
Co-Founder and Lead Software Engineer, Reliable Energy Analytics (REA)

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • May 21, 2021

This item from Synopsys provides a reasonable analysis of the 5/12 Cybersecurity Executive Order that offers some prudent guidance to both software vendors and consumers. However, Synopsys's description of SBOM doesn't cover the full purpose and benefits of an SBOM in helping software consumers protect themselves from harmful software. Here's what's missing from Synopsys's guidance on the SBOM's role in software supply chain risk management:

An SBOM is more than just an “ingredients list” of the components that are contained in a software package. A properly populated and signed SBOM also provides the following valuable functions for software verification used in risk assessments:

  • Identifies the actual software source (supplier ID) for the party that claims to own/license the software
  • Supplier identification in the SBOM can be verified against the identity information contained in the digital signatures applied to the SBOM and to the software package being analyzed during a risk assessment. Any discrepancy between the signer identities on the SBOM and the software package and the Supplier information contained in the SBOM should be flagged as very high risk.
  • Today's software signing practices lack a key verification control: the ability to associate a software supplier with an authorized signing key. Currently, anyone with a valid signing key can sign any software package, regardless of who the supplier of that software is. Validation tools such as Microsoft's signtool do not check that the signer's key is authorized to sign software supplied by a given supplier ID when they verify digitally signed software.
  • A new process is needed to identify "authorized signing keys" for software suppliers, which would be checked/verified before a CA issues a signing key/certificate on behalf of a party. Existing practice for issuing SSL certificates, using DNS CAA records, may serve as a model for this need; perhaps one day we will see a Digital Signature Authorization (DSA) DNS record that identifies authorized signing keys/certificates. Food for thought.
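The cross-check described in the list above, worked through as an added example that is not part of the original post and not code from REA or the SAG-PM product. It assumes a constructed, minimal SBOM shape (a supplier ID plus a component list), uses Ed25519 signatures in place of Authenticode/X.509, and stands in an in-memory Registry for the proposed DNS-based authorized-key record. The three cases show why a signtool-style "does the signature verify" check alone is not enough: the impersonator's package signature is cryptographically valid and even asserts the supplier's name, and only the authorized-key check catches it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// SBOM is a constructed, deliberately minimal stand-in for an SPDX/CycloneDX
// document: only the fields this cross-check needs.
type SBOM struct {
	Supplier   string   `json:"supplier"` // supplier ID the SBOM claims
	Components []string `json:"components"`
}

// Envelope is the signature applied to one object (SBOM or package): the
// signer's asserted identity, the signing public key, and an Ed25519 signature
// over the object's exact bytes. Ed25519 stands in for Authenticode/X.509 here.
type Envelope struct {
	SignerID string
	PubKey   ed25519.PublicKey
	Sig      []byte
}

// Registry models the "authorized signing key" record the post proposes
// (hypothetical DSA DNS record): supplier ID -> hex public keys it may sign with.
type Registry map[string][]string

// Sign produces the envelope a supplier (or anyone else) attaches to data.
func Sign(priv ed25519.PrivateKey, signerID string, data []byte) Envelope {
	return Envelope{
		SignerID: signerID,
		PubKey:   priv.Public().(ed25519.PublicKey),
		Sig:      ed25519.Sign(priv, data),
	}
}

// authorized reports whether key is one the registry lists for supplier.
func authorized(reg Registry, supplier string, key ed25519.PublicKey) bool {
	want := hex.EncodeToString(key)
	for _, k := range reg[supplier] {
		if k == want {
			return true
		}
	}
	return false
}

// Assess runs the verification the post describes: cryptographic validity of
// both signatures, the supplier-vs-signer identity cross-check, and the
// authorized-key check. It returns one finding per failed check; an empty
// slice means the package and its SBOM are consistent.
func Assess(sbomBytes []byte, sbomSig Envelope, pkgBytes []byte, pkgSig Envelope, reg Registry) []string {
	var findings []string
	var sbom SBOM
	if err := json.Unmarshal(sbomBytes, &sbom); err != nil {
		return []string{"VERY HIGH: SBOM is not parseable: " + err.Error()}
	}
	// Check 1: the signatures verify at all. This is all a signtool-style
	// check covers; it says nothing about who was entitled to sign.
	if !ed25519.Verify(sbomSig.PubKey, sbomBytes, sbomSig.Sig) {
		findings = append(findings, "VERY HIGH: SBOM signature does not verify")
	}
	if !ed25519.Verify(pkgSig.PubKey, pkgBytes, pkgSig.Sig) {
		findings = append(findings, "VERY HIGH: package signature does not verify")
	}
	// Checks 2 and 3: each signer identity must match the supplier named in the
	// SBOM, and each signing key must be one registered to that supplier.
	for _, s := range []struct {
		what string
		env  Envelope
	}{{"SBOM", sbomSig}, {"package", pkgSig}} {
		if s.env.SignerID != sbom.Supplier {
			findings = append(findings, fmt.Sprintf(
				"VERY HIGH: %s signed by %q but SBOM names supplier %q", s.what, s.env.SignerID, sbom.Supplier))
		}
		if !authorized(reg, sbom.Supplier, s.env.PubKey) {
			findings = append(findings, fmt.Sprintf(
				"VERY HIGH: %s signing key %s... is not an authorized key for %q",
				s.what, hex.EncodeToString(s.env.PubKey)[:12], sbom.Supplier))
		}
	}
	return findings
}

// Scenario builds constructed sample input and runs three cases: an honest
// supplier, an impersonator asserting the supplier's name with an unregistered
// key, and a rogue re-signer using their own name. Returns each case's findings.
func Scenario() (honest, impersonator, rogue []string) {
	const supplier = "ACME Grid Software Inc." // constructed supplier ID
	acmePub, acmePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // valid key, not ACME's
	reg := Registry{supplier: {hex.EncodeToString(acmePub)}}

	sbomBytes, _ := json.Marshal(SBOM{Supplier: supplier,
		Components: []string{"openssl@3.0.13", "zlib@1.3.1"}})
	pkg := []byte("constructed package bytes: acme-scada-agent-2.4.1.tar.gz")
	sbomSig := Sign(acmePriv, supplier, sbomBytes)

	honest = Assess(sbomBytes, sbomSig, pkg, Sign(acmePriv, supplier, pkg), reg)
	impersonator = Assess(sbomBytes, sbomSig, pkg, Sign(otherPriv, supplier, pkg), reg)
	rogue = Assess(sbomBytes, sbomSig, pkg, Sign(otherPriv, "Rogue Repackager LLC", pkg), reg)
	return honest, impersonator, rogue
}

func main() {
	honest, impersonator, rogue := Scenario()
	fmt.Println("honest:", honest)
	fmt.Println("impersonator:", impersonator)
	fmt.Println("rogue:", rogue)
}
```

In a real assessment the identities compared would come from the signing certificate's subject (or a Sigstore identity) rather than a free-text SignerID, and the Registry lookup would be whatever authoritative source the proposed DNS record or CA-side check turns out to be; the shape of the decision, verify the signature, then bind the signer to the supplier, then bind the key to the supplier, is the part the post is asking for.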