1 of 16

Laurie Williams

Laurie_williams@ncsu.edu

1

Software Bill of Materials

https://ntia.gov/files/ntia/publications/ntia_sbom_energy_jan2021overview_0.pdf

2 of 16

Exam Information

  • Covers the material through today’s lecture�
  • Answer key to sample exams will not be distributed, but you can work together on the answers and post questions to Piazza … you learn by doing/talking :) �
  • You can bring one sheet of types/handwritten notes, both sides (or two one-sided). Put your name on the sheet. You will turn it in. �
  • A Study Guide is in progress. I will post on Piazza when it’s done. It’s also linked to Lecture 11 (where the sample exams are).�
  • Study your notes and workshops.�
  • The exam will be administered via Gradescope (001) or paper/proctored (601).

3 of 16

Executive Order 14028

3

Photo by Tabrez Syed on Unsplash

Software Bill of Materials (SBOM) Generation

4 of 16

From EO 14028

5 of 16

What is a Software Bill of Materials (SBOM)

  • An SBOM is a formal, machine-readable and human-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships 🡺 transparency.
  • SBOMs help an organizations to:
    • Understand the components—and the security posture—of the software they create or use
    • Identify and avoid known vulnerabilities
    • Identify security and license compliance requirements
  • Minimum depth in the dependency tree = 1 layer deep … work is in progress to make SBOMs more complete, recurse up the dependency tree

6 of 16

SBOM Standards

  • SBOMs have been worked on for a decade – just prominent now
  • Central bodies:
    • US National Telecommunications and Information Administration (NTIA) – US Dept of Commerce (historical)
    • US Cybersecurity and Infrastructure Security Agency (CISA)
  • Primary Standards:
    • Linux Foundation Software Package Data Exchange® (SPDX®): https://spdx.github.io/spdx-spec/
    • OWASP CycloneDX: https://cyclonedx.org
    • Also mentioned: Software Identification (SWID) tagging
    • Text, json, xml, yaml

7 of 16

What’s a SBOM for?

7

Yingyaipumi/stock.adobe.com

Seventyfour i/stock.adobe.com

A good SBOM should allow organizations to answer questions like, “Am I vulnerable to the CVE-2022-22965 (Spring4Shell) vulnerability?”

8 of 16

SBOM Formats

9 of 16

10 of 16

Exercise

  • Go to the class schedule and to the Software Bill of Materials exercise

11 of 16

Any concerns with/reaction to SBOM?

12 of 16

Open-source SBOM Generation Tools

https://www.wiz.io/academy/top-open-source-sbom-tools

13 of 16

Vulnerability Exploitability eXchange (VEX)

  • VEX is a machine-readable artifact to allow a software supplier or other parties to assert the status of specific vulnerabilities in a particular product (similar to a security advisory)

https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf

14 of 16

Vulnerability Exploitability eXchange (VEX)

https://www.cisa.gov/sites/default/files/2023-01/VEX_Use_Cases_Aprill2022.pdf

15 of 16

Any concerns with/reaction to VEX?

16 of 16

Summary

  • Lots of focus on generating SBOM, tools emerging, SCA tools provide a lot of information
  • Exploitability/reachability can be questioned … do I really need to update?
    • VEX is intended to help handle this
    • This is a good research area!
  • SBOM production is getting better and better
    • Though comparison been tools can lead to questions
    • Some handle transitive/indirect dependencies different or not at all
  • SBOM sharing, SBOM consumption are pretty immature