How Agencies are Paving the Way for SBOMs
Agencies such as the State Department also have work to do as future SBOM consumers, said Louis Blazy, that agency’s Cybersecurity-Supply Chain Risk Management and Emerging Technologies Working Group lead, on Monday.
For starters, agencies haven’t drafted agreed-upon procurement language for requiring SBOMs in solicitations. They also haven’t figured out how to conduct software assurance reviews of SBOMs — a step that’s essential to using them, Blazy said.
Some agencies use artificial intelligence-based supply chain illumination tools supplemented by intelligence analysis of software vendors to reduce the amount of code they need to review. But that process has cost limitations.
“Probabilistic risk assessments within a C-SCRM area are an emerging need within the industry that is not being addressed,” Blazy said.
Ongoing Challenges with Open-Source Software
In the meantime, agencies continue to suffer attacks through open-source repositories such as GitHub and GitLab.
“We keep using code that we know is vulnerable because it’s cheap and it’s effective,” Blazy said. “You can provide delivery.”
Unfortunately, guidance on testing open-source software hasn’t matured accordingly, he added.
Some studies estimate that as much as 90 percent of software products contain open-source components, Butera said.
CISA needs to make cyberdefense tools available to other agencies, so it tries to open-source as many of them as possible. As a result, the agency’s focus is on ensuring the most prevalent commercial and other open-source software it uses employs the right testing and secure development foundations and is properly resourced, Butera said.
To that end, CISA released its secure-by-design and default principles on April 13, which it wants to see applied to on-premises, mobile, cloud, IT and operational software, and possibly to hardware.
At the same time, CISA is trying to help small companies begin their secure-by-design journeys.
“There’s some work being done to try to create more open-source tools to help small companies do more secure coding,” Butera said.