In a recent memo issued on June 9, the Office of Management and Budget has introduced new guidelines for federal agencies to collect cyber-security attestations from software providers. This move comes as part of the Biden administration's efforts to bolster the cybersecurity of commercial technology products used within the government. The goal is to ensure that software adheres to NIST standards and follows secure software development practices.
These guidelines bring to light several key aspects:
1. Extended Collection Period: Federal agencies will be given more time to gather letters of attestation from software providers.
2. Exemption for Open-Source Software: Letters of attestation won't be mandatory for open-source software, recognizing the unique nature of this type of software.
3. Agency-Created Software Discretion: Agency Chief Information Officers (CIOs) will have the authority to determine whether software is classified as "agency-developed."
4. Alternate Submission Plan: Companies that cannot immediately provide letters of attestation will have the option to submit a "plan of action and milestones" instead.
While these guidelines are a step in the right direction, the issue of managing the influx of self-attestations remains. The concept of SBOMs has been introduced, requiring federal agencies to use software from producers who comply with government-specified secure software development practices outlined by NIST. However, not all SBOMs are created equal, and the quality of these documents varies significantly.
Looking to learn more about SBOM? The Developer's Guide to SBOMs by Codenotary is ready for you!
Amidst the buzz surrounding SBOMs, questions arise about their quality and what constitutes a "quality" SBOM. While some open-source tools attempt to gauge quality, the lack of comprehensive data poses a challenge. The Cybersecurity and Infrastructure Security Agency (CISA) has explored methods like the OWASP Software Component Verification Standard (SCVS) to assess SBOM quality. The analogy of SBOMs to ingredient labels on packaged food is apt: knowing the components isn't enough to ensure safety. It's crucial to understand how those components are used.
Jeff Williams, co-founder and CTO of Contrast Security, highlights, "SBOMs express a lot more than a list of ingredients. The same set of ingredients could be in software that is secure or software that isn’t." In other words, context matters.
Addressing these concerns, the Open Web Application Security Project (OWASP) introduced the CycloneDX project. This initiative aims to provide a machine-readable attestation format that simplifies the creation, management, and consumption of attestations. CycloneDX recognizes that a comprehensive and precise inventory of components is essential for identifying risks. While there are several SBOM standards, CycloneDX stands out for its transparency not just in software components but also in software dependencies and services.
In a recent milestone, OWASP unveiled CycloneDX version 1.5, which expands SBOM adoption across various industries. It introduces dimensions of breadth, depth, life cycles, techniques, and confidence as markers of SBOM quality. These dimensions are fundamental to ensuring the integrity of software components.
- Breadth: Refers to the range of fields covered within an SBOM, including author and supplier information.
- Depth: Reflects the complexity of obtaining data, highlighting the level of detail in the SBOM.
- Life Cycles: Embraces the number and favorability of life cycles in creating an SBOM.
- Techniques: Encompasses the methods used to determine component identity.
- Confidence: Evaluates the individual technique's reliability and the collective analysis of all techniques for component identification.
CycloneDX 1.5 goes beyond software, supporting diverse industries with its xBOMs, such as SaaSBOM and HBOM, catering to cloud-native applications and hardware documentation, respectively. Moreover, it allows the representation of call stacks, enabling a more precise assessment of library invocations.
Contrast Security's Jeff Williams, an active contributor to the CycloneDX project, enthusiastically supports this advancement. "This release is a big step forward in the vision of SBOMs and will be useful in making informed decisions," he notes. CycloneDX not only meets but surpasses the Minimum Elements for Software Bill of Materials, defined by the National Telecommunications and Information Administration (NTIA).
As the digital landscape evolves, so do the challenges of software security. Navigating the complexities of SBOMs demands a comprehensive understanding of the aspects of quality. CycloneDX's innovative approach paves the way for trustworthy SBOMs, fostering secure software development practices and fortifying the software supply chain.
The journey to secure software begins with quality SBOMs, and CycloneDX is at the forefront of this movement. To delve deeper into the world of SBOM quality and gain valuable insights, check out The Developer's Guide to SBOMs brought to you by Codenotary. Elevate your understanding and contribute to a more secure digital landscape.