Lou Blazy, C-SCRM lead at the State Department, joins a panel of experts discussing the federal cyber supply chain with fellow panelists at the ACT-IAC Emerging Technology & Innovation Conference in Cambridge, Maryland on May 8, 2023.

May 08 2023

ETIC 2023: CISA Developing SBOM Ecosystem for Open-Source Software Visibility

Agencies still need to figure out how to require and use a software bill of materials.

The Cybersecurity and Infrastructure Security Agency is developing a software bill of materials ecosystem that companies can publish to, so agencies have greater visibility into software programming libraries, versions and underlying components.

Speaking at ACT-IAC’s Emerging Technology and Innovation Conference, CISA’s Technical Director for Cyber Christopher Butera said his agency needs vendor feedback to ensure future, more prescriptive SBOM guidance is feasible.

The government increasingly wants software vendors to provide SBOMs — machine-readable inventories of interrelated components — after witnessing the “cascading” effects of “significant” vulnerabilities in widely used open-source software, as with the Log4Shell vulnerability discovered in November 2021, Butera said. Getting vendors on board with CISA’s admittedly radical vision for software transparency and accountability will take time.

“There’s a ton of work to be done in the space,” Butera said. “And it requires the whole community to really join with us to help us move along.”


How Agencies are Paving the Way for SBOMs

Agencies such as the State Department also have work to do as future SBOM consumers, said Louis Blazy, that agency’s Cybersecurity-Supply Chain Risk Management and Emerging Technologies Working Group lead, on Monday.

For starters, agencies haven’t drafted agreed-upon procurement language for requiring SBOMs in solicitations. They also haven’t figured out how to conduct software assurance reviews of SBOMs — a step that’s essential to using them, Blazy said.
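As an added illustration of what consuming an SBOM actually looks like, both for the Log4Shell question raised above (which shipped components carry a vulnerable log4j-core?) and for the assurance review Blazy says agencies have not yet worked out: the script below parses a CycloneDX-style JSON SBOM and matches each component's package URL (purl) against a small advisory table. This is example code written for this page, not tooling from CISA, the State Department or any vendor. The SBOM document, the advisory table and its version range are constructed for the example; the Log4Shell range is a deliberate simplification of the published advisory for CVE-2021-44228, and a real review would pull ranges from NVD, OSV or the vendor's VEX statements rather than hard-code them.

```python
"""Minimal SBOM consumer: read a CycloneDX JSON SBOM and flag components
whose purl and version fall inside a known vulnerable range.

Example code added for illustration; not CISA's or any agency's tooling.
"""
from __future__ import annotations

import json
import re

# Constructed sample SBOM in CycloneDX 1.4 JSON layout, trimmed to the fields
# this example needs. purls are the standard component identifier in both
# CycloneDX and SPDX, so matching on them is format-neutral.
SAMPLE_SBOM = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    {"type": "library", "name": "internal-util", "version": "1.0"}
  ]
}
'''

# Illustrative advisory table keyed by version-less purl. The range below is a
# simplification of CVE-2021-44228 (vulnerable from the 2.x line up to the
# 2.15.0 fix); production tooling should load ranges from NVD/OSV/VEX.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0"},
    ],
}

_NUM = re.compile(r"\d+")


def parse_version(v: str) -> tuple[int, int, int]:
    """Reduce a version string to three numeric components so that "2.14.1",
    "2.0-beta9" and "2.15" compare the way Maven users expect. Pre-release
    tags after '-' are dropped, which treats 2.15.0-rc1 as 2.15.0; a real
    tool should use a proper versioning library for the ecosystem."""
    head = v.split("-", 1)[0]
    nums = [int(n) for n in _NUM.findall(head)][:3]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2])


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into the
    version-less key and the version; qualifiers and subpath are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        key, version = base.rsplit("@", 1)
        return key, version
    return base, None


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open, like advisories)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def review_sbom(sbom_json: str, advisories=ADVISORIES):
    """Return (findings, unreviewable). findings are (name, version, advisory id)
    triples; unreviewable lists component names that carry no purl, which a
    software assurance review must surface rather than silently pass."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings, unreviewable = [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unreviewable.append(comp.get("name", "<unnamed>"))
            continue
        key, version = split_purl(purl)
        version = version or comp.get("version")
        if version is None:
            unreviewable.append(comp.get("name", "<unnamed>"))
            continue
        for adv in advisories.get(key, []):
            if in_range(version, adv["introduced"], adv["fixed"]):
                findings.append((comp.get("name"), version, adv["id"]))
    return findings, unreviewable


if __name__ == "__main__":
    hits, gaps = review_sbom(SAMPLE_SBOM)
    for name, ver, cve in hits:
        print(f"VULNERABLE {name} {ver}: {cve}")
    for name in gaps:
        print(f"UNREVIEWABLE {name}: no purl, cannot match against advisories")
```

Two design points carry over to real reviews. First, matching on purl rather than on the free-text name avoids false negatives from vendors that rename or repackage components. Second, a component with no identifier is a finding in itself, since an SBOM that cannot be matched against advisories gives the consumer none of the visibility the article describes.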

Some agencies use artificial intelligence-based supply chain illumination tools supplemented by intelligence analysis of software vendors to reduce the amount of code they need to review. But that process has cost limitations.

“Probabilistic risk assessments within a C-SCRM area are an emerging need within the industry that is not being addressed,” Blazy said.


Ongoing Challenges with Open-Source Software

In the meantime, agencies continue to suffer attacks that arrive through open-source code pulled from repositories such as GitHub and GitLab.

“We keep using code that we know is vulnerable because it’s cheap and it’s effective,” Blazy said. “You can provide delivery.”

Unfortunately, guidance on testing open-source software hasn’t matured accordingly, he added.

Some studies estimate as much as 90 percent of software products contain open-source components, Butera said.

CISA itself depends on open-source software: it needs to make its cyberdefense tools available to other agencies, so it open-sources as many of them as possible. Its focus is therefore on ensuring that the most prevalent commercial and open-source software it uses employs the right testing and secure development foundations and is properly resourced, Butera said.

To that end, CISA released its secure-by-design and default principles on April 13, which it wants to see applied to on-premises, mobile, cloud, IT and operational software, and possibly to hardware.

At the same time, CISA is trying to help small companies begin their secure-by-design journeys.

“There’s some work being done to try to create more open-source tools to help small companies do more secure coding,” Butera said.


Photography by Dave Nyczepir
