Given the significant cyber security problems that the SolarWinds, Log4j and other software supply chain infections created over the past two years, it's no surprise that software security emerged as a hot topic at this year's RSA conference.
Ahead of the event, ReversingLabs released a survey it commissioned of over 300 senior software employees on the struggles their firms face in detecting supply chain attacks.
Despite the recent spate of high-profile software supply chain security incidents, the ReversingLabs study found that fewer than four in ten companies say they can detect tampering with developed code. In addition, less than 10 per cent of companies are reviewing software at each product lifecycle stage for evidence of tampering or compromises.
SBOM usage is sparse but expected to grow rapidly
When it comes to one crucial emerging tool that can better ensure software security, a software bill of materials (SBOM), ReversingLabs survey found that only 27 per cent of the IT professionals surveyed said their employer generates and reviews SBOMs before releasing software.
Of those respondents who do not develop SBOMs, 44 per cent cited a lack of expertise and staffing needed to do so, while 32 per cent cited a lack of budget for implementing SBOM. Only seven per cent of respondents at companies that don't produce SBOMs said the reason was that an SBOM wasn't needed.
The sparse usage of SBOMs is quickly becoming a thing of the past for two primary reasons, Allan Friedman, senior advisor and strategist at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told RSA attendees. First, because of events like SolarWinds, organisations are starting to demand SBOMs for the software they use as a security measure to identify problematic code.
Second, under President Biden's cyber security executive order issued last year, any company that sells software to the federal government will be mandated to provide a complete SBOM.
"If you want to have a secure development process, it's very hard to say that you have one if you are not tracking your [software] dependencies," Friedman said. "If you are in the business of buying software or selecting open-source components, you need to understand supply chain risks. You need to understand vulnerability risks.
"And, of course, to do that, you need to know what's under the hood. For those of us who operate software, we need to understand what's in there so that when a new risk emerges, we can react quickly and efficiently."
Kate Stewart, vice president, Dependable Embedded Systems at the Linux Foundation, said that despite the low adoption rate of SBOMs now, roughly 78 per cent of the companies the Foundation surveyed said they're going to be using SBOMs this year. "People are tooling up. They are getting ready internally and externally," she said.
New SBOM tools emerging
Friedman thinks that as SBOMs increase over the coming year, many new tools are going to emerge that make the adoption of SBOMs easier.
"Different solutions are going to emerge," he said. "So, whatever we're building to support the tooling ecosystem needs to acknowledge that in a year or two, there will be a whole bunch of tools that don't exist today."
An essential point for Stewart is that whatever tools are developed to make it easier to create and store the data that SBOMs need, open source software suppliers aren't overlooked in the mix. "We need to make sure that the solutions we put in place for companies are going to work well for the open-source community and that we have tooling there," she told the conference attendees.
Transparency in the SBOM tooling ecosystem is critical
According to Friedman, transparency in the SBOM tooling ecosystem is critical to help drive security and innovation. "The goal here is to create a common frame of reference so that we know, 'Hey, we're talking about this kind of tool, we're talking about that kind of tool.' These two tools have slightly different features."
Stewart said that the ability to find the right SBOM tools is limited, which is a challenge for the year ahead. "You can find these tools that are out there today, but is it sufficient? Is it nice and structured? Can I go to one place and search for all of it? No, we don't have that yet."
Another challenge facing SBOM adoption is the importance of applying SBOM to the cloud. "We know that we're heading to the cloud environment, SaaS environment. So, we need to understand what SBOM looks like" in those environments, Friedman said.
SBOM won't work well without good asset management, which, although fundamental to cyber security overall, is a chronic problem for most organisations.
"SBOM isn't terribly helpful if we don't have a good asset management solution," Friedman said. "I used to begin my SBOM talks by saying, if you are in an organisation that doesn't have a good asset management story, please leave right now."
Trust in software is a dynamic process
One of the challenges of modern software is that, unlike in the past when trust was binary, today trust is a dynamic process, Tony Sager, senior vice president and chief evangelist, Center for Internet Security, told RSA attendees.
"Why do we have complicated supply chains?" he asked. "The answer to that is efficiency. We're trying to control costs. By doing that, you're pushing complexity down another level. We can have suppliers all over the world, but at the same time, we don't know who any of them is. This is not about a binary condition. Trust becomes a dynamic condition."
Steve Lipner, executive director at SAFEcode, sees three primary threats to software supply chain security. The first is a malicious supplier. "If I've got somebody in my supply chain, who I am relying on and who is trying to do me in, I'm in big trouble," he said. "There is no easy way to evade that. I'm probably not going to be able to mitigate that."
The second threat is buggy or vulnerable software, "all the usual things that people worry about under the rubric of software security." The third problem is the unauthorised modification in development or delivery, which is what happened in the case of SolarWinds.
"The point is addressing the malicious supplier doesn't address the buggy software, and addressing the buggy software doesn't address unauthorised modification," Lipner said." So, it's really a three-part problem. Everybody in the supply chain has the same set of problems."
SolarWinds CEO offers a unique solution
SolarWinds CEO Sudhakar Ramakrishna offered a unique solution to the problem of software security at the conference: Every software or technology company should hire an employee dedicated to supporting CISA.
"The only way our industry will be able to effectively respond to the evolving threat landscape is through a true partnership between the public and private sectors," he said.
"Today, we are calling on the entire software industry to join us in this effort and encourage every software or technology company in the U.S. to commit one full-time employee to work under the guidance and direction of CISA to support both threat intelligence and information sharing. SolarWinds has made this commitment and my hope is other companies will join us in this endeavour."