Software is essential to our lives in today’s digital world, from communication to national security. India’s software ecosystem is expanding rapidly across numerous domains. Software must be secured to maintain its integrity, and SBOMs are essential in achieving this goal.
Note: Alongside introducing the EXPLIoT Framework’s SBOM generation plugin, this blog underlines SBOM’s significance today and its indispensable role in safeguarding India’s software ecosystem.
Imagine the government and private companies asking for your product’s SBOM to ensure compliance. What’s the significance of SBOMs in this context, and how are they becoming crucial in diverse sectors? Let’s take a deep dive into the world of SBOMs and uncover their transformative role.
What is a Software Bill of Materials?
A software bill of materials (SBOM) is a formal, machine-readable document that lists the components, dependencies, and libraries that make up a software application. It records key information about each component, such as version numbers and licensing data, and can be cross-referenced against vulnerability databases (CycloneDX can also embed known vulnerabilities directly in the document). SBOMs give a clear view of an application’s software supply chain, helping organizations manage and secure their software efficiently.
What is a supply chain attack, and why is it important for SBOM?
A supply chain attack occurs when attackers compromise or tamper with the components or dependencies used in an application, breaching the software supply chain rather than the application’s own code. Unauthorized access, data breaches, financial losses, and reputational harm are all possible outcomes. An SBOM does not prevent such an attack, but because it offers a visible inventory of every component in an application, it lets an organization quickly answer the question that matters most once a compromise is disclosed: do we ship the affected component, and in which products?
A few well-known supply chain attacks up to 2023
What makes the SBOM important?
The complexity of the software supply chain and the extent of code reuse have made it crucial to inventory all components used in an application in order to detect and resolve vulnerabilities. SBOMs help avoid reusing vulnerable components, discover vulnerabilities in applications already in production, and manage software supply chain risk. They also aid compliance with data protection regulations, vendor selection, and maintenance of application inventories. By surfacing vulnerabilities early in the SDLC, SBOMs save time and resources. The U.S. government’s executive order on software supply chain security (EO 14028, May 2021) has spurred commercial enterprises to take action.
White House Executive Order on Improving the Nation’s Cybersecurity
Features of the SBOM
- Comprehensive Component Identification:
- SBOMs provide a detailed inventory of all the components and dependencies used in an application.
- Version tracking:
- SBOMs keep track of each component’s version number to ensure businesses are aware of any outdated or vulnerable software.
- Vulnerability management:
- By identifying known vulnerabilities related to particular software components, SBOMs enable organizations to give these issues top priority and deal with them at the earliest.
- Continuous Monitoring:
- SBOMs make it possible to continuously monitor the software supply chain, ensuring that any modifications or newly discovered vulnerabilities are quickly found and fixed.
- Building Trust with Customers:
- With data breaches and cyber-attacks making headlines regularly, customers are increasingly concerned about the security of the software products they use. Sharing an SBOM lets a vendor show exactly what its product contains.
- Scalability:
- SBOM tooling scales to large volumes of software components across multiple applications.
SBOM’s importance to the SDLC
By increasing transparency, security, and efficiency at all phases of software development and deployment, the Software Bill of Materials (SBOM) plays an important part in the Software Development Life Cycle (SDLC). The contribution of SBOM to various stages of SDLC is as follows:
- Requirement Analysis:
- SBOM can be used to find potential dependencies on open-source libraries and third-party components while creating the requirements for a software project. As a result, the development team may make plans knowing which software components they will be using.
- Design Phase:
- The development team can make wise choices about software components during the design process by taking into account elements like licensing, security flaws, and compatibility. In order to help architects create systems with a better grasp of the software supply chain, SBOM offers a clear perspective of dependencies.
- Development Phase:
- Developers can write secure, compliant code with the help of SBOM. To learn which components are being used and to take the appropriate safety measures, they can consult the SBOM. In order to assure compliance with open-source licenses and prevent legal problems, it also aids in tracking licenses.
- Testing Phase:
- Testing and vulnerability management are made easier by SBOM. Security teams can execute targeted testing on components with possible security risks and cross-reference the SBOM with known vulnerabilities. Early on in the SDLC, this proactive approach aids in identifying weaknesses.
- Deployment Phase:
- The SBOM offers an extensive list of all the parts that will be in the finished product before deployment. This makes it easier to produce correct documentation, assist compliance initiatives, and guarantee that the application is configured as intended before deployment.
- Maintenance and Updates:
- Updates, patches, and security fixes are essential over the software’s lifetime. With its explicit component inventory, the SBOM helps control these changes. When a vulnerability is disclosed, the SBOM identifies the affected components, enabling faster remediation and lowering the likelihood of a security breach.
- Supply Chain Management:
- It’s critical to keep an eye on the software supply chain because software frequently uses third-party components. SBOM enables the ongoing monitoring of components and the hazards they entail. Over time, this becomes essential for maintaining the software’s security and integrity.
- Auditing and Compliance:
- One of the most important factors in software development is regulatory compliance. By giving proof of the software’s parts and their licenses, SBOM helps with compliance. To demonstrate compliance with legal and security standards, this information can be shared with auditors and regulators.
- Risk Mitigation:
- SBOM assists in identifying and controlling risks introduced by third-party components. By keeping the SBOM up to date, development teams can immediately evaluate the impact of newly disclosed vulnerabilities and take the necessary steps to minimize potential risks.
- Post-Incident Analysis:
- An accurate SBOM can help determine the scope of a security compromise and its effects on the software ecosystem in the unfortunate case of a breach or incident. For post-incident analysis and recovery, this data is useful.
By incorporating SBOM into the SDLC, development teams are given an in-depth knowledge of the software’s structure, which aids in decision-making, risk mitigation, security enhancement, and compliance maintenance.
Following are a few real-world cases of the use of Software Bill of Materials (SBOM) and its importance in various Indian sectors:
- IT Products and Services:
- A new financial management application is being developed by an Indian software business. They use SBOMs to ensure the security and transparency of their software supply chain. Their tooling generates a comprehensive catalogue of all open-source and third-party components used in the software, including their dependencies and known security flaws. This lets them handle security threats and keep up with open-source license obligations.
- Critical Infrastructure (ICS/SCADA) Manufacturing:
- Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are used by a manufacturing plant in India to manage production operations. To keep track of the libraries, firmware, and software parts used, they create SBOMs for these systems. They can rapidly recognize the affected components in the event of any security flaws or updates and take the required precautions to reduce risks.
- Healthcare & Medical Services:
- An Indian company that specialises in healthcare technology creates software and medical devices for patient monitoring. They use SBOMs in the software of their devices to assure compliance with rules, simplify maintenance, and enhance patient safety. They can quickly alert healthcare professionals and patients about software flaws or vulnerabilities and advise them to take the appropriate safety measures.
- Automotive:
- Advanced driver assistance systems (ADAS), engine management, and other services are all built into the cars made by an Indian manufacturer using cutting-edge software. They can keep track of the software elements used in various automotive systems by implementing SBOMs. This enables them to effectively manage recalls and quickly respond to possible security flaws.
- BFSI & Fintech:
- An Indian financial organization provides fintech and internet banking services. They use SBOMs to keep track of the software components that make up their apps, assuring security and compliance with laws. They may immediately fix any vulnerabilities found in any component, preventing possible breaches and financial damage.
- Telecommunications:
- Voice, data, and video communication are just a few of the services offered by an Indian telecommunications business. To keep track of the software elements that make up their network infrastructure and services, they use SBOMs. This helps them maintain network security, stability, and compliance with data privacy laws. If any vulnerabilities are found, they can take the necessary steps to protect the data and services of their clients.
What happens if India does not implement SBOM in government entities and the private sector?
Without SBOM adoption, organizations would face heightened cybersecurity risk, weaker supply chain security, regulatory compliance challenges, slower vulnerability management, eroded customer trust, and greater financial and operational exposure. They would struggle to identify vulnerable components, track the software they run, and demonstrate compliance, leaving systems open to attack and exposing them to legal and financial repercussions. India should move quickly on SBOM adoption to strengthen cybersecurity, protect sensitive data, meet regulatory requirements, and maintain public trust across both sectors.
SBOM standards define common formats for representing SBOM data. Some widely used standards include:
- CycloneDX by OWASP:
- Focus: Lightweight, user-friendly SBOM format.
- Details Included: Component info, versions, licenses, vulnerabilities.
- Purpose: Enhance transparency and security in the software supply chain.
- Developed by: The OWASP CycloneDX core working group and community contributors.
- SPDX (Software Package Data Exchange):
- Focus: Standardize software package information sharing.
- Included Metadata: Software packages, licenses, copyrights.
- Purpose: Streamline software asset management and sharing.
- Developed by: The Linux Foundation’s SPDX workgroup; SPDX 2.2.1 is also published as ISO/IEC 5962:2021.
- SWID (Software Identification):
- Use: Uniquely identify software components.
- Details: Software name, version, publisher.
- Benefit: Boost software asset management and supply chain security.
- Developed by: ISO/IEC JTC 1 (Joint Technical Committee 1), subcommittee SC 7, and specified in ISO/IEC 19770-2 within the ISO/IEC 19770 IT asset management standard series.
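The following Python script is an added example written for this post; it is not code from the EXPLIoT project or from any of the standards bodies above. It shows what the vulnerability-management feature described earlier looks like once an SBOM exists: a minimal CycloneDX 1.4 JSON document is parsed and each component is matched against a list of advisories. Both the SBOM and the advisory list are constructed for illustration, with fictitious package names and advisory IDs (EXAMPLE-ADV-*) rather than real CVE data, and the version comparison is deliberately simplified to dotted numeric versions.

```python
"""Cross-reference a CycloneDX JSON SBOM against known-vulnerable package
versions.  Added example for this post; not code from the EXPLIoT project.
The SBOM and the advisory list are constructed with fictitious package names
and advisory IDs, not real CVE data."""
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM with three components.  The field names
# (bomFormat, specVersion, components[].purl) follow the CycloneDX JSON schema.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "acme-tls", "version": "1.0.2",
         "purl": "pkg:generic/acme-tls@1.0.2"},
        {"type": "library", "name": "acme-httpd", "version": "2.4.51",
         "purl": "pkg:generic/acme-httpd@2.4.51"},
        {"type": "library", "name": "acme-zip", "version": "1.2.13",
         "purl": "pkg:generic/acme-zip@1.2.13"},
    ],
})

# Constructed advisories with hypothetical IDs.  A package is affected when
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acme-tls",
     "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "EXAMPLE-ADV-0002", "package": "acme-httpd",
     "introduced": "2.4.0", "fixed": "2.4.50"},
    {"id": "EXAMPLE-ADV-0003", "package": "acme-zip",
     "introduced": "1.2.0", "fixed": "1.2.12"},
]


def parse_version(text):
    """Split a dotted numeric version into an int tuple for ordering.
    Simplification: real tooling orders versions by ecosystem rules
    (semver, deb, rpm), not by plain numeric components."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def load_components(sbom_text):
    """Parse CycloneDX JSON and return its component list; reject other formats."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def is_affected(version, advisory):
    """True when version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(components, advisories):
    """Return (purl, advisory id, fixed version) for every affected component."""
    hits = []
    for comp in components:
        for adv in advisories:
            if comp.get("name") == adv["package"] and is_affected(comp["version"], adv):
                hits.append((comp.get("purl", comp["name"]), adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id, fixed in find_affected(load_components(SBOM_JSON), ADVISORIES):
        print(f"{purl}: {adv_id} (upgrade to >= {fixed})")
```

Real consumers such as Dependency-Track match on the Package URL and apply ecosystem-specific version ordering; the point here is that once the inventory exists, answering “are we shipping an affected version?” becomes a lookup instead of a re-scan of the build.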
Introducing EXPLIoT v0.10.0 Tool for SBOM Generation
EXPLIoT is a Framework for security testing and exploiting IoT products and IoT infrastructure. It provides a set of plugins (test cases) used to perform the assessment and can be extended easily with new ones. The name EXPLIoT (pronounced expl-aa-yo-tee) is a pun on the word exploit and explains the purpose of the framework, i.e. IoT exploitation.
It is written in Python.
EXPLIoT SBOM Plugin for IoT Compliance
It is essential to guarantee the security and compliance of IoT products in the quickly developing IoT landscape. With the rapid uptake of IoT, it is now essential to protect these devices from potential threats and follow the legal guidelines governing their production, development, and use.
IoT-specific rules and standards are being developed by governments and non-profits around the world to protect the security and privacy of these products. As the sector works towards compliance, the need for tools and automation that help meet these standards grows.
The EXPLIoT Framework addresses this need by aiming to make IoT compliance verification simpler. The framework will gradually roll out compliance plugins and modules to help the community meet these criteria efficiently.
Compliance Modules: CycloneDX
We have incorporated CycloneDX SBOM generation for the firmware filesystem.
This plugin generates an SBOM (Software Bill of Materials) from the firmware file system that conforms to the CycloneDX SBOM specification. CycloneDX is an open specification for producing SBOMs. More details can be found here – CycloneDX.
ef> run firmware.linux.gencdxbom -h
Sample SBOM Output Examples:
Generate a CycloneDX SBOM from an extracted firmware filesystem and write the SBOM JSON to a file with the -f option.
You can also use the verbose (-v) option to see the SBOM details on the console. Please note that this verbose output is for viewing only and does not conform to the CycloneDX specification.
CycloneDX Property Taxonomy
CycloneDX components may carry custom properties as name/value pairs. To keep property names from colliding between tools, CycloneDX maintains a property namespace taxonomy – CycloneDX Property Taxonomy – under which each project defines its own namespaced properties.
EXPLIoT Namespace Taxonomy
EXPLIoT defines its own expliot namespace for the specialized properties its plugins emit.
- Property: expliot:file
- Description: Namespace for properties specific to files
expliot:file Namespace Taxonomy
- Property: expliot:file:path
- Description: The path of the file in the package (software, firmware etc.)
- Property: expliot:file:mode
- Description: The file mode string as shown by ls -l on a Linux system (for example, -rwxr-xr-x)
- Property: expliot:file:size
- Description: The size of the file in bytes
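As an added example (not the plugin’s own source; the exact shape of gencdxbom’s output is not shown on this page and is assumed here), the Python script below walks an extracted root filesystem and emits a CycloneDX 1.4 JSON document in which every regular file becomes a component of type file carrying the three expliot:file properties above, plus a SHA-256 hash. The sample rootfs (bin/sh and etc/device.conf) is constructed in a temporary directory; the leading slash on expliot:file:path, the metadata block, and the unknown_properties() guard are this example’s own choices.

```python
"""Generate a CycloneDX-style SBOM of an extracted firmware filesystem, tagging
each file component with the expliot:file:* properties.  Added example for
this post, not the EXPLIoT plugin's code; the output shape is an assumption.
The sample root filesystem is constructed in a temporary directory."""
import hashlib
import json
import os
import stat
import tempfile

# Property namespaces this generator is permitted to emit (see taxonomy above).
KNOWN_NAMESPACES = ("expliot:file:",)


def file_component(root, rel_path):
    """Build one CycloneDX 'file' component with the expliot:file namespace
    properties (path, Linux mode string, size) and a SHA-256 hash."""
    full = os.path.join(root, rel_path)
    st = os.lstat(full)
    with open(full, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "type": "file",
        "name": os.path.basename(rel_path),
        "hashes": [{"alg": "SHA-256", "content": digest}],
        # CycloneDX property values are strings, so the size is stringified.
        # Assumption: paths are reported absolute relative to the rootfs.
        "properties": [
            {"name": "expliot:file:path", "value": "/" + rel_path},
            {"name": "expliot:file:mode", "value": stat.filemode(st.st_mode)},
            {"name": "expliot:file:size", "value": str(st.st_size)},
        ],
    }


def generate_bom(root):
    """Walk the extracted filesystem in sorted order and emit a CycloneDX 1.4
    document (regular files only; directories and symlinks are skipped)."""
    components = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fname in sorted(filenames):
            full = os.path.join(dirpath, fname)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            components.append(file_component(root, rel))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "firmware",
                                   "name": os.path.basename(root.rstrip(os.sep)) or "rootfs"}},
        "components": components,
    }


def unknown_properties(bom):
    """Return property names outside the declared namespaces; this catches
    typos such as 'expliot:files:size' before the SBOM is shipped."""
    return sorted({p["name"]
                   for c in bom.get("components", [])
                   for p in c.get("properties", [])
                   if not p["name"].startswith(KNOWN_NAMESPACES)})


def demo():
    """Construct a tiny fake rootfs (sample data, not a real firmware image)
    and return the generated BOM."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "rootfs")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        sh = os.path.join(root, "bin", "sh")
        with open(sh, "wb") as fh:
            fh.write(b"#!/bin/sh\necho hello\n")   # 21 bytes
        os.chmod(sh, 0o755)
        cfg = os.path.join(root, "etc", "device.conf")
        with open(cfg, "wb") as fh:
            fh.write(b"telnet=enabled\n")          # 15 bytes
        os.chmod(cfg, 0o644)
        return generate_bom(root)


if __name__ == "__main__":
    bom = demo()
    print(json.dumps(bom, indent=2))
    print("properties outside taxonomy:", unknown_properties(bom))
```

Running the script prints the BOM for the constructed rootfs. The unknown_properties() check is the practical reason to maintain a taxonomy at all: downstream consumers can only rely on expliot:file:path and friends if every producer spells them the same way.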
As IoT compliance becomes an ever more pressing concern, the EXPLIoT SBOM plugin helps simplify compliance verification. By producing output in an established standard like CycloneDX and keeping its property taxonomy precise, EXPLIoT helps IoT vendors show that their devices meet the required security and regulatory criteria.
The EXPLIoT Framework produces basic SBOM structures in CycloneDX format. If you are interested in a more complete SBOM, take a look at IotAuditor from expliot.io, which adds:
- Package detection
- Version detection
- CVE detection
Please note that IotAuditor is a commercial product, while the EXPLIoT Framework is open source. We will soon add more features to both IotAuditor and the EXPLIoT Framework.
Here are the other SBOM (Software Bill of Materials) tools widely used in the industry:
- Scribe Security: SBOM management platform for creating, managing, and exchanging SBOMs in order to continuously attest to the security and integrity of software.
- Mend (formerly WhiteSource): Software composition analysis (SCA) with SBOM generation and automated remediation.
- JFrog Xray: JFrog Xray is an advanced DevSecOps tool that provides SBOM analysis, vulnerability scanning, and artefact repository management.
- CodeNotary: Collects SBOMs in real time and presents them on a single dashboard.
- Snyk: Snyk offers a range of developer-focused tools, including SBOM generation, vulnerability scanning, and open-source dependency management.
- Black Duck by Synopsys: Black Duck provides robust SBOM capabilities, vulnerability analysis, and compliance monitoring for open-source components used in software development.
- FOSSA: FOSSA specializes in open-source license compliance and vulnerability management, providing SBOM generation, dependency analysis, and risk assessment.
- OWASP Dependency-Track: Open-source SBOM analysis platform that ingests CycloneDX SBOMs, integrates with vulnerability databases, and continuously monitors software components.
- SourceClear (now part of Veracode): Offers SBOM generation, vulnerability detection, and policy enforcement to help organizations manage their software supply chain and mitigate security risks.
In conclusion, as India navigates its digital revolution, SBOMs emerge as a cornerstone of secure, transparent, and resilient software practices. By understanding the importance of SBOMs and integrating them across multiple industries, India is well positioned to strengthen its digital foundation and future-proof its technology endeavours.
- Aseem Jakhar
- Expliot Team
- Payatu Team
- CycloneDX by OWASP