Supply Chain: The Role of Software Bills of Materials
Patrick Dwyer of OWASP Says SBOMs Reduce Attack Surfaces
Software is like a Russian nesting doll: An application is usually composed of a variety of open-source and third-party code libraries wrapped together in complex ways.
Organizations often have no idea what's inside, which poses a threat if a vulnerability is found. But there's growing momentum around the use of software bills of materials, or SBOMs. These list all third-party code and dependencies within an application or device.
SBOMs are used in combination with platforms such as Dependency-Track, which allow for automated supply chain risk analysis, says Patrick Dwyer, an Australian software developer who works with OWASP on CycloneDX, which is one of three specifications for describing software components for SBOMs.
Automated supply chain analysis allows security teams to quickly make risk assessments about new vulnerabilities even if they're unsure exactly how they might be affected. "There's a whole lot of immediate action organizations can take to reduce that risk," Dwyer says.
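The automated analysis described above boils down to cross-referencing the components listed in an SBOM against a vulnerability feed, so that when a new advisory lands the question "are we affected?" can be answered from the inventory rather than by guesswork. The following Python example is added here to illustrate that loop; it is not code from the interview, from Dependency-Track or from the CycloneDX project. The SBOM document is a constructed CycloneDX-style JSON fragment (the field names bomFormat, specVersion, components and purl follow the CycloneDX schema; the package names, versions and advisory ids are invented), and the advisory feed is a constructed placeholder for what a real platform would pull from NVD or similar sources. Matching is by exact version only; production tooling also evaluates version ranges.

```python
import json

# Constructed CycloneDX-style SBOM. Field names follow the CycloneDX schema;
# the packages, versions and coordinates are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "components": [
    {"type": "library", "name": "example-json", "version": "2.1.0",
     "purl": "pkg:maven/org.example/example-json@2.1.0"},
    {"type": "library", "name": "example-http", "version": "4.5.13",
     "purl": "pkg:maven/org.example/example-http@4.5.13"},
    {"type": "library", "name": "example-log", "version": "1.2.17",
     "purl": "pkg:maven/org.example/example-log@1.2.17"}
  ]
}
"""

# Constructed advisory feed: placeholder ids and affected versions, standing in
# for what a platform like Dependency-Track would fetch from public sources.
VULN_FEED = [
    {"id": "EXAMPLE-2021-0001", "severity": "high",
     "purl_prefix": "pkg:maven/org.example/example-log",
     "affected_versions": ["1.2.16", "1.2.17"]},
    {"id": "EXAMPLE-2021-0002", "severity": "medium",
     "purl_prefix": "pkg:maven/org.example/example-json",
     "affected_versions": ["2.0.0"]},
]


def load_components(sbom_json):
    """Return the component list from a CycloneDX JSON document.

    Only the fields this example needs (name, version, purl) are read.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"name": c.get("name"), "version": c.get("version"), "purl": c.get("purl")}
        for c in bom.get("components", [])
    ]


def split_purl(purl):
    """Split a package URL into (package identity, version).

    Qualifiers ('?...') and subpaths ('#...') are dropped, so
    'pkg:maven/org.example/a@1.0?type=jar' yields ('pkg:maven/org.example/a', '1.0').
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    identity, _, version = base.partition("@")
    return identity, version


def match_vulnerabilities(components, feed):
    """Cross-reference SBOM components against the advisory feed.

    Matching is exact-version here; real tooling also evaluates version ranges.
    """
    findings = []
    for comp in components:
        if not comp["purl"]:
            continue  # nothing to match on without package coordinates
        identity, version = split_purl(comp["purl"])
        for advisory in feed:
            if identity == advisory["purl_prefix"] and version in advisory["affected_versions"]:
                findings.append({
                    "id": advisory["id"],
                    "severity": advisory["severity"],
                    "component": comp["name"],
                    "version": version,
                })
    return findings


def analyze(sbom_json, feed):
    """Load an SBOM and return the list of advisories that apply to it."""
    return match_vulnerabilities(load_components(sbom_json), feed)


if __name__ == "__main__":
    for f in analyze(SBOM_JSON, VULN_FEED):
        print(f"{f['id']} ({f['severity']}): {f['component']} {f['version']}")
```

Run as a script it flags only example-log 1.2.17; example-json is listed in the feed but at a version the SBOM does not contain, which is exactly the distinction an SBOM lets a security team draw immediately when a new advisory is published.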
A sweeping cybersecurity order signed earlier this month by President Joe Biden will require vendors to supply U.S. federal government agencies with SBOMs for purchased software. The requirement is one of several designed to increase supply chain security in the U.S. (see: Executive Order Focuses on Supply Chain Risk Management).
In this video interview with ISMG, Dwyer discusses:
- How SBOMs help organizations quickly discover and mitigate software vulnerabilities;
- How organizations can start with SBOMs on procurement projects;
- How SBOMs integrate with other platforms to support continuous analysis of software.
Dwyer is a member of the CycloneDX SBOM Specification Core Team and of OWASP, the Open Web Application Security Project. He is also software developer lead for a government council in Queensland, Australia.