Software supply chain

Last updated

A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact. [1]

Contents

Software vendors often create products by assembling open source and proprietary software components. A software bill of materials [2] (SBOM) declares the inventory of components used to build a software artifact such as a software application. [3] It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them.

The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. [4] A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

Usage

An SBOM is useful both to the builder (manufacturer) and the buyer (customer) of a software product. Builders often leverage available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. [5] Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.

While many companies just use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. SBOMs gain greater value when collectively stored in a repository that can be a part of other automation systems, easily queried by other applications. This need for automated SBOM processing is addressed by various software vendors, especially those making use of open document standards.

Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk. [6] [7] [8]

Legislation

The Cyber Supply Chain Management and Transparency Act of 2014 [9] was US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase. It also would have required obtaining SBOMs for "any software, firmware, or product in use by the United States Government". Though it ultimately didn't pass, this act did bring awareness to government and spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017." [10] [11]

The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021 [12] ordered NIST to issue guidance within 90 days to "include standards, procedures, or criteria regarding" several topics in order to "enhance the security of the software supply chain," including "providing a purchaser a Software Bill of Materials (SBOM) for each product." Also mandated within 60 days was for NTIA to "publish minimum elements for an SBOM."

The NTIA minimum elements were published on July 12, 2021, [13] and also "describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution." The minimum elements consist of three broad categories: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs). The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions. [14]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security, or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">SANS Institute</span> American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

<span class="mw-page-title-main">Rockwell Automation</span> American industrial automation provider

Rockwell Automation, Inc. is an American provider of industrial automation and digital transformation technologies. Brands include Allen-Bradley, FactoryTalk software and LifecycleIQ Services.

<span class="mw-page-title-main">Bill of materials</span> List used in manufacturing

A bill of materials or product structure is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts, and the quantities of each needed to manufacture an end product. A BOM may be used for communication between manufacturing partners or confined to a single manufacturing plant. A bill of materials is often tied to a production order whose issuance may generate reservations for components in the bill of materials that are in stock and requisitions for components that are not in stock.

Commercial-off-the-shelf or commercially available off-the-shelf (COTS) products are packaged or canned (ready-made) hardware or software, which are adapted aftermarket to the needs of the purchasing organization, rather than the commissioning of custom-made, or bespoke, solutions. A related term, Mil-COTS, refers to COTS products for use by the U.S. military.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

<span class="mw-page-title-main">Ivanti</span> American IT software company

Ivanti is an IT software company headquartered in South Jordan, Utah, United States. It produces software for IT Security, IT Service Management, IT Asset Management, Unified Endpoint Management, Identity Management and supply chain management. It was formed in January 2017 with the merger of LANDESK and HEAT Software, and later acquired Cherwell Software. The company became more widely known after several major security incidents related to the VPN hardware it sells.

An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems (DCSs) with many thousands of field connections. Control systems receive data from remote sensors measuring process variables (PVs), compare the collected data with desired setpoints (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

<span class="mw-page-title-main">ProductCenter</span>

ProductCenter is a commercial software product, that is an integrated suite of Product Lifecycle Management (PLM) software for managing product data. The software was engineered for the Microsoft Windows and UNIX operating systems. Along with core applications, it includes localized and web-based services. ProductCenter is suited for managing various types of CAx data, but it can be used for many forms of data management and product management.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Digital supply chain security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

<span class="mw-page-title-main">Cyber Intelligence Sharing and Protection Act</span> Unpassed United States bill

The Cyber Intelligence Sharing and Protection Act was a proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The stated aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattacks.

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM). SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. Its original purpose was to improve license compliance, and has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security. SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

<span class="mw-page-title-main">Cybersecurity Information Sharing Act</span>

The Cybersecurity Information Sharing Act is a United States federal law designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on October 27, 2015. Opponents question CISA's value, believing it will move responsibility from private businesses to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.

The Open Trusted Technology Provider Standard (O-TTPS) is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization of Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1 and is now also known as ISO/IEC 20243:2015. The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. It is currently in version 1.1. A Chinese translation has also been published.

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

<span class="mw-page-title-main">Cybersecurity and Infrastructure Security Agency</span> Agency of the United States Department of Homeland Security

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

It is a common software engineering practice to develop software by using different components. Using software components segments the complexity of larger elements into smaller pieces of code and increases flexibility by enabling easier reuse of components to address new requirements. The practice has widely expanded since the late 1990s with the popularization of open-source software (OSS) to help speed up the software development process and reduce time to market.

<span class="mw-page-title-main">Cyber Resilience Act</span> Proposed cybersecurity regulation in the EU

The Cyber Resilience Act (CRA) is an EU regulation proposed on 15 September 2022 by the European Commission for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements in the EU, such as required incident reports and automatic security updates. Products with digital elements mainly are hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".

References

  1. "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Archived (PDF) from the original on 2022-12-17. Retrieved 2022-07-04.
  2. "Software Bill of Materials". ntia.gov. Archived from the original on 2022-11-30. Retrieved 2021-01-25.
  3. "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2015-06-14. Retrieved 2015-06-12.
  4. "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Archived from the original on 2014-12-30. Retrieved 2015-06-12.
  5. "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. Archived from the original on 2018-08-25. Retrieved 2015-06-12.
  6. "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Docs.ismgcorp.com. Archived (PDF) from the original on 2023-01-19. Retrieved 2015-06-12.
  7. "Top 10 2013-A9-Using Components with Known Vulnerabilities". Archived from the original on 2019-10-06. Retrieved 2015-06-12.
  8. "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. Archived from the original on 2023-06-06. Retrieved 2020-07-28.
  9. "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress". 4 December 2014. Archived from the original on 2022-12-16. Retrieved 2015-06-12.
  10. "Internet of Things Cybersecurity Improvement Act of 2017" (PDF). Archived (PDF) from the original on 2023-01-19. Retrieved 2020-02-26.
  11. "Cybersecurity Improvement Act of 2017: The Ghost of Congress Past". 17 August 2017. Archived from the original on 2022-12-16. Retrieved 2020-02-26.
  12. "Executive Order on Improving the Nation's Cybersecurity". The White House. 2021-05-12. Archived from the original on 2021-05-15. Retrieved 2021-06-12.
  13. "The Minimum Elements For a Software Bill of Materials (SBOM)". NTIA.gov. 2021-07-12. Archived from the original on 2023-06-05. Retrieved 2021-12-12.
  14. "NTIA Releases Minimum Elements for a Software Bill of Materials". NTIA.gov. 2021-07-12. Archived from the original on 2022-11-22. Retrieved 2022-03-22.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.