- May 21, 2021 2:11 pm GMT
This item from Synopsys provides a reasonable analysis of the 5/12 Cybersecurity Executive Order and offers some prudent guidance to both software vendors and consumers. However, Synopsys's description of the SBOM does not cover the full purpose and benefits of an SBOM in helping software consumers protect themselves from harmful software. Here is what is missing from Synopsys's guidance on the SBOM's role in software supply chain risk management:
An SBOM is more than an "ingredients list" of the components contained in a software package. A properly populated and signed SBOM also provides the following valuable functions for the software verification performed during a risk assessment:
- Identifies the actual software source (supplier ID) for the party that claims to own/license the software
- The supplier identification in the SBOM can be verified against the identity contained in the digital signatures applied to the SBOM and to the software package being analyzed during a risk assessment. Any discrepancy between the signer identities on the SBOM and the software package and the supplier information contained in the SBOM should be flagged as very high risk.
- Today's software signing practices lack a key verification control: the ability to associate a software supplier with an authorized signing key. Currently, anyone with a valid signing key can sign any software package, regardless of who the supplier of that software is. Validation tools such as Microsoft's signtool check that a signature is valid, but do not check that the signer's key is authorized to sign software supplied by a given supplier ID.
- A new process is needed to identify "authorized signing keys" for software suppliers, to be checked and verified before a CA issues a signing key/certificate on behalf of a party. Existing practices for issuing SSL certificates, using DNS CAA records, may serve as a model for this need; perhaps one day we will see a Digital Signature Authorization (DSA) DNS record that identifies authorized signing keys/certificates. Food for thought.
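The two checks described above, cross-checking the SBOM's supplier against the signer identity on the SBOM and the package, and checking whether the signing key is one the supplier has published as authorized, can be expressed as a small risk-assessment routine. The following Python is an added illustration, not code from the post or from Synopsys: the CycloneDX-style SBOM, the signer records, the key bytes and the supplier name are all constructed sample data, and the `AUTHORIZED_KEYS` table stands in for the hypothetical DNS-published authorization record the post proposes (no such record type exists today).

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM; the product and supplier names are sample data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {
            "name": "meter-agent",
            "version": "2.4.1",
            "supplier": {"name": "Example Grid Software Inc"},
        }
    },
    "components": [
        {"name": "openssl", "version": "1.1.1k",
         "supplier": {"name": "OpenSSL Project"}},
    ],
})


def key_fingerprint(public_key_bytes: bytes) -> str:
    """Hex SHA-256 fingerprint of a public key (constructed bytes here)."""
    return hashlib.sha256(public_key_bytes).hexdigest()


# Constructed stand-ins for the public keys in two valid code-signing certificates.
VENDOR_KEY = b"example-grid-software-signing-key-2021"
OTHER_KEY = b"another-ca-issued-but-unrelated-key"

# Hypothetical authorization table: supplier name -> fingerprints the supplier
# has published as authorized to sign on its behalf (the role the post imagines
# for a DNS record modelled on CAA). This is an assumption, not an existing standard.
AUTHORIZED_KEYS = {
    "Example Grid Software Inc": {key_fingerprint(VENDOR_KEY)},
}


def make_sig(signer_name: str, public_key_bytes: bytes) -> dict:
    """Model the identity data a verifier extracts from a signature's certificate:
    the subject name and the fingerprint of the signing key."""
    return {"signer": signer_name, "fingerprint": key_fingerprint(public_key_bytes)}


def assess(sbom_json: str, sbom_sig: dict, package_sig: dict, authorized: dict) -> list:
    """Return (risk, message) findings for the supplier/signature cross-checks.

    Assumes the cryptographic validity of both signatures has already been
    checked by the usual tooling; this layer adds the identity binding that
    signature validation alone does not provide."""
    sbom = json.loads(sbom_json)
    findings = []
    supplier = (sbom.get("metadata", {}).get("component", {})
                .get("supplier", {}).get("name"))
    if not supplier:
        findings.append(("VERY HIGH", "SBOM does not identify a supplier"))
        return findings

    for label, sig in (("SBOM", sbom_sig), ("package", package_sig)):
        # Check 1: signer identity on the artifact must match the SBOM supplier.
        if sig["signer"] != supplier:
            findings.append(("VERY HIGH",
                             f"{label} signed by '{sig['signer']}' but SBOM "
                             f"supplier is '{supplier}'"))
        # Check 2: the signing key must be one the supplier has authorized.
        if sig["fingerprint"] not in authorized.get(supplier, set()):
            findings.append(("HIGH",
                             f"{label} signing key {sig['fingerprint'][:16]}... "
                             f"is not an authorized key for '{supplier}'"))
    return findings


if __name__ == "__main__":
    good = make_sig("Example Grid Software Inc", VENDOR_KEY)
    rogue = make_sig("Some Other Signer LLC", OTHER_KEY)
    for risk, msg in assess(SBOM_JSON, good, rogue, AUTHORIZED_KEYS):
        print(risk, "-", msg)
```

In the clean case (both artifacts signed by the named supplier with a key in its authorized set) the routine returns no findings. A package signed with a different but perfectly valid certificate produces the very-high finding for the identity mismatch and the high finding for the unauthorized key, which is exactly the case the post notes that signature validation alone lets through.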