The newly minted, and highly anticipated, cybersecurity executive order from President Biden, marks the strongest stance ever taken by the Federal government in an attempt to secure our nation's software supply chains from attack. For the first time in history, any company that sells software to the federal government will be required to provide not just the application -- but also a software bill of materials (SBOM) that provides transparency pertaining to the components that comprise the application.
The timing of the order is not coincidental; it follows the recent Solarwinds and Codecov software supply chain attacks, coincides with a 430% rise in attacks aimed at open source projects, and it was issued on the same day that witnessed massive shortages of gas at the pump for many Americans due to the cyber attack on Colonial Pipelines.
What does the executive order on cybersecurity say about SBOMs and secure development?
Biden's cybersecurity executive order calls for the Commerce Department's National Institute of Standards and Technology (NIST) to publish preliminary guidelines within six months for software supply-chain security, and final guidelines within a year. The guidance should include how to check for vulnerabilities, how to find evidence of flaws, ensuring up-to-date provenance of open source and source code, and instructions for using automated tools to validate trusted code.
What is a software bill of materials (SBOM)?
An SBOM is a list of ingredients (components) that make up a software application.
In today's world, too many organizations don't have a full picture of what's inside their software. Most aren't even looking. The fact is that fewer than 50% of companies today produce SBOMs as a standard practice in software development. At the same time, breaches tied to open source software components used in applications impact 1 in 5 organizations annually.
A basic tenet of any security program is to understand the component parts present in your systems, the risk associated with those component parts, and the relative severity of such risk. For software applications, this requires organizations to have an SBOM and full visibility of the open source components present in an application. An SBOM is the ONLY way to do this.
Not having an SBOM means that companies are blind to known-vulnerable open source components being shipped in their software applications. Further, without an SBOM, these same companies are guaranteed to struggle, much like Equifax did in 2017, to respond to new zero day vulnerability disclosures in open source components. With 10,000+ vulnerabilities announced annually, there are 10,000 very good reasons to have an SBOM for all of your production applications.
Why does this executive order matter?
Simply stated, the reason this order matters is because the Federal government is trying to shape the entire software market with the power of federal procurement.
As the Washington Post noted, "the order will have significant implications for the private sector."
"In so many areas of computer security, what the federal government does first, the private sector follows," said Ari Schwartz, managing director of cybersecurity policy at Venable, a law firm. "What the federal government is requiring here likely will become the standard for all software moving forward — not just in the United States but internationally."
Create a FREE software bill of materials now with the Sonatype Vulnerability Scanner.
