
How to use an SBOM for Software Vulnerability Monitoring PROACTIVELY

[UPDATE MARCH 2, 2023: The National Cybersecurity Strategy has been published, citing the need for SBOMs to aid consumers and re-balance cybersecurity risks. SBOM is now mainstream thanks to the hard work of many people in the SPDX and CycloneDX SBOM communities and government partners at NIST and CISA.]

[UPDATE July 23, 2023] Many of the MOVEit victims could have avoided this publicity if they had been using the "Left of Bang" proactive monitoring approach described in this article. The CVEs used in the MOVEit attack were known on May 31, 2023 and could have been mitigated.

[UPDATE July 26, 2023] The latest EU CRA agreement (July 19, 2023) recognizes the important role of SBOM in vulnerability monitoring: "In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties."

The approach described in this article is a "Left of Bang" proactive approach used by software consumers to detect risks in software supply chains BEFORE a software product is installed inside an ecosystem. It also provides advance warning when a new software vulnerability is reported for already installed software, allowing a consumer to take mitigating action to shrink the window of susceptibility and prevent harm. The benefits of SBOM are well known and documented: "SBOMs also help organizations determine if they are susceptible to known security vulnerabilities in software components."

My recent article requesting that Congress retain the SBOM provision in upcoming legislation has resulted in people asking how an SBOM is used to monitor for software vulnerabilities using a "Left of Bang" approach. Here’s the answer.

BEFORE PROCUREMENT and INSTALLATION OF SOFTWARE PRODUCTS

Step 1. Ask your vendor for an SBOM describing the product and version you are interested in using.

Step 2. Use the SBOM to produce a Vulnerability Disclosure Report (VDR) for the software product you are interested in. Commercial tools are available for this step. A working example of a product VDR is available online.

Step 3. Examine the Vulnerability Disclosure Report for vulnerabilities and request the vendor to provide an updated VDR containing their assessment and fix status for each vulnerability reported in the product. Ask the vendor to make this “living VDR” available online so that a consumer can monitor for vulnerabilities and any vulnerability fixes that may be coming from the vendor. Ask the vendor to put a link to the online, living VDR in a Vendor Response File (VRF), along with links to other attestations required for OMB M-22-18.

AFTER INSTALLATION ONGOING VULNERABILITY MONITORING

Step 1. Load the product SBOM into the OWASP CycloneDX Dependency Track tool.

Step 2. Daily, review the SBOM vulnerability status in the Dependency Track tool and look for new vulnerabilities in your installed software products. NOTE: Dependency Track comes with an automated notification function that notifies software consumers when new vulnerabilities are reported, so there is no need to search manually.

Step 3. When new vulnerabilities are reported, download the online version of the VDR for the affected product and version from the supplier and check for updates from the vendor on any new vulnerabilities. Commercial tools are available for this step.

Step 4. Repeat steps 2 and 3.
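The daily review in steps 2 and 3 boils down to a correlation: match the purls in the installed product's SBOM against newly reported advisories, then look up each hit in the vendor's living VDR to see whether the vendor has acknowledged it and what its fix status is. The script below is an added illustration of that loop, not code from this article or from Dependency Track; the SBOM, the advisory feed, the VDR and the product "AcmeTransfer" are all constructed, simplified JSON, and the VDR uses the CycloneDX `vulnerabilities` / `analysis.state` shape.

```python
"""Added example: correlate an installed product's CycloneDX SBOM with newly
reported vulnerabilities and with the vendor's living VDR (steps 2 and 3).
All inputs are constructed, simplified JSON for a hypothetical product."""
import json

# Constructed CycloneDX-style SBOM for hypothetical product "AcmeTransfer 2.1".
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"bom-ref": "pkg:maven/org.example/parser@1.3.0", "name": "parser",
   "version": "1.3.0", "purl": "pkg:maven/org.example/parser@1.3.0"},
  {"bom-ref": "pkg:maven/org.example/webcore@4.0.2", "name": "webcore",
   "version": "4.0.2", "purl": "pkg:maven/org.example/webcore@4.0.2"}
 ]}"""

# Constructed feed of newly reported advisories (not real CVEs), keyed by purl.
NEW_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "affected_purls": ["pkg:maven/org.example/parser@1.3.0"]},
    {"id": "EXAMPLE-2023-0002", "affected_purls": ["pkg:maven/org.example/other@9.9.9"]},
]

# Constructed vendor "living VDR": CycloneDX vulnerabilities array, simplified.
VDR_JSON = """{
 "vulnerabilities": [
  {"id": "EXAMPLE-2023-0001", "affects": [{"ref": "pkg:maven/org.example/parser@1.3.0"}],
   "analysis": {"state": "in_triage", "detail": "fix planned for 2.1.1"}}
 ]}"""

def installed_purls(sbom_json):
    """Index the SBOM's components by purl so advisories can be matched exactly."""
    return {c["purl"]: c for c in json.loads(sbom_json)["components"] if "purl" in c}

def match_advisories(sbom_json, advisories):
    """Step 2: keep only advisories that touch a component actually installed."""
    purls = installed_purls(sbom_json)
    hits = []
    for adv in advisories:
        affected = [p for p in adv["affected_purls"] if p in purls]
        if affected:
            hits.append({"id": adv["id"], "components": affected})
    return hits

def vendor_status(vdr_json, vuln_id):
    """Step 3: the vendor's assessment state from the VDR, or a flag to follow up."""
    for v in json.loads(vdr_json).get("vulnerabilities", []):
        if v["id"] == vuln_id:
            return v.get("analysis", {}).get("state", "unassessed")
    return "not_in_vdr"  # vendor has not acknowledged it yet: ask for an updated VDR

def daily_review(sbom_json, advisories, vdr_json):
    """One pass of the monitoring loop: (vuln id, affected purls, vendor state)."""
    return [(h["id"], h["components"], vendor_status(vdr_json, h["id"]))
            for h in match_advisories(sbom_json, advisories)]

if __name__ == "__main__":
    for row in daily_review(SBOM_JSON, NEW_ADVISORIES, VDR_JSON):
        print(row)
```

A "not_in_vdr" result is the signal to go back to the vendor: the vulnerability affects an installed component but the living VDR does not yet carry the vendor's assessment.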

These proactive vulnerability monitoring steps will help your cybersecurity personnel stay ahead of the hackers and reduce the window of susceptibility whenever a new software vulnerability is reported.

AND remember to preserve the tamper-proof evidence showing that these PROACTIVE controls are functioning. That may prove helpful in any lawsuits seeking to hold C-Suite Executives and BoD members personally liable in the event of a cyber-breach that results in shareholder lawsuits.