trust all of the software to trust the device
7. www.ics.com
What is an SBOM?
In simple terms, a Software Bill of Materials is like a list of ingredients: we want to understand what is in the software we are producing or consuming. In our world this might be a list of Open Source components.
8. www.ics.com
What is an SBOM?
A list of components isn't enough, though, as we learned during the E. coli outbreaks back in 2017-18 that saw all of the Romaine lettuce thrown away because there was no way to identify where it had come from.
An SBOM is much closer to the automobile industry's approach, in that we know where each part was produced and when. This dramatically reduces the cost of a recall.
9. www.ics.com
What is an SBOM?
In software we have the Package URL (purl), which is composed of seven elements:
scheme:type/namespace/name@version?qualifiers#subpath
pkg:bitbucket/birkenfeld/pygments-main@244fd47e07d1014f0aed9c
pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie
pkg:docker/cassandra@sha256:244fd47e07d1004f0aed9c
pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io
pkg:gem/jruby-launcher@1.1.2?platform=java
pkg:gem/ruby-advisory-db-check@0.12.4
pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?packaging=sources
10. www.ics.com
What is an SBOM?
1. Software Package Data Exchange (SPDX) — The SPDX specification, created under the auspices of the Linux Foundation, is now an ISO standard (ISO/IEC 5962:2021). A rich ecosystem of open-source tools and commercial providers support SPDX. Developers and packagers creating and consuming SPDX formatted SBOMs can refer to the examples in the GitHub repository.
2. Software Identification (SWID) — The SWID project is supported by the National Institute of Standards and Technology (NIST), and the specification is defined by the ISO/IEC 19770-2:2015 standard. NIST is working to incorporate SWID tag data into the vulnerability dataset provided by the National Vulnerability Database (NVD), and has incorporated SWID tag data into the Security Content Automation Protocol (SCAP). The NIST GitHub repository provides sample tools to generate and validate SWID tags.
3. CycloneDX — CycloneDX is a lightweight SBOM standard designed for use in application security contexts and supply chain component analysis. CycloneDX started in the Open Web Application Security Project (OWASP) community, which manages the strategic direction and maintenance of the specification. The CycloneDX GitHub repository includes tools to create and consume SBOMs in various programming languages.
11. www.ics.com
Why SBOMs?
"The agency wants to require medtechs upfront, as part of a premarket submission, to have a Software Bill of Materials (SBOM) and the capability to update and patch device security into a product's design. In addition, FDA wants new postmarket authority to require that manufacturers adopt policies and procedures for coordinated disclosure of cybersecurity vulnerabilities as they are identified."
https://www.medtechdive.com/news/fda-seeks-more-power-for-medical-device-cybersecurity-mandates/605107/
13. www.ics.com
Why SBOMs - with apologies to Dr Allan Friedman
Benefits of an SBOM Across the Software Supply Chain - Dr. Allan Friedman, Cybersecurity and Infrastructure Security Agency (CISA)
14. www.ics.com
When SBOMs
(Figure: lifecycle stages Design, Develop, Testing, Deployment)
Many build tools can produce an SBOM as part of the build process. This may not account for declared dependencies that are no longer used.
There is a class of tools that can scan binaries to produce an SBOM. This can be important for 3rd party software or legacy software that is no longer being developed.
15. www.ics.com
SW BOM - Development
● Most development systems in use will have an automated way to recreate software
● Can pull from open source repositories, internal repositories, third party code
● If you are dealing with open source, you need a way to point to the open source and the version you want
● Build systems such as Yocto have an automated way of listing versions of code that have made it into your build
● However, subcomponents can be present in many open source projects
● SW BOM requires multiple inputs - leverage existing processes
(Figure: the Product Software SBOM is assembled from Open Source, In-house dev and 3rd party inputs, e.g. kernel-4.14.170-3.0.4, our_app_2.4, skype-8.82)
16. www.ics.com
Yocto Build
(Figure: Yocto Build System. Inputs: BSP Sources, Recipes/Config, Additional Sources, Source Mirrors, Upstream Open Source Releases. Outputs: Root File System, Kernel/Bootloader, Package List, SBOM (SPDX).)
17. www.ics.com
Relationships
All of the build artifacts can be related to one another and visualized to aid in comprehension.
https://democert.org/sbom/
18. www.ics.com
SBOM Ingredients
Example: From a manifest file (repo manifest format):
<project name="meta-lxde.git" path="layers/meta-lxde" remote="tdx"
revision="d43511a4b6d693d4bb1332e765d4403b4a701fd0"
upstream="master"/>
From Yocto build output (package name, architecture, version):
util-linux-mount armv7at2hf-neon 2.32.1-r0
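Added example, not from the slides: the Python below does what the "SW BOM requires multiple inputs" point and the two fragments above call for, normalising a repo-manifest `<project>` element and Yocto "name arch version" package lines into one component list and wrapping it in a minimal CycloneDX 1.4 JSON document. The `<manifest>` wrapper around the slide's element, the `pkg:generic` purls, the property names and the de-duplication rule are this example's assumptions; a production SBOM would also carry the remote URL, licence and hash data.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed input: the slide's <project> element wrapped in the <manifest>
# root element a repo manifest file has.
MANIFEST_XML = """<manifest>
  <project name="meta-lxde.git" path="layers/meta-lxde" remote="tdx"
           revision="d43511a4b6d693d4bb1332e765d4403b4a701fd0"
           upstream="master"/>
</manifest>
"""

# Constructed input: Yocto package lines in the "name arch version" form
# shown on the slide, one per installed package.
YOCTO_PACKAGES = """util-linux-mount armv7at2hf-neon 2.32.1-r0
"""


def components_from_manifest(xml_text: str) -> List[Dict]:
    """One component per <project>, pinned to the exact git revision."""
    components = []
    for project in ET.fromstring(xml_text).iter("project"):
        name = project.attrib["name"]
        if name.endswith(".git"):
            name = name[:-4]
        revision = project.attrib["revision"]
        components.append({
            "type": "library",
            "name": name,
            "version": revision,
            # Assumption: no purl type covers a bare git checkout, so use
            # pkg:generic with the commit hash as the version.
            "purl": f"pkg:generic/{name}@{revision}",
            "properties": [
                {"name": "sbom:source", "value": "repo-manifest"},
                {"name": "manifest:remote", "value": project.attrib.get("remote", "")},
                {"name": "manifest:path", "value": project.attrib.get("path", "")},
                {"name": "manifest:upstream", "value": project.attrib.get("upstream", "")},
            ],
        })
    return components


def components_from_yocto_packages(text: str) -> List[Dict]:
    """One component per "name arch version" line. Anything else is rejected
    rather than silently turned into a component with the wrong version."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"unexpected package line: {raw!r}")
        name, arch, version = fields
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name}@{version}?arch={arch}",
            "properties": [{"name": "sbom:source", "value": "yocto-build"}],
        })
    return components


def build_cyclonedx(components: List[Dict]) -> Dict:
    """Merge component lists into a minimal CycloneDX 1.4 document,
    de-duplicating on purl so a package fed in from two inputs appears once."""
    by_purl: Dict[str, Dict] = {}
    for component in components:
        by_purl.setdefault(component["purl"], component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": sorted(by_purl.values(), key=lambda c: c["purl"]),
    }


def to_json(bom: Dict) -> str:
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    bom = build_cyclonedx(components_from_manifest(MANIFEST_XML)
                          + components_from_yocto_packages(YOCTO_PACKAGES))
    print(to_json(bom))
```

Keying the merge on purl rather than on name is deliberate: the same package name can appear at two versions (a layer's pinned checkout and a vendored copy inside another project), and both belong in the SBOM.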
20. www.ics.com
How do we use SBOM for vulnerability checking?
● Match software components to a vulnerability database, e.g. the NIST NVD
● NIST - National Institute of Standards and Technology
● NVD - National Vulnerability Database: maintains a publicly accessible repository of vulnerabilities; contains CVE entries, >180K entries (Mar '22); any of these could affect your software
● CVE - Common Vulnerabilities and Exposures
● CVSS - Common Vulnerability Scoring System
● CPE - Common Platform Enumeration
(Figure: CNAs assign CVE IDs through MITRE; the NVD database enriches each entry with CPEs and CVSS scores.)
● Components can be checked against Vulnerability Databases (e.g. NVD)
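Added example, not from the slides: a minimal matcher in Python that takes SBOM components carrying the vendor/product names NVD uses and checks them against records in the shape of the NVD JSON feed's cpe_match entries (a cpe23Uri plus the optional versionStartIncluding/Excluding and versionEndIncluding/Excluding range fields). The feed records, product names and IDs are constructed placeholders, not real vulnerabilities. The point is the version-range logic, and the one step this example assumes away: mapping an SBOM name such as util-linux-mount to the vendor:product pair NVD's CPEs use.

```python
import re
from typing import Dict, List, Tuple

# Constructed placeholder records in the shape of the NVD JSON feed's
# cpe_match entries. Vendor, product and IDs are fictional, not real CVEs.
SAMPLE_FEED = [
    {
        "id": "EXAMPLE-0001",
        "cvss_base_score": 9.8,
        "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:acme:widgetlib:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0.0",
             "versionEndExcluding": "2.4.1"},
        ],
    },
    {
        "id": "EXAMPLE-0002",
        "cvss_base_score": 5.3,
        "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:acme:widgetlib:2.4.1:*:*:*:*:*:*:*"},
            # vulnerable:false entries describe the platform side of an AND
            # configuration (e.g. the OS the product runs on); skipped here.
            {"vulnerable": False,
             "cpe23Uri": "cpe:2.3:o:acme:widgetos:*:*:*:*:*:*:*:*"},
        ],
    },
]

# Constructed SBOM components, already mapped to NVD's vendor/product names.
# In practice that mapping is where most false positives and negatives arise.
SAMPLE_COMPONENTS = [
    {"name": "widgetlib", "vendor": "acme", "product": "widgetlib", "version": "1.9.0"},
    {"name": "widgetlib", "vendor": "acme", "product": "widgetlib", "version": "2.3.7"},
    {"name": "widgetlib", "vendor": "acme", "product": "widgetlib", "version": "2.4.1"},
    {"name": "widgetlib", "vendor": "acme", "product": "widgetlib", "version": "2.4.2"},
]

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(uri: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string on unescaped colons into its 11 fields."""
    fields = re.split(r"(?<!\\):", uri)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {uri!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def version_key(version: str) -> Tuple:
    """Order versions numerically per component ("7.50.10" > "7.50.3"), falling
    back to string order for non-numeric parts such as "r0" or "beta"."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+~]", version) if p != "")


def cpe_match_applies(component: Dict[str, str], match: Dict[str, str]) -> bool:
    """True if the component falls inside the product and version set the match describes."""
    cpe = parse_cpe23(match["cpe23Uri"])
    if (cpe["vendor"], cpe["product"]) != (component["vendor"], component["product"]):
        return False
    v = version_key(component["version"])
    if cpe["version"] not in ("*", "-") and v != version_key(cpe["version"]):
        return False  # exact-version CPE and the versions differ
    # ranged CPE: every bound is optional and they combine as an intersection
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def find_vulnerabilities(components: List[Dict], feed: List[Dict]) -> List[Dict]:
    """One hit per (component, record) pair that applies, highest CVSS first."""
    hits = []
    for comp in components:
        for record in feed:
            if any(cpe_match_applies(comp, m)
                   for m in record["cpe_match"] if m.get("vulnerable", True)):
                hits.append({"component": f"{comp['name']}@{comp['version']}",
                             "id": record["id"],
                             "cvss": record["cvss_base_score"]})
    return sorted(hits, key=lambda h: (-h["cvss"], h["component"], h["id"]))


if __name__ == "__main__":
    for hit in find_vulnerabilities(SAMPLE_COMPONENTS, SAMPLE_FEED):
        print(f"{hit['component']:<18} {hit['id']:<14} CVSS {hit['cvss']}")
```

Note the boundary: 2.4.1 is excluded from the first record by versionEndExcluding but caught by the second record's exact-version CPE, while 2.4.2 matches nothing. A matcher that compares version strings lexically instead of component-wise would also wrongly place 7.50.10 before 7.50.3.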
21. www.ics.com
Some products that could help
● Grammatech
○ CodeSonar - Static Application Security Testing (SAST)
○ CodeSentry - Binary Analysis and SBOM Generation
● OSS Index
○ Free source of vulnerability analysis (from Sonatype)
○ Cheque - a free scanner for C/C++ code using OSS Index
● Timesys Vigiles
○ Vulnerability monitoring and remediation tool (Yocto, Buildroot, automatic SBOM scan)
● Snyk
○ Service to find open-source vulnerabilities. Limited free plan. Uses source code signatures.
● Tidelift
○ Helps select vulnerability-free open source. Generates SBOM.
● Dependency-check
○ Free (OWASP-developed) tool to check if dependencies are listed as having vulnerabilities in the NVD (Java/.NET fully supported, others experimental, autoconf and CMake for C/C++)