Article by Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (distributed on Security Boulevard and YouTube)
At last month’s RSA Security Conference (RSAC), a number of vendors and speakers spoke about Software Bill of Materials (SBOM), which we covered in our follow-up article from RSAC.
An interview with SBOM experts Dick Brooks and Joseph Silvia reveals why SBOM has become a trend at RSAC, which is typically a security conference and not a software product development show. Brooks and Silvia explain how SBOM data can help beyond DevSecOps and product selection, specifically in security operations, incident response, and compliance. The two focus on embedded systems and supply chain risk management and participate in various SBOM working groups.
Joseph Silvia has worked in the manufacturing and medical device industries for decades and has served on various supply chain and SBOM working groups including NIST (National Institute of Standards and Technology), CISA (Cybersecurity and Infrastructure Security Agency), Linux Foundation, and OWASP (Open Worldwide Application Security Project).
“Often, there is no proper bill of materials for this form factor of ‘Internet of Medical Things’, which is why these devices are deployed in hospitals,” says Silvia. “The SBOM helps security teams proactively manage security risks, prioritize patches, and comply with regulations such as the EU Medical Device Regulation (EMDR).”
Over the years, Silvia met Dick Brooks and the two ended up serving on many of the same SBOM working groups.
Brooks began his journey in software security as a software engineer at DEC in the 1980s, when notorious hacker Kevin Mitnick broke into one of DEC’s source code servers. Today, Brooks spends most of his time working in CISA’s Supply Chain Risk Management group, which includes the National Risk Management Center and focuses on operationalizing SBOM data for agency use. He also works in CISA’s Critical Manufacturing Sector Risk Management facility, whose focus is National Security Memorandum 22, the memorandum that harmonizes cybersecurity across critical industry sectors.
According to Brooks, SBOM gives security and response teams the visibility they need at the supplier, product and component level, which is crucial when the next Log4j vulnerability or SolarWinds-type breach happens upstream in the supply chain. “A lot of these vulnerabilities are reported at the component level, so they don’t get reported at the product level. SBOM shows you what components are incorporated, so when the next Log4j is released, you can see what components of what products are in that ecosystem. And at the product level, security people can ask, ‘Do I have any products running SolarWinds in my environment?’”
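The component-level lookup Brooks describes can be scripted directly against SBOM data. The following is an added example, not code from the article or from CodeSecure: it takes a set of minimal CycloneDX-style SBOMs (one per product, constructed here for illustration), a constructed advisory that names an affected package by package URL and a vulnerable version range, and returns which products carry an affected component. The advisory identifier is a placeholder, the SBOM field subset and the advisory layout are assumptions, and the product names and versions are invented.

```python
"""Correlate a component-level advisory with a product inventory built from SBOMs.

Added example (not from the original article). Assumes a minimal CycloneDX-style
SBOM layout: each SBOM has "metadata.component" (the product) and a "components"
list whose entries carry "name", "version" and "purl". The advisory format and
all sample data below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Constructed SBOMs for two fictional products; only the fields this example uses.
SBOMS_JSON = json.dumps([
    {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": "PatientMonitor", "version": "3.2.0"}},
        "components": [
            {"name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"name": "jackson-databind", "version": "2.15.2",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        ],
    },
    {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": "InfusionGateway", "version": "1.8.3"}},
        "components": [
            {"name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ],
    },
])

# Constructed advisory: the affected package (purl without version) and the
# vulnerable range [introduced, fixed). The identifier is a placeholder.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0.0",
    "fixed": "2.17.1",
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def purl_base(purl: str) -> str:
    """Strip the '@version' suffix from a package URL to get the component identity."""
    return purl.split("@", 1)[0]


@dataclass
class Finding:
    product: str
    product_version: str
    component: str
    component_version: str


def is_affected(component_purl: str, advisory: dict) -> bool:
    """True if the purl names the advisory's package and its version lies in
    [introduced, fixed)."""
    if purl_base(component_purl) != advisory["purl_prefix"]:
        return False
    version = parse_version(component_purl.split("@", 1)[1])
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def affected_products(sboms_json: str, advisory: dict) -> list:
    """Walk every SBOM and return one Finding per affected component occurrence."""
    findings = []
    for sbom in json.loads(sboms_json):
        product = sbom["metadata"]["component"]
        for comp in sbom.get("components", []):
            if "purl" in comp and is_affected(comp["purl"], advisory):
                findings.append(Finding(product["name"], product["version"],
                                        comp["name"], comp["version"]))
    return findings


if __name__ == "__main__":
    for f in affected_products(SBOMS_JSON, ADVISORY):
        print(f"{f.product} {f.product_version}: {f.component} {f.component_version} "
              f"is in the affected range of {ADVISORY['id']}")
```

Matching on the package URL rather than on the display name is the design choice that makes this reliable across suppliers, since two vendors may label the same library differently while the purl is canonical. The version parser here handles only plain dotted numeric versions; real inventories contain pre-release and vendor-patched version strings, so a production tool should use a proper version-ordering library for the ecosystem in question.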
As RSAC made clear, security vendors see value in correlating and enhancing their toolsets with SBOM data, and Brooks and Silvia explain how automation can play a key role in delivering SBOM data to security and response teams.
Be sure to check out this 30-minute program; the discussion and insights are as entertaining as they are educational.
Additional resources:
On June 8, CISA began requiring product companies to provide software development attestations, which are submitted through the CISA RSAA portal.
Check out CodeSecure’s resources on authentication and SBOM generation from binaries.
The post How SBOM Data Strengthens Cybersecurity and Response Operations appeared first on CodeSecure
This is a CodeSecure Security Bloggers Network syndicated blog written by Deb Radcliff. Read the original post here: https://codesecure.com/learn/how-sbom-data-enhances-cybersecurity-and-response-operations/