The Increasing Importance of SBOMs in Cybersecurity

Introduction

The growing need for SBOMs in cybersecurity became obvious in May 2021, when President Biden issued Executive Order 14028 on Improving the Nation's Cybersecurity, which directs federal agencies to require a software bill of materials from vendors of the software they purchase. Only months earlier, in December 2020, the government and several large companies had learned that a software supply chain attack had given intruders a foothold in their networks and access to sensitive data.

Although the intruders abused software from at least three companies (SolarWinds, Microsoft, and VMware) over the course of the campaign, SolarWinds drew most of the attention because the trojanized update to its Orion platform was the initial point of entry. Now, more companies are considering the role of SBOMs in cybersecurity, leading to changes that could influence how developers create and document software.

Packagecloud is the industry’s first platform to implement the SBOM framework. Start your free trial to see how it benefits your cybersecurity.


SBOMs Improve Transparency

A software bill of materials (SBOM) is a structured, machine-readable inventory of every component, library, and module in a piece of software, normally recorded in a standard format such as SPDX or CycloneDX together with each component's version, supplier, and dependency relationships. The inventory improves transparency by letting developers and their customers see exactly what the software was built from. Once the supply chain relationships are visible, it becomes much easier to spot a component carrying a known vulnerability that could give attackers access to sensitive information.
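
As an added example (not code from this page or from Packagecloud), here is how the structure just described is used in practice. It parses a small CycloneDX JSON SBOM constructed for the example (the application and the dependency graph are made up for illustration), walks the dependency graph to list everything the application pulls in, explains which direct dependencies are responsible for a given transitive component, and flags components the inventory lists but the graph never reaches, which is a sign of an incomplete SBOM.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 JSON SBOM for an imaginary application. The
# "dependencies" section is what makes supply-chain relationships visible:
# each entry lists the components a given component depends on directly.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "pkg:pypi/myapp@1.0.0", "type": "application",
                  "name": "myapp", "version": "1.0.0"}
  },
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "name": "requests", "version": "2.31.0"},
    {"bom-ref": "pkg:pypi/urllib3@2.0.7", "type": "library", "name": "urllib3", "version": "2.0.7"},
    {"bom-ref": "pkg:pypi/certifi@2023.7.22", "type": "library", "name": "certifi", "version": "2023.7.22"},
    {"bom-ref": "pkg:pypi/boto3@1.28.0", "type": "library", "name": "boto3", "version": "1.28.0"},
    {"bom-ref": "pkg:pypi/botocore@1.31.0", "type": "library", "name": "botocore", "version": "1.31.0"},
    {"bom-ref": "pkg:pypi/six@1.16.0", "type": "library", "name": "six", "version": "1.16.0"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/myapp@1.0.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/boto3@1.28.0"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
    {"ref": "pkg:pypi/boto3@1.28.0", "dependsOn": ["pkg:pypi/botocore@1.31.0"]},
    {"ref": "pkg:pypi/botocore@1.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}
  ]
}
"""


def load_sbom(text):
    """Parse CycloneDX JSON into (components by bom-ref, adjacency list, root ref).
    Rejects graphs that reference components the SBOM never declares: an SBOM
    whose graph and inventory disagree cannot be trusted for either."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = doc["metadata"]["component"]
    components = {c["bom-ref"]: c for c in doc.get("components", [])}
    components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    for ref, deps in edges.items():
        for r in (ref, *deps):
            if r not in components:
                raise ValueError(f"dependency graph references undeclared component {r}")
    return components, edges, root["bom-ref"]


def transitive_deps(edges, start):
    """Everything `start` pulls in, directly or through other components
    (breadth-first; the visited set also guards against cyclic graphs)."""
    seen = set()
    queue = deque(edges.get(start, []))
    while queue:
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(edges.get(ref, []))
    return seen


def paths_to(edges, start, target, _path=()):
    """All dependency chains from `start` to `target`, i.e. which of your
    direct dependencies are responsible for pulling `target` in."""
    path = _path + (start,)
    if start == target:
        return [path]
    found = []
    for dep in edges.get(start, []):
        if dep not in path:  # cycle guard
            found.extend(paths_to(edges, dep, target, path))
    return found


def unexplained_components(components, edges, root):
    """Components the SBOM lists but the dependency graph never reaches from
    the root: either the graph is incomplete or the package ships unused."""
    return set(components) - transitive_deps(edges, root) - {root}


if __name__ == "__main__":
    components, edges, root = load_sbom(SAMPLE_SBOM)
    print(f"{components[root]['name']} pulls in {len(transitive_deps(edges, root))} components")
    for chain in paths_to(edges, root, "pkg:pypi/urllib3@2.0.7"):
        print("  " + " -> ".join(components[r]["name"] for r in chain))
    print("listed but unexplained:", unexplained_components(components, edges, root))
```

The two checks worth carrying into a real pipeline are the consistency check in load_sbom (a dependency graph that mentions components the inventory never declares is a broken SBOM, not a usable one) and paths_to, which turns "urllib3 is vulnerable" into "requests and boto3 are the direct dependencies you actually have to update".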


Using SBOMs in cybersecurity doesn't eliminate vulnerabilities by itself. What an SBOM does is give users and auditors an inventory they can match against vulnerability databases to find known flaws. Developers still need to know how to evaluate what that match turns up so they can avoid, or patch, software that puts their organizations at risk.

Packagecloud makes it easier to identify vulnerable code by scanning and validating all of the packages in your repository. When Packagecloud finds a known risk, it can alert you to take a closer look or remove the vulnerable code from your repository before updates get pushed to machines on your network.


SBOMs Can Give You Security Scores

Unfortunately, not every developer will spend time reviewing all of the open-source and proprietary components listed in an SBOM. That gap creates opportunities for vulnerable code to enter their repositories unnoticed. Attaching a security score to each finding makes SBOMs in cybersecurity far more useful, because it tells the reader what to look at first.

The most widely used measure is the Common Vulnerability Scoring System (CVSS). CVSS scores an individual vulnerability rather than a component, and its base score summarises how severe the flaw is: how easily it can be exploited and how badly it affects confidentiality, integrity, and availability. CVSS v3.0 and v3.1 map the base score to the following qualitative ratings:

Base Score Range    Severity
0.0                 None
0.1–3.9             Low
4.0–6.9             Medium
7.0–8.9             High
9.0–10.0            Critical

When an SBOM is paired with severity scores for the vulnerabilities that affect its components, developers can see each component's threat level at a glance, which makes it much simpler to use SBOMs in cybersecurity. The base score describes the flaw in isolation, though: whether the vulnerable code is actually reachable in your deployment still has to be judged separately.
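
An added example (not Packagecloud's code or the page's own) of how a severity score gets attached to an SBOM inventory: it matches a list of package URLs against an advisory list, applies the CVSS v3.x bands from the table above, and decides whether a build should be blocked. The package names, advisory identifiers, version ranges, and scores are all constructed for the example and are not real packages or real CVEs; a real pipeline would pull advisories from a vulnerability database.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands, as in the table above.
SEVERITY_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity(base_score):
    """Map a CVSS v3.x base score (0.0-10.0, one decimal) to its qualitative rating."""
    score = round(float(base_score), 1)
    for low, high, name in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS base score out of range: {base_score}")


def parse_version(text):
    """Turn a dotted numeric version such as '2.0.7' into a comparable tuple.
    Deliberately limited to numeric segments: pre-release tags are rejected
    rather than silently misordered."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        raise ValueError(f"unsupported version string: {text!r}") from None


def split_purl(purl):
    """'pkg:pypi/acme-http@2.0.7' -> ('pkg:pypi/acme-http', '2.0.7')."""
    name, sep, version = purl.rpartition("@")
    if not sep or not version:
        raise ValueError(f"purl has no version: {purl}")
    return name, version


@dataclass
class Finding:
    purl: str
    advisory: str
    base_score: float
    severity: str


def match_advisories(inventory, advisories):
    """Return a Finding for every inventory entry whose version falls inside an
    advisory's affected range [introduced, fixed), highest severity first."""
    findings = []
    for purl in inventory:
        name, version = split_purl(purl)
        installed = parse_version(version)
        for adv in advisories:
            if adv["package"] != name:
                continue
            if parse_version(adv["introduced"]) <= installed < parse_version(adv["fixed"]):
                findings.append(Finding(purl, adv["id"], adv["cvss"], severity(adv["cvss"])))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.base_score), reverse=True)


def should_block(findings, fail_at="High"):
    """CI gate: block the build if any finding is at or above the threshold band."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at] for f in findings)


# Constructed inventory (what an SBOM's component list boils down to) and
# constructed advisories. None of these are real packages or real CVEs.
INVENTORY = [
    "pkg:pypi/acme-http@2.0.7",
    "pkg:pypi/acme-tls@2023.7.22",
    "pkg:pypi/acme-parse@1.4.2",
    "pkg:pypi/acme-cli@0.9.0",
]
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:pypi/acme-http", "introduced": "2.0.0", "fixed": "2.0.8", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/acme-tls", "introduced": "2015.4.28", "fixed": "2022.12.7", "cvss": 6.8},
    {"id": "EXAMPLE-0003", "package": "pkg:pypi/acme-parse", "introduced": "1.0.0", "fixed": "1.5.0", "cvss": 9.8},
    {"id": "EXAMPLE-0004", "package": "pkg:pypi/acme-cli", "introduced": "0.1.0", "fixed": "1.0.0", "cvss": 3.1},
]

if __name__ == "__main__":
    results = match_advisories(INVENTORY, ADVISORIES)
    for f in results:
        print(f"{f.severity:8} {f.base_score:4} {f.advisory} {f.purl}")
    print("block build:", should_block(results))
```

Note that acme-tls 2023.7.22 produces no finding even though an advisory exists for the package: it is past the fixed version, which is exactly the distinction a plain name match would get wrong. The gate threshold is a policy choice; failing on High and above is a common starting point, with Medium findings tracked rather than blocking.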


Know the Limits of SBOMs in Cybersecurity

There is a significant place for SBOMs in cybersecurity, but a software bill of materials cannot solve all of your security issues. Knowing the limitations of SBOMs in cybersecurity helps you use the documents as intended instead of relying on them for functions they cannot perform.

It Takes Time To Identify Vulnerabilities

SBOMs can only help you identify known vulnerabilities. Even when you pair SBOMs with Packagecloud, you can only expect the technology to tell you about flawed code that someone has already discovered and published. Unfortunately, it can take quite a while for someone to discover a vulnerability that could help attackers mount a software supply chain attack, and during that window the SBOM looks clean. The practical consequence is that an SBOM has to be rechecked against advisory data continuously rather than once at release time: a component that scanned clean yesterday can become a finding today without any change to your software.

The good news is that problematic components become relatively easy to recognize once someone has identified them, because the SBOM tells you immediately whether you ship the affected version. This is especially true of open-source components, which developers often use to add common features to proprietary software. Widely used open-source code gets more scrutiny than obscure code, so flaws in it tend to be spotted and reported sooner, although that is no guarantee that a long-standing flaw will be found quickly.

Start your free trial with Packagecloud so you'll get alerts about the most recently discovered vulnerabilities.


Logic Bombs Can Go Unnoticed

Logic bombs often fly under the radar because they cause no problems until they're triggered by a specific action. For example, they might sit quietly until the software integrates with another product, reaches a certain number of users, or passes a particular date. Logic bombs are usually very small snippets of code inserted for malicious reasons. The SolarWinds backdoor behaved in a similar way: it stayed dormant for roughly two weeks after installation before contacting its operators. Your DevOps team might not notice the issue until the bomb is triggered, even when they follow best practices. An SBOM lists what a component is, not what its code does, so a malicious insertion into an otherwise legitimate component is invisible to an inventory check; catching it takes controls beyond the SBOM, such as reviewing the diff between releases, reproducible builds, and monitoring for unexpected behaviour at runtime.

Although there are limitations to SBOMs in cybersecurity, they still give vendors, users, and developers several opportunities to protect themselves from threats. 


See How SBOMs in Cybersecurity Work With Packagecloud

Packagecloud is a cloud-based package distribution solution that lets you avoid the expense of updating your IT infrastructure. The platform also comes with several features that make it easier to work with SBOMs in cybersecurity. Packagecloud scans all of your packages and compares them to known cybersecurity threats, including supply chain poisonings and trojan horse attacks. 


Packagecloud also offers private hosting for your repositories. Pulling packages from a controlled environment you own means you decide which packages and versions enter your builds, instead of trusting whatever a public repository happens to serve at the moment of download.

Keep your packages and software supply chain secure by using Packagecloud. You can start a free trial to see how it works for your organization.
