1 of 15

Laurie Williams

Laurie_williams@ncsu.edu


Software Bill of Materials

https://ntia.gov/files/ntia/publications/ntia_sbom_energy_jan2021overview_0.pdf

2 of 15

Executive Order 14028


Software Bill of Materials (SBOM) Generation

3 of 15

From EO 14028

4 of 15

What is a Software Bill of Materials (SBOM)

  • An SBOM is a formal, machine-readable and human-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships 🡺 transparency.
  • SBOMs help organizations to:
    • Understand the components—and the security posture—of the software they create or use
    • Identify and avoid known vulnerabilities
    • Identify security and license compliance requirements
  • Minimum required depth in the dependency tree = 1 layer deep … work is in progress to make SBOMs more complete by recursing through the full dependency tree

5 of 15

SBOM Standards

  • SBOMs have been worked on for a decade – just prominent now
  • Central bodies:
    • US National Telecommunications and Information Administration (NTIA) – US Dept of Commerce (historical)
    • US Cybersecurity and Infrastructure Security Agency (CISA)
  • Primary Standards:
    • Linux Foundation Software Package Data Exchange® (SPDX®): https://spdx.github.io/spdx-spec/
    • OWASP CycloneDX: https://cyclonedx.org
    • Also mentioned: Software Identification (SWID) tagging
    • Serialization formats: text, JSON, XML, YAML

6 of 15

What’s an SBOM for?

A good SBOM should allow organizations to answer questions like, “Am I vulnerable to the CVE-2022-22965 (Spring4Shell) vulnerability?”

7 of 15

SBOM Formats

8 of 15

9 of 15

Exercise

  • Go to the class schedule and to the Software Bill of Materials exercise

10 of 15

Any concerns with/reaction to SBOM?

11 of 15

Open-source SBOM Generation Tools

https://www.wiz.io/academy/top-open-source-sbom-tools

12 of 15

Vulnerability Exploitability eXchange (VEX)

  • VEX is a machine-readable artifact to allow a software supplier or other parties to assert the status of specific vulnerabilities in a particular product (similar to a security advisory)

https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf
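Added example, not from the slides: a Python script that answers the Spring4Shell question from slide 6 by walking a constructed CycloneDX SBOM for components in the advisory's version range, then applies the supplier's VEX assertion from slide 12 before deciding whether an update is really needed. The advisory version ranges and the CycloneDX `vulnerabilities[].analysis` field names are assumptions; check them against the advisory and the CycloneDX specification.

```python
import json

# Constructed CycloneDX 1.4 document (not from the slides): two components plus one
# supplier VEX statement embedded in CycloneDX's "vulnerabilities[].analysis" field.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.springframework/spring-webmvc@5.3.17",
     "group": "org.springframework", "name": "spring-webmvc", "version": "5.3.17"},
    {"type": "library", "bom-ref": "pkg:maven/com.example/util@1.0.0",
     "group": "com.example", "name": "util", "version": "1.0.0"}
  ],
  "vulnerabilities": [{
    "id": "CVE-2022-22965",
    "analysis": {"state": "not_affected", "justification": "requires_environment",
                 "detail": "Runs as an executable JAR on embedded Tomcat, not a WAR"},
    "affects": [{"ref": "pkg:maven/org.springframework/spring-webmvc@5.3.17"}]
  }]
}"""

# Advisory data supplied as input (assumed; verify against the vendor advisory):
# affected Maven coordinates and inclusive version ranges for the CVE.
ADVISORY = {"CVE-2022-22965": {
    "coords": {("org.springframework", "spring-webmvc")},
    "ranges": [((5, 2, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17))]}}

def parse_version(text):
    """'5.3.17' -> (5, 3, 17) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))

def affected_refs(sbom, cve):
    """bom-refs of SBOM components whose coordinates and version fall in the advisory."""
    adv = ADVISORY[cve]
    return [c["bom-ref"] for c in sbom.get("components", [])
            if (c.get("group"), c.get("name")) in adv["coords"]
            and any(lo <= parse_version(c["version"]) <= hi for lo, hi in adv["ranges"])]

def vex_state(sbom, cve, ref):
    """Supplier's VEX analysis state for (cve, component), or None if none was asserted."""
    for v in sbom.get("vulnerabilities", []):
        if v.get("id") == cve and any(a.get("ref") == ref for a in v.get("affects", [])):
            return v.get("analysis", {}).get("state")
    return None

def assess(sbom_text, cve):
    """Answer 'am I vulnerable to <cve>?' per matching component: VEX state, else flag it."""
    sbom = json.loads(sbom_text)
    return {ref: vex_state(sbom, cve, ref) or "affected_no_vex" for ref in affected_refs(sbom, cve)}

print(assess(SBOM_JSON, "CVE-2022-22965"))
```

A component in range with no VEX statement is reported as `affected_no_vex`, which is the case where the consumer still has to decide for themselves whether to update.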

13 of 15

Vulnerability Exploitability eXchange (VEX)

https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf

14 of 15

Any concerns with/reaction to VEX?

15 of 15

Summary

  • Lots of focus on generating SBOMs, tools emerging, software composition analysis (SCA) tools provide a lot of information
  • Exploitability/reachability can be questioned … do I really need to update?
    • VEX is intended to help handle this
    • This is a good research area!
  • SBOM production is getting better and better
    • Though comparing the output of different tools can raise questions
    • Some handle transitive/indirect dependencies differently or not at all
  • SBOM sharing, SBOM consumption are pretty immature