Technology Pro Tip: Ask for a Software Bill of Materials
With the rise of supply chain attacks, getting a stronger handle on what’s in the enterprise tools you buy could save you headaches down the line. It’s a strategy the White House endorses.
Associations often work closely with industry partners and technology vendors, and while they may be paying for the vendor’s services, they may also be indirectly paying for the tools and services that the vendor relies on.
Given the current security landscape, should your association be aware of how your tech supply chain works? Now is a good time to ask.
What’s the Strategy?
Associations looking to sign on the dotted line should ask the vendor for a dash of transparency—something called a software bill of materials (SBOM). The idea is similar to a nutrition label on a box of cereal: Those who want to know where their software is coming from—whether an open-source project, a proprietary tool, a cloud-based vendor—can see it easily without having to dig deep.
This approach has the backing of no less than the White House, which released an executive order this year calling on federal contractors to provide “a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.”
While optional for federal contractors, the order came on the heels of the Colonial Pipeline incident, in which ransomware took down a major fuel distributor on the East Coast.
Why Is It Effective?
It’s timely, as security is front of mind for many organizations, associations included. Supply chain attacks, such as Colonial Pipeline and SolarWinds, are seen as an increasing security risk for many organizations. Because they’re indirect, they can infiltrate systems that are otherwise secure.
By understanding the software your vendors use, you can better manage your infrastructure. The result: When a security issue emerges, you can adjust more effectively.
(It’s also effective for the vendors, by the way: An Intel study from this year found that 73 percent of respondents were more likely to go with companies that were proactive on cybersecurity risk—which 48 percent of the respondents’ providers aren’t.)
What’s the Potential?
This might sound like a complicated process of accounting, but technology is emerging to make it a bit more user-friendly.
The Linux Foundation is working on the Software Package Data Exchange (SPDX) standard to make the process easier to follow, similar to how nutrition labels are standardized. Additionally, new tech efforts are emerging to verify and notarize SBOMs so they can be trusted.
One such service, the Codenotary Community Attestation Service, was announced last month. Writing in ZDNet, tech journalist Steven J. Vaughan-Nichols explained that this could help instill trust in the enterprise.
“This, unlike other SBOM systems, makes no guarantee about the safety of the components in your program,” he wrote. “What it does do is assure your customers that the programs, code, libraries, container images, and so on truly are the ones you’ve promised them. This is no small thing.”
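As an added illustration of the two ideas above (the SPDX label listing what is in a product, and checking that what was delivered is what was promised), here is a small Python example that is not from the article, the SPDX project, or Codenotary: the vendor-side function stands in for a vendor's build tooling, the consumer-side functions show how a buyer would read the label and check it, and all component names, versions and bytes are constructed sample data. It follows the field names of the SPDX 2.3 JSON format and models only the checksum comparison, not a notary service.

```python
import hashlib

# Vendor side: build an SPDX 2.3-style JSON SBOM for the delivered components.
# The component names, versions and bytes used below are constructed sample data.
def publish_sbom(product, components):
    # components: {name: (version, artifact_bytes)} -> SPDX-shaped dict
    packages = []
    for name, (version, data) in components.items():
        packages.append({
            "name": name,
            "SPDXID": f"SPDXRef-{name}",
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": hashlib.sha256(data).hexdigest()}],
        })
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "name": product, "packages": packages}

# Consumer side: the "nutrition label" view, one (name, version) per component.
def list_components(sbom):
    return sorted((p["name"], p["versionInfo"]) for p in sbom["packages"])

# Consumer side: check that each delivered artifact matches the SBOM's checksum.
def verify_delivery(sbom, delivered):
    # delivered: {name: artifact_bytes}. Returns {name: True/False}; a component
    # missing from the delivery or lacking a SHA256 entry is reported as failed.
    result = {}
    for p in sbom["packages"]:
        declared = {c["algorithm"]: c["checksumValue"] for c in p["checksums"]}
        data = delivered.get(p["name"])
        result[p["name"]] = (data is not None and "SHA256" in declared
                             and hashlib.sha256(data).hexdigest() == declared["SHA256"])
    return result

# Consumer side: when an advisory names a component and version, find it in the SBOM.
def find_affected(sbom, name, version):
    return [p["SPDXID"] for p in sbom["packages"]
            if p["name"] == name and p["versionInfo"] == version]

# Constructed example run: one component was swapped after the SBOM was issued.
COMPONENTS = {"libparse": ("1.4.2", b"libparse-1.4.2 build A"),
              "webui": ("3.0.0", b"webui-3.0.0 build A")}
SBOM = publish_sbom("example-app", COMPONENTS)
DELIVERED = {"libparse": b"libparse-1.4.2 build A", "webui": b"webui-3.0.0 build B"}

if __name__ == "__main__":
    print(list_components(SBOM))
    print(verify_delivery(SBOM, DELIVERED))   # libparse passes, webui fails
```

In the sample run the "webui" artifact no longer matches the hash the SBOM declared, which is exactly the discrepancy an attestation service is meant to surface before the software is trusted.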