Monday, June 19, 2023

Understanding SBOM: Is the Software Bill of Materials a New Concept?

I was listening to the Cloud Security Podcast in my car. My daughter was with me and I was explaining the Bill of Materials to her. It struck me that we have a Bill of Materials for a car that helps both manufacturers and consumers. Why was it so hard for software applications to do the same?

BOM: In car assembly, components from different suppliers are brought together to create a finished vehicle. Each component, such as the engine, transmission, brakes, and electrical systems, comes from a different manufacturer and may have its own supply chain. Without proper documentation and tracking, it is challenging to have visibility into the origins, specifications, and potential issues of these components.

SBOM: Applies the same idea to software. An SBOM provides a comprehensive inventory of the software components used, including the dependencies and versions of the third-party libraries and frameworks they rely on.

Supply Chain Management and Risk: Automotive manufacturers today have good visibility into their supply chain. They can identify the components used, their sources, and their versions. This lets them ensure quality when building the car, and when there are issues in the supply chain, they can work out the associated risk and find alternatives for those components. An SBOM addresses the same issues for dependent software and the risk associated with it.

Vulnerability Management - Build Cycle: Manufacturers can monitor security advisories and updates related to the components listed in the BOM.

Similarly, an SBOM provides visibility into the software components and their dependencies, which helps in identifying known vulnerabilities. When a vulnerability is published for any dependent library, the software owner can quickly assess which software is affected and find the libraries that need to be updated. This check can be integrated into the build cycle so that vulnerable components are not introduced in the first place.


Vulnerability Management - Post Build: When a software vulnerability or issue is identified, an SBOM allows for targeted and efficient component replacement. The car industry today can pinpoint the specific components that need to be updated or replaced when there is a recall. Similarly, vulnerability management can quickly find the exact software that needs to be fixed or patched when a new vulnerability is identified.
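To show what the build-cycle and post-build checks look like in practice, here is an added example (not code from the original post): a small Python script that loads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory list, and walks the dependency graph back to the application so the owner can see which direct dependency pulls in the vulnerable library. The SBOM, package names, versions and advisory entries are all assumed sample data, and the advisory ids are placeholders rather than real identifiers.

```python
"""Added example: SBOM-driven vulnerability check (build gate + impact path).
Everything below is constructed sample data, not the post's own code."""
import json

# Constructed CycloneDX-style SBOM: one application with direct and
# transitive dependencies. Package names and versions are sample values.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:pypi/order-service@2.3.0",
                             "name": "order-service", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.25.1", "name": "requests", "version": "2.25.1"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.4", "name": "urllib3", "version": "1.26.4"},
    {"bom-ref": "pkg:pypi/pyyaml@6.0", "name": "pyyaml", "version": "6.0"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/order-service@2.3.0",
     "dependsOn": ["pkg:pypi/requests@2.25.1", "pkg:pypi/pyyaml@6.0"]},
    {"ref": "pkg:pypi/requests@2.25.1", "dependsOn": ["pkg:pypi/urllib3@1.26.4"]},
    {"ref": "pkg:pypi/urllib3@1.26.4", "dependsOn": []},
    {"ref": "pkg:pypi/pyyaml@6.0", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed. Ids are placeholders, not real advisories:
# a component is vulnerable when its version is below "fixed_in".
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "urllib3", "fixed_in": "1.26.5"},
    {"id": "EXAMPLE-ADV-0002", "name": "pyyaml", "fixed_in": "5.4"},  # already fixed
]


def parse_version(text):
    """Turn '1.26.4' into (1, 26, 4) for a plain numeric comparison.
    Real ecosystems need their own rules (PEP 440, semver); dotted
    integers are enough for this sample."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(text):
    """Index the SBOM by bom-ref and build forward and reverse dependency maps."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom["components"]:
        components[comp["bom-ref"]] = comp
    depends_on = {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}
    depended_by = {ref: [] for ref in components}
    for parent, children in depends_on.items():
        for child in children:
            depended_by.setdefault(child, []).append(parent)
    return {"root": root["bom-ref"], "components": components,
            "depends_on": depends_on, "depended_by": depended_by}


def find_vulnerable(sbom, advisories):
    """Match every SBOM component against the advisory list.
    Returns (advisory id, bom-ref) pairs for affected components."""
    hits = []
    for ref, comp in sbom["components"].items():
        for adv in advisories:
            if comp["name"] == adv["name"] and \
               parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], ref))
    return hits


def dependency_path(sbom, ref):
    """Walk the reverse graph from a vulnerable component back to the root,
    so the owner sees which direct dependency pulls it in (the post-build
    question: what exactly has to be patched)."""
    path, seen, current = [ref], {ref}, ref
    while current != sbom["root"]:
        parents = [p for p in sbom["depended_by"].get(current, []) if p not in seen]
        if not parents:
            break
        current = parents[0]
        seen.add(current)
        path.append(current)
    return list(reversed(path))


def check_build(sbom_text, advisories):
    """Build-cycle gate: returns (ok, findings). A CI job fails the build when ok is False."""
    sbom = load_sbom(sbom_text)
    findings = []
    for adv_id, ref in find_vulnerable(sbom, advisories):
        path = dependency_path(sbom, ref)
        findings.append({"advisory": adv_id, "component": ref,
                         "direct_dependency": path[1] if len(path) > 1 else ref,
                         "path": path})
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_build(SBOM_JSON, ADVISORIES)
    print("clean" if ok else "vulnerable components found")
    for f in findings:
        print(f["advisory"], "->", " > ".join(f["path"]))
```

With the sample data, the gate reports that `urllib3` is below the fixed version and that it reaches the application through `requests`, which is the direct dependency the owner would bump (or pin `urllib3` itself); `pyyaml` is already at or above its fix and produces no finding. Re-running the same check against the regenerated SBOM after the update is what turns the post-build step into a closed loop.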


Compliance and Auditing: An SBOM also helps in meeting regulatory requirements and facilitating audits. It provides a transparent record of the software components used, making it easier to demonstrate compliance with industry standards and regulations. In case of an audit or investigation, the SBOM serves as documented proof of the software supply chain and its compliance.

Lifecycle Management: Throughout the lifecycle of a car, software updates and improvements are released. An SBOM aids in managing these updates by providing a clear picture of the software components and their versions. It ensures that the correct updates are applied to the specific components in the car, promoting performance improvements, bug fixes, and security enhancements.

Enforcement is required, as an SBOM is only effective if the dependent software also provides one.

Presidential Action on SBOM:

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 
